Applying a chain of CA certificates to the agent

This page provides information about applying a chain of CA certificates to the agent.

You can now apply multiple certificates to your agent and configure it to present the CA chain along with the server certificate during the TLS handshake.

  1. Stop the agent on the Vertica node.

    $ sudo /opt/vertica/sbin/vertica_agent stop
    
    New invocation of vertica_agent. Called with 1 arguments: stop
    Stopping vertica agent:
    $
    
  2. Back up agent certificates from the Vertica node.

    $ cd /opt/vertica/config/share
    $ mv agent.cert agent.cert.bck
    $ mv agent.key agent.key.bck
    $ mv agent.pem agent.pem.bck
    $ ls
    agent.cert.bck  agent.key.bck   agent.pem.bck   license.key
    
  3. Create a chain of CA certificates. For more information, see Generating TLS certificates and keys.

    => CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
    => CREATE CA CERTIFICATE SSCA_cert
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=Vertica Root CA'
       VALID FOR 3650
       EXTENSIONS 'nsComment' = 'Self-signed root CA cert'
       KEY SSCA_key;
    => CREATE KEY intermediate_key TYPE 'RSA' LENGTH 2048; 
    => CREATE CA CERTIFICATE intermediate_ca_cert
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=Vertica intermediate CA'
       SIGNED BY SSCA_cert
       KEY intermediate_key;
    => CREATE KEY internode_key TYPE 'RSA' LENGTH 2048;
    => CREATE CERTIFICATE internode_cert
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=data channel'
       SIGNED BY intermediate_ca_cert
       EXTENSIONS 'nsComment' = 'Vertica internode cert', 'extendedKeyUsage' = 'serverAuth, clientAuth'
       KEY internode_key; 
    
  4. Enable TLS mode to verify the newly created certificates.

    => ALTER TLS CONFIGURATION data_channel CERTIFICATE internode_cert TLSMODE 'TRY_VERIFY';
    => select * from tls_configurations;
         name     |  owner  |  certificate   | ca_certificate | cipher_suites |    mode
    --------------+---------+----------------+----------------+---------------+------------
     server       | dbadmin |                |                |               | DISABLE
     LDAPLink     | dbadmin |                |                |               | DISABLE
     LDAPAuth     | dbadmin |                |                |               | DISABLE
     data_channel | dbadmin | internode_cert | SSCA_Cert      |               | TRY_VERIFY
    (4 rows)
    
  5. Create the agent.cert file. Retrieve the text of the three certificates from the database, then paste it into agent.cert in /opt/vertica/config/share.

    => select certificate_text FROM certificates where name='SSCA_cert';
    => select certificate_text FROM certificates where name='intermediate_ca_cert';
    => select certificate_text FROM certificates where name='internode_cert';
    $ cd /opt/vertica/config/share
    

    Edit the agent.cert file so that it holds the three PEM blocks in the order a TLS server presents its chain: the server certificate (internode_cert) first, then the intermediate CA certificate, then the root CA certificate.

    
    $ cat agent.cert
    
  6. Create the agent.key file.

    => select key from cryptographic_keys where name='SSCA_key';
    => select key from cryptographic_keys where name='intermediate_key';
    => select key from cryptographic_keys where name='internode_key';
    $ cd /opt/vertica/config/share
    $ sudo vi agent.key
    

    Edit the agent.key file. The agent uses only the private key that matches its server certificate (internode_key); keep the CA signing keys (SSCA_key and intermediate_key) out of agent.key, because every key in that file is copied to each node in the cluster.

    
    $ cat agent.key
    
  7. Generate the agent.pem file from the agent.cert file. Note that openssl x509 reads only the first certificate in agent.cert, so agent.pem contains that single certificate.

    $ openssl x509 -in agent.cert -out agent.pem -outform PEM
    $ ls
    agent.cert  agent.cert.bck  agent.key   agent.key.bck   agent.pem   agent.pem.bck   license.key
    
  8. Ensure that agent.cert, agent.key and agent.pem files are available in /opt/vertica/config/share.

  9. Start the Vertica agent on the node.

    $ sudo /opt/vertica/sbin/vertica_agent start 
    
  10. Copy all agent certificate files to the other machines in the cluster. Ensure that the agent certificate files are readable and writable by their owner on the target machines.

    $ ls -altr /opt/vertica/config/share
    agent.cert  agent.cert.bck  agent.key   agent.key.bck   agent.pem   agent.pem.bck
    $ chmod -R 600 /opt/vertica/config/share/agent.*
    $ scp agent.* dbadmin@<privateip>:/opt/vertica/config/share/
    

    where privateip is a non-internet-facing IP address on your internal network, for example 10.11.12.157.

  11. Restart the Vertica agent on the cluster machines.

    $ sudo /opt/vertica/sbin/vertica_agent status
    $ sudo /opt/vertica/sbin/vertica_agent stop
    $ sudo /opt/vertica/sbin/vertica_agent start
    
  12. Check the newly applied certificates.

    $ openssl s_client -prexit -connect localhost:5444
    
  13. Download the agent.pem file from /opt/vertica/config/share to a folder on your local machine.

  14. Upload the agent.pem file in the MC Settings page.

    • Navigate to Home > MC Settings > SSL/TLS Certificates.
    • In the Manage Authentication Certificates area, click Add New Certificate and choose Agent.
    • Click Browse to select the agent.pem file.
    • Click Add New Certificate.
    • Click Restart MC.

  15. Import the Vertica node to MC. For more information, see Importing an existing database into MC.
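Before starting the agent (step 9), and again on each node after copying the files (step 10), the three files can be cross-checked for the mistakes this procedure invites: a bundle in the wrong order, a key that does not belong to the server certificate, or an agent.pem that is not the certificate MC will see. The following POSIX shell script is an added example, not part of the Vertica documentation or the vertica_agent code; it assumes only the openssl CLI and the file layout described above (agent.cert with the server certificate first and the root CA last, agent.key holding that certificate's private key, agent.pem as the single certificate written in step 7).

```shell
#!/bin/sh
# check_agent_tls_files: sanity-check the assembled agent.cert, agent.key and agent.pem
# before starting the agent. Added example, not part of the Vertica documentation or
# product; it assumes only a POSIX shell and the openssl CLI.
#   agent.cert  PEM bundle: first certificate is the agent's server certificate, each
#               following certificate is the issuer of the one before it (root last)
#   agent.key   private key matching that first certificate
#   agent.pem   single certificate identical to the first one in agent.cert
# Usage: check_agent_tls_files /opt/vertica/config/share
check_agent_tls_files() {
  dir=$1
  tmp=$(mktemp -d) || return 1
  bad() { echo "FAIL: $*" >&2; rm -rf "$tmp"; }
  # Split the bundle into cert-1.pem, cert-2.pem, ... in file order; awk reports the count.
  n=$(awk -v out="$tmp/cert-" '/-----BEGIN CERTIFICATE-----/{n++}
        n>0{print > (out n ".pem")} END{print n+0}' "$dir/agent.cert")
  [ "$n" -ge 2 ] || { bad "agent.cert holds $n certificate(s); a chain needs at least two"; return 1; }
  # 1. Order: certificate i must be issued by certificate i+1.
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
      { bad "certificate $i is not issued by certificate $((i + 1)); fix the order in agent.cert"; return 1; }
    i=$((i + 1))
  done
  # 2. Signatures: the leaf must verify with the last certificate as trust anchor and
  #    any intermediates supplied as untrusted.
  : > "$tmp/untrusted.pem"
  i=2
  while [ "$i" -lt "$n" ]; do cat "$tmp/cert-$i.pem" >> "$tmp/untrusted.pem"; i=$((i + 1)); done
  [ "$n" -gt 2 ] && untrusted="-untrusted $tmp/untrusted.pem" || untrusted=""
  openssl verify -CAfile "$tmp/cert-$n.pem" $untrusted "$tmp/cert-1.pem" >/dev/null 2>&1 ||
    { bad "the chain in agent.cert does not verify"; return 1; }
  # 3. Key: the (first) private key in agent.key must belong to the leaf certificate.
  [ "$(openssl pkey -in "$dir/agent.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey)" ] ||
    { bad "agent.key does not match the first certificate in agent.cert"; return 1; }
  # 4. agent.pem must be that same leaf certificate.
  [ "$(openssl x509 -in "$dir/agent.pem" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$tmp/cert-1.pem" -noout -fingerprint -sha256)" ] ||
    { bad "agent.pem is not the first certificate in agent.cert"; return 1; }
  rm -rf "$tmp"
  echo "OK: $n-certificate chain, agent.key and agent.pem are consistent"
}
```

A root-first bundle, or an agent.key whose first key is a CA key, is reported with a specific message and a non-zero exit status, so the script can gate the agent start in a deployment script.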