Configuring client-server TLS

Vertica offers two connection modes for client-server TLS:

  • In Server Mode, the client must verify the host's certificate. Hosts must have a server private key and certificate.

  • In Mutual Mode, the client and host must each verify the other's certificate. Hosts must have a server private key, server certificate, and CA certificate(s).

Client-server TLS secures the connection step between Vertica and clients, not the following authentication step to authenticate these clients as users in the database. To configure authentication for TLS connections or to reject plaintext connections, see TLS authentication.

Setting certificates with TLS configuration

This procedure creates keys and certificates for client-server TLS and sets them in the predefined TLS Configuration server, which is the default TLS configuration for ServerTLSConfig. To create a custom TLS configuration, see TLS configurations.

  1. Generate or import the following according to your use case:

    • Server Mode: server certificate private key, server certificate

    • Mutual Mode: server certificate private key, server certificate, CA certificate(s)

  2. Run the following commands according to your desired configuration. New connections will use TLS.

    • To use Server Mode, set the server certificate for the server's TLS Configuration:

      => ALTER TLS CONFIGURATION server CERTIFICATE server_cert;
      
    • To use Mutual Mode, set a server and CA certificate. This CA certificate is used to verify client certificates:

      => ALTER TLS CONFIGURATION server CERTIFICATE server_cert ADD CA CERTIFICATES ca_cert;
      

      To use multiple CA certificates, separate them with commas:

      => ALTER TLS CONFIGURATION server CERTIFICATE server_cert
         ADD CA CERTIFICATES intermediate_ca_cert, ca_cert;
      
  3. Enable TLS (disabled by default). Choose one of the following TLSMODEs, listed in ascending security.

    • DISABLE: Disables TLS. All other options for this parameter enable TLS.

    • ENABLE: Enables TLS. Vertica does not verify client certificates.

    • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

      • The client presents a valid certificate.
      • The client doesn't present a certificate.

      If the client presents an invalid certificate, the connection is rejected.

    • VERIFY_CA: Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. If the client does not present a client certificate, the connection is rejected.

    TLS Configurations also support the TLSMODE VERIFY_FULL, but this TLSMODE is unsupported for client-server TLS (the connection type handled by ServerTLSConfig) and behaves like VERIFY_CA.

    For Server Mode, choose ENABLE:

    => ALTER TLS CONFIGURATION server TLSMODE 'ENABLE';
    

    For Mutual Mode, choose TRY_VERIFY or higher:

    => ALTER TLS CONFIGURATION server TLSMODE 'VERIFY_CA';
    
  4. Verify that the ServerTLSConfig parameter is set to the server TLS Configuration:

    => SHOW CURRENT ServerTLSConfig;
      level  |      name        | setting
    ---------+------------------+---------
     DEFAULT | ServerTLSConfig  | server
    (1 row)
    

    If not, set the ServerTLSConfig parameter:

    => ALTER DATABASE DEFAULT SET ServerTLSConfig = 'server';
    
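The four steps above carried through end to end for Mutual Mode, as an added example rather than text from this page: the CREATE KEY / CREATE CERTIFICATE statements and the tls_configurations system table are assumed from other Vertica documentation (check the key and certificate generation page for your version), and every object name, subject field and host name below is made up.

```sql
-- Mutual Mode walkthrough in vsql. Object names and subject fields are made up.
-- CREATE KEY / CREATE [CA] CERTIFICATE and tls_configurations are assumed from
-- other Vertica documentation; confirm the syntax against your version.

-- Step 1a: a self-signed CA. It signs the server certificate, and clients
-- that present certificates chained to it are accepted in VERIFY_CA.
CREATE KEY root_ca_key TYPE 'RSA' LENGTH 2048;
CREATE CA CERTIFICATE root_ca_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=Example Corp/OU=DB/CN=Example Root CA'
    VALID FOR 3650
    EXTENSIONS 'nsComment' = 'Example root CA'
    KEY root_ca_key;

-- Step 1b: server key and certificate signed by that CA. The serverAuth EKU
-- and a SAN matching the host name are what let clients verify the host.
CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE server_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=Example Corp/OU=DB/CN=vertica.example.com'
    SIGNED BY root_ca_cert
    VALID FOR 365
    EXTENSIONS 'nsComment' = 'Example server cert',
               'extendedKeyUsage' = 'serverAuth',
               'subjectAltName' = 'DNS:vertica.example.com'
    KEY server_key;

-- Step 2: attach the server certificate and the CA used to verify clients.
ALTER TLS CONFIGURATION server
    CERTIFICATE server_cert
    ADD CA CERTIFICATES root_ca_cert;

-- Step 3: require a client certificate chained to root_ca_cert.
-- TRY_VERIFY would still admit a client that presents no certificate at all.
ALTER TLS CONFIGURATION server TLSMODE 'VERIFY_CA';

-- Step 4: confirm this configuration is the active one, then inspect what
-- it holds (expect certificate, ca_certificate and mode to be populated).
SHOW CURRENT ServerTLSConfig;
SELECT name, certificate, ca_certificate, mode
    FROM tls_configurations
    WHERE name = 'server';
```

Existing sessions keep their current connection settings; only new connections negotiate TLS under the updated configuration.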

See also