TLS configurations
A TLS Configuration is a database object that encapsulates all settings and certificates needed to configure TLS. After setting up a TLS Configuration, you can use it by setting it as the value for one or more of the following database parameters, each of which controls TLS for a certain type of connection between the Vertica database and a client or server:
- ServerTLSConfig
- LDAPLinkTLSConfig
- LDAPAuthTLSConfig
- InternodeTLSConfig
These parameters are set to predefined TLS Configurations by default, so if you just want to configure TLS, use ALTER TLS CONFIGURATION to modify a predefined TLS Configuration. Otherwise, use CREATE TLS CONFIGURATION to create a custom TLS Configuration.
Reusing an existing TLS configuration
To reuse an existing TLS Configuration, use ALTER TLS CONFIGURATION.
The following table lists each TLS connection type parameter with its associated connection type and predefined TLS Configuration:

Note
For OAuth, Vertica is the client and the identity provider is the server. TLS for this connection type is not controlled by a TLS Configuration. For details, see Configure Keycloak.

Connection Type | Parameter | Default TLS Configuration | Example |
---|---|---|---|
Client-server where Vertica is the server | ServerTLSConfig | server | Configuring client-server TLS |
Connections for the LDAP Link service | LDAPLinkTLSConfig | LDAPLink | TLS for LDAP link |
Connections between Vertica and an LDAP server to authenticate users | LDAPAuthTLSConfig | LDAPAuth | TLS for LDAP authentication |
Connections between Vertica nodes | InternodeTLSConfig | data_channel | Internode TLS |
Creating custom TLS configurations
You can create TLS Configurations with CREATE TLS CONFIGURATION.
The following example creates a TLS Configuration and enables it for client-server TLS by setting it in ServerTLSConfig:
- Create the keys and certificates:

  ```sql
  -- create CA certificate
  => CREATE KEY k_ca TYPE 'RSA' LENGTH 4096;
  => CREATE CA CERTIFICATE ca
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA'
       VALID FOR 3650
       EXTENSIONS 'nsComment' = 'Vertica generated root CA cert'
       KEY k_ca;

  -- create server certificate
  => CREATE KEY k_server TYPE 'RSA' LENGTH 2048;
  => CREATE CERTIFICATE server
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Cluster/emailAddress=example@example.com'
       SIGNED BY ca
       KEY k_server;
  ```

- Create the TLS Configuration with the server's certificate:

  ```sql
  => CREATE TLS CONFIGURATION new_tls_config CERTIFICATE server TLSMODE 'ENABLE';
  ```

- Set the ServerTLSConfig parameter to use the new TLS Configuration for client-server TLS:

  ```sql
  => ALTER DATABASE DEFAULT SET ServerTLSConfig = 'new_tls_config';
  ```
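The procedure above ends with TLSMODE 'ENABLE', which makes the server present its certificate but does not ask clients for one. As an added example (not from the Vertica documentation), the following builds on the same key and certificate objects to create a second configuration that also requires clients to present a certificate issued by the CA, switches ServerTLSConfig to it, and then reads back what is in effect. The ADD CA CERTIFICATES clause, the VERIFY_CA mode and the column names of the tls_configurations and configuration_parameters system tables are taken from my knowledge of Vertica rather than from this page, and the configuration names are constructed; check them against your release.

```sql
-- Added example, not part of the original page. Assumes the objects
-- k_ca, ca, k_server and server from the steps above already exist.

-- Server-authenticated only: clients verify the server, the server does
-- not validate a client certificate (equivalent to new_tls_config above).
=> CREATE TLS CONFIGURATION server_only_tls
     CERTIFICATE server
     TLSMODE 'ENABLE';

-- Mutually authenticated: the server presents 'server' and also requires
-- each client to present a certificate that chains to the CA 'ca'.
-- (ADD CA CERTIFICATES and VERIFY_CA: assumed syntax, see lead-in.)
=> CREATE TLS CONFIGURATION mtls_config
     CERTIFICATE server
     ADD CA CERTIFICATES ca
     TLSMODE 'VERIFY_CA';

-- Point client-server TLS at the mutual-TLS configuration.
=> ALTER DATABASE DEFAULT SET ServerTLSConfig = 'mtls_config';

-- Read back both configurations: 'mode' should differ and only
-- mtls_config should list a CA certificate. (Column names assumed.)
=> SELECT name, certificate, ca_certificates, mode
     FROM tls_configurations
    WHERE name IN ('server_only_tls', 'mtls_config');

-- Confirm which configuration ServerTLSConfig now points to.
=> SELECT parameter_name, current_value
     FROM configuration_parameters
    WHERE parameter_name = 'ServerTLSConfig';
```

Clients that connected with server-only TLS will be rejected once mtls_config is active unless they are provisioned with a certificate signed by 'ca', so stage the switch with those clients first.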