Determining the TLS mode of the database

When you configure OpenText™ Analytics Database for TLS through the Management Console, you must configure the security mode to match what the database is configured to require: server mode or mutual mode.

To determine the TLS mode for existing sessions, query the SESSIONS system table:

=> SELECT session_id, user_name, ssl_state FROM sessions;
           session_id            | user_name | ssl_state
---------------------------------+-----------+-----------
 v_vmart_node0001-333611:0x1ab   | dbadmin   | mutual

To determine the database's client-server TLS configuration, query the TLS_CONFIGURATIONS system table for the "server":

=> SELECT name, certificate, ca_certificates, mode FROM tls_configurations WHERE name = 'server';
  name  |   certificate    |   ca_certificates   |   mode
--------+------------------+---------------------+-----------
 server | server_cert      | ca_cert,ica_cert    | VERIFY_CA
(1 row)

The "mode" can be one of the following, in ascending security:

  • DISABLE: Disables TLS. All other options for this parameter enable TLS.

  • ENABLE: Enables TLS. The database does not check client certificates.

  • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

    • the other host presents a valid certificate

    • the other host doesn't present a certificate

    If the other host presents an invalid certificate, the connection will use plaintext.

  • VERIFY_CA: Connection succeeds if the database verifies that the other host's certificate is from a trusted CA. If the other host does not present a certificate, the connection uses plaintext.

  • VERIFY_FULL: Connection succeeds if the database verifies that the other host's certificate is from a trusted CA and the certificate's cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the other host.

    Note that for client certificates, cn is used for the username, so subjectAltName must match the hostname or IP address of the other host.

A mode of TRY_VERIFY or higher indicates that the database is in mutual mode. In mutual mode, the database sends its server certificate to the client for verification, and uses the CA certificates (in this case, "ca_cert" and "ica_cert") to verify client certificates.

In contrast, a server mode configuration (which doesn't verify client certificates) might have the following TLS configuration instead:

=> SELECT name, certificate, ca_certificates, mode FROM tls_configurations WHERE name = 'server';
  name  |   certificate    |   ca_certificates   |   mode
--------+------------------+---------------------+-----------
 server | server_cert      |                     | ENABLE
(1 row)
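The two lookups above (the SESSIONS check and the TLS_CONFIGURATIONS check) can be combined into a short report that applies the mode ordering described on this page and flags the conditions a defender cares about. The following SQL is an added example, not part of the original documentation: it assumes only the columns shown in the queries above, assumes that the "mode" values are stored in uppercase as displayed, and assumes that ssl_state takes the values "none", "server" and "mutual" (only "mutual" appears in the sample output, so the other two are assumptions).

```sql
-- Added example (not from the original page).
-- 1. Classify the "server" TLS configuration into the Management Console
--    security mode, using the ordering DISABLE < ENABLE < TRY_VERIFY <
--    VERIFY_CA < VERIFY_FULL given in the text. Any mode of TRY_VERIFY or
--    higher is mutual mode; ENABLE alone is server mode.
SELECT name,
       mode,
       CASE
         WHEN mode = 'DISABLE' THEN 'tls disabled'
         WHEN mode = 'ENABLE'  THEN 'server mode'
         WHEN mode IN ('TRY_VERIFY', 'VERIFY_CA', 'VERIFY_FULL') THEN 'mutual mode'
         ELSE 'unknown mode'
       END AS security_mode,
       -- Mutual mode verifies client certificates against ca_certificates,
       -- so a mutual-mode row with no CA certificates listed is worth a
       -- second look before clients are configured to present certificates.
       CASE
         WHEN mode IN ('TRY_VERIFY', 'VERIFY_CA', 'VERIFY_FULL')
              AND (ca_certificates IS NULL OR ca_certificates = '')
         THEN 'WARNING: mutual mode but no CA certificates configured'
         ELSE 'ok'
       END AS check_result
FROM tls_configurations
WHERE name = 'server';

-- 2. Summarise existing sessions by negotiated TLS state. Under TRY_VERIFY
--    and VERIFY_CA the text notes that a connection can fall back to
--    plaintext, so 'none' rows here are sessions that did not receive the
--    protection the configured mode was meant to provide.
--    (ssl_state values other than 'mutual' are assumed; LOWER() makes the
--    comparison independent of how the value is capitalised.)
SELECT LOWER(ssl_state) AS ssl_state,
       COUNT(*)         AS session_count
FROM sessions
GROUP BY LOWER(ssl_state)
ORDER BY session_count DESC;

-- 3. List any plaintext sessions individually for follow-up.
SELECT session_id, user_name, ssl_state
FROM sessions
WHERE LOWER(ssl_state) = 'none';
```

Run the three statements from the same vsql session used for the queries above. The first result tells you which security mode to select in the Management Console; the second and third tell you whether the sessions actually connected at that level, which is the check to repeat after changing the mode, since a plaintext fallback under TRY_VERIFY or VERIFY_CA is silent from the client's point of view.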