CREATE TLS CONFIGURATION
Creates a TLS Configuration object. For information on existing TLS Configuration objects, query TLS_CONFIGURATIONS.
To modify an existing TLS Configuration object, see ALTER TLS CONFIGURATION.
Syntax
CREATE TLS CONFIGURATION tls_config_name {
[ CERTIFICATE { NULL | cert_name } ]
[ CA CERTIFICATES ca_cert_name [,...] ]
[ CIPHER SUITES { '' | 'openssl_cipher [,...]' } ]
[ TLSMODE 'tlsmode' ]
}
Parameters
tls_config_name- The name of the TLS Configuration object.
cert_name- A certificate created with CREATE CERTIFICATE.
ca_cert_name- A CA certificate created with CREATE CERTIFICATE.
openssl_cipher- A comma-separated list of cipher suites to use instead of the default set of cipher suites. Providing an empty string for this parameter clears the alternate cipher suite list and instructs the specified TLS Configuration to use the default set of cipher suites.
To view enabled cipher suites, use LIST_ENABLED_CIPHERS.
tlsmode- How OpenText™ Analytics Database establishes TLS connections and handles client certificates, one of the following, in order of ascending security:
-
DISABLE: Disables TLS. All other options for this parameter enable TLS. -
ENABLE: Enables TLS. The database does not check client certificates. -
TRY_VERIFY: Attempts to establish a TLS connection if either of the following is true:-
the remote host presents a valid certificate
-
the remote host does not present a certificate
If the remote host presents an invalid certificate, the connection is rejected.
-
-
VERIFY_CA: The connection succeeds only if the database verifies that the remote host's certificate is issued by a trusted CA. If the remote host does not present a certificate, or the certificate is invalid, the connection is rejected. -
VERIFY_FULL: Connection succeeds if the database verifies that the remote host's certificate is from a trusted CA and the certificate'scn(Common Name) orsubjectAltNameattribute matches the hostname or IP address of the remote host.Note that for client certificates,
cnis used for the username, sosubjectAltNamemust match the hostname or IP address of the remote host.
VERIFY_FULLis unsupported for client-server TLS (theserverTLS Configuration context) and behaves asVERIFY_CA. -