TLS_CONFIGURATIONS

Lists settings for TLS Configuration objects for the server, LDAP, etc.

Lists settings for TLS Configuration objects for the server, LDAP, etc.

Column Name Data Type Description
NAME VARCHAR

Name of the TLS Configuration. OpenText™ Analytics Database includes the following TLS Configurations by default:

  • server

  • LDAPLink

  • LDAPAuth

  • data_channel

OWNER VARCHAR Owner of the TLS Configuration object.
CERTIFICATE VARCHAR The certificate associated with the TLS Configuration object.
CA_CERTIFICATES VARCHAR

The CA certificate(s) used to verify client certificates.

In cases where a TLS Configuration uses more than one CA, each CA will have its own row in the table.

CIPHER_SUITES VARCHAR The cipher suites to used to secure the connection.
MODE VARCHAR

How the database establishes TLS connections with another host, one of the following, in order of ascending security:

  • DISABLE: Disables TLS. All other options for this parameter enable TLS.

  • ENABLE: Enables TLS. The database does not check client certificates.

  • TRY_VERIFY: Attempts to establish a TLS connection if either of the following is true:

    • the remote host presents a valid certificate

    • the remote host does not present a certificate

    If the remote host presents an invalid certificate, the connection is rejected.

  • VERIFY_CA: The connection succeeds only if the database verifies that the remote host's certificate is issued by a trusted CA. If the remote host does not present a certificate, or the certificate is invalid, the connection is rejected.

  • VERIFY_FULL: Connection succeeds if the database verifies that the remote host's certificate is from a trusted CA and the certificate's cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the remote host.

    Note that for client certificates, cn is used for the username, so subjectAltName must match the hostname or IP address of the remote host.

VERIFY_FULL is unsupported for client-server TLS (the connection type handled by ServerTLSConfig) and behaves as VERIFY_CA.

Examples

In this example, the LDAPAuth TLS Configuration uses two CA certificates:

=> SELECT * FROM tls_configurations WHERE name='LDAPAuth';
    name   |  owner  | certificate | ca_certificate | cipher_suites |  mode
----------+---------+-------------+----------------+---------------+---------
 LDAPAuth | dbadmin | server_cert | ca             |               | DISABLE
 LDAPAuth | dbadmin | server_cert | ica            |               | DISABLE
(2 rows)

To make more clear the relationship between a TLS Configuration and its CA certificates, you can format the query with LISTAGG:

=> SELECT name, owner, certificate, LISTAGG(ca_certificate) AS ca_certificates, cipher_suites, mode
FROM tls_configurations
WHERE name='LDAPAuth'
GROUP BY name, owner, certificate, cipher_suites, mode
ORDER BY 1;
   name   |  owner  | certificate | ca_certificates | cipher_suites |  mode
----------+---------+-------------+-----------------+---------------+---------
 LDAPAuth | dbadmin | server_cert | ca,ica          |               | DISABLE
(1 row)