Control channel Spread TLS

The control channel allows nodes to exchange plan information with one another and to distribute calls among nodes. Enabling Spread security secures this communication with TLS. See Internode TLS for more information.

Internode TLS uses the following channels. Both must be enabled in the following order before you set other parameters:

  1. Control Channel, implemented with Spread, which allows nodes to exchange plan information and distribute calls. For details, see spread.org.

  2. Data Channel, implemented with TCP, which allows nodes to exchange table data.

Enable EncryptSpreadComm

EncryptSpreadComm controls Spread encryption and can be set to one of two values:

  • vertica: Vertica generates the Spread encryption key for the cluster when the database starts up.

  • aws-kms|key_name: Vertica fetches the user-specified key from the AWS Key Management Service when the database starts up, rather than generating one itself.

You can verify the current value of EncryptSpreadComm with SECURITY_CONFIG_CHECK:

=> SELECT SECURITY_CONFIG_CHECK('NETWORK');

In general, you should set the EncryptSpreadComm parameter to enable Spread encryption before setting any other security parameters.

To create a new database with EncryptSpreadComm set:

$ admintools -t create_db -d my_db -s 192.0.2.100,192.0.2.101,192.0.2.10 \
    -c '/catalog/path' --config-param EncryptSpreadComm='aws-kms|abcde123-ab12-1234-abcd-abcde1234567'

To set EncryptSpreadComm on an existing database:

  1. Set the EncryptSpreadComm parameter with ALTER DATABASE:
    => ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'vertica';
    
  2. Restart the database.
  3. Verify your settings with SECURITY_CONFIG_CHECK.
    => SELECT SECURITY_CONFIG_CHECK('NETWORK');
    -------------------------------------------
     Spread security details:
    * EncryptSpreadComm = [vertica]
    Spread encryption is enabled
    It is now safe to set/change other security knobs
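
An added example (not part of the Vertica documentation): a fail-closed shell check over the SECURITY_CONFIG_CHECK('NETWORK') report, usable as an audit step after the restart in step 2. The function names and the samples marked as constructed are assumptions made here; the report layout is assumed to match the output shown above.

```shell
#!/bin/sh
# Added example: fail-closed audit of a SECURITY_CONFIG_CHECK('NETWORK') report.

# Report as shown on this page.
SAMPLE_ENABLED=' Spread security details:
* EncryptSpreadComm = [vertica]
Spread encryption is enabled
It is now safe to set/change other security knobs'

# Constructed samples (not captured from a real cluster).
SAMPLE_KMS=' Spread security details:
* EncryptSpreadComm = [aws-kms|abcde123-ab12-1234-abcd-abcde1234567]
Spread encryption is enabled'
SAMPLE_EMPTY=' Spread security details:
* EncryptSpreadComm = []'
SAMPLE_UNCONFIRMED='* EncryptSpreadComm = [vertica]'

# Print the text between the brackets of the EncryptSpreadComm line.
spread_enc_value() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\*[[:space:]]*EncryptSpreadComm[[:space:]]*=[[:space:]]*\[\(.*\)][[:space:]]*$/\1/p' |
        head -n 1
}

# Return 0 only when the value is one of the two documented settings AND the
# report confirms encryption; a missing or unexpected line is a failure.
check_spread_encryption() {
    report=$1
    value=$(spread_enc_value "$report")
    case $value in
        vertica | 'aws-kms|'?*) ;;
        *) echo "FAIL: EncryptSpreadComm=[$value] is not a documented value" >&2
           return 1 ;;
    esac
    if ! printf '%s\n' "$report" |
        grep -q '^[[:space:]]*Spread encryption is enabled[[:space:]]*$'; then
        echo "FAIL: report does not confirm that Spread encryption is enabled" >&2
        return 1
    fi
    echo "OK: EncryptSpreadComm=[$value], Spread encryption is enabled"
}

check_spread_encryption "$SAMPLE_ENABLED"
```

To audit a live cluster, pass the output of `vsql -At -c "SELECT SECURITY_CONFIG_CHECK('NETWORK');"` as the function's argument; connection options are site-specific.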
    

Privileges

Superuser

Restrictions

If you set this parameter on an existing database with ALTER DATABASE, you must restart the database for it to take effect.
