Set up SSL authentication

I am following the Vertica 7.1 documentation, Administrator's Guide / Implementing Security / Client Authentication.  I have followed the documentation to create the server certificate, private key, and root certificate.  I use admintools to distribute them to each node in my 3-node cluster.  My cluster is CentOS 6.5 and has the VMart schema installed.  After the configuration parameter EnableSSL is set, the documentation then says to restart the database.  This is where I encounter problems.  I am using admintools to stop/start the database.  It won't start. 

The Vertica.log shows the following messages that may be helpful:

2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/2705: Connection received: host=143.122.35.121 port=46468 (connCnt 1)
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/4540: Received SSL negotiation startup packet
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/4691: Sending SSL negotiation response 'S'
2014-10-07 14:51:37.782 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 08V01/2805: Could not accept SSL connection: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2014-10-07 14:51:37.782 Init Session:0x7ff60000fc80 <FATAL> @v_vmart_node0002: {SessionRun} 08006/4777: SSL initialization failure
        LOCATION:  ProcessStartupPacket, /scratch_a/release/vbuild/vertica/Session/ClientSession.cpp:3710

I then go to each node in the cluster and edit vertica.conf to set EnableSSL=0, and I can start the instance. 

I've tried this 3 times now, creating new certificates each time.  Any help would be appreciated.


Comments

  • wwong2 (Employee)
    Try setting the new parameters manually.

    Please follow the below steps to enable SSL on your 7.1 database. This will require a restart at the end.

    Log in to vsql as the dbadmin user from any of the nodes and execute the steps below after replacing the necessary values.

    1. SELECT SET_CONFIG_PARAMETER('SSLPrivateKey', '<contents of server.key file>');
    Below is just an example. Kindly use the content of your server.key and copy complete content of it.

    SELECT SET_CONFIG_PARAMETER('SSLPrivateKey', '-----BEGIN PRIVATE KEY-----
    MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAL2z50jxQAkzaWp5
    CiigJOdXOQ6nf90=
    -----END PRIVATE KEY-----
    ');

    2. SELECT SET_CONFIG_PARAMETER('SSLCertificate', '<contents of server.crt file>');
    Below is just an example. Kindly use the content of your server.crt and copy complete content of it.

    SELECT SET_CONFIG_PARAMETER('SSLCertificate', '-----BEGIN CERTIFICATE-----
    MIICUjCCAbugAwIBAgIJAPBlEldOGPZHMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
    +JPSkjhqysIiC+qrJz1KT09Y8S5uFJ8uvGx1khdXlcykF4CTWovhR9U8IvBzpHNc
    Vkyi4XUaS0B7Q/d6JRRjZRRiVrjR9Q==
    -----END CERTIFICATE-----
    ');

    3. SELECT SET_CONFIG_PARAMETER('EnableSSL', '1');

    4. Kindly stop and start the database.
    5. To verify that SSL is enabled, check that EnableSSL = 1 and that the other two parameters (SSLPrivateKey, SSLCertificate) are present in vertica.conf, and also run the query below:
    VSQL=> select ssl_state from sessions;
    ssl_state
    -----------
    Server
    (1 row)

    The output 'Server' confirms that SSL is enabled.
  • Hi Jonathan,
    Here's another possible solution:

    There are two modes related to SSL/TLS: SSL Server Mode, and SSL Mutual Mode.  The log forwarded indicates that the server side is expecting a client certificate to be passed to it, but there is no indication that you are using SSL Mutual Mode.  If you were using SSL Mutual mode, you would need to create and install a client certificate on the client side.  As a fix, if you are not using SSL mutual mode, do not set the SSLCA configuration parameter.

    Hope this helps!

  • Thank you for your quick response.  However, I should mention that I am on Vertica Community Edition - Vertica Analytic Database v7.0.2-1.  Your suggestion isn't possible, as that appears to be a Vertica 7.1 feature.  There are no such configuration parameters in 7.0. 

    I can confirm that the certificates are in the correct location: the database's catalog directory on each node in the cluster.  I can confirm that the certificates have the correct permissions as well; they are owned by the dbadmin user and only the owner has rw permission on the files. 

    Any other suggestions?

  • 7.0 should work pretty much the same way, sans the new parameters (which did not exist until 7.1).  Instead of not setting the SSLCA parameter (which does not exist), try not distributing the root.crt file to each client. 


  • Also:
    No client certificate is needed in server mode, so removing the root.crt file from the server's catalog should solve the problem, because its existence there activates mutual mode. If you remove root.crt from the server's catalog directory, the server will only try to run in SSL server mode, and that should fix the problem.
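
One way to script the manual procedure from the first reply together with the root.crt check from the mutual-mode discussion above. This is an added example, not part of this thread and not Vertica's own tooling: a POSIX shell script that builds the three SET_CONFIG_PARAMETER statements from server.key and server.crt, refuses to emit them if root.crt is present in the catalog directory (which, per the replies above, makes the server demand a client certificate), and recognises the "peer did not return a certificate" line from the vertica.log excerpt in the question. The file names, the catalog path in the usage comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Vertica. Assumes server.key and
# server.crt in PEM form and a catalog directory path supplied by the caller.

# check_pem FILE LABEL: succeed only if FILE carries the BEGIN/END LABEL lines.
check_pem() {
    grep -q "^-----BEGIN $2-----" "$1" && grep -q "^-----END $2-----" "$1"
}

# set_param_sql PARAM FILE: emit SELECT SET_CONFIG_PARAMETER('PARAM', '<file>');
# PEM never contains a single quote, so the contents can be pasted verbatim,
# exactly as the manual procedure has you do by hand.
set_param_sql() {
    printf "SELECT SET_CONFIG_PARAMETER('%s', '" "$1"
    cat "$2"
    printf "');\n"
}

# ssl_mode_for_catalog DIR: "mutual" if root.crt is in the catalog directory,
# otherwise "server". The thread's diagnosis: root.crt there switches the
# server into mutual mode and it will demand a client certificate.
ssl_mode_for_catalog() {
    if [ -f "$1/root.crt" ]; then echo mutual; else echo server; fi
}

# gen_enable_ssl_sql KEYFILE CERTFILE: print the three statements from the
# procedure; fail before printing anything if a file is not what it claims
# (for example the certificate passed where the private key belongs).
gen_enable_ssl_sql() {
    check_pem "$1" "PRIVATE KEY" || check_pem "$1" "RSA PRIVATE KEY" || return 1
    check_pem "$2" CERTIFICATE || return 1
    set_param_sql SSLPrivateKey "$1"
    set_param_sql SSLCertificate "$2"
    echo "SELECT SET_CONFIG_PARAMETER('EnableSSL', '1');"
}

# diagnose_ssl_log LOGFILE: classify the SSL failure in a vertica.log. The
# SSL3_GET_CLIENT_CERTIFICATE message is the one from the question: the server
# asked for a client certificate and the client (here admintools' own
# connection) had none, i.e. mutual mode was active unintentionally.
diagnose_ssl_log() {
    if grep -q 'SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate' "$1"; then
        echo mutual-mode-no-client-cert
    elif grep -q 'SSL initialization failure' "$1"; then
        echo ssl-init-failure
    else
        echo no-ssl-error
    fi
}

# Usage (paths are assumptions, not the thread's):
#   sh enable_ssl.sh server.key server.crt /home/dbadmin/VMart/v_vmart_node0001_catalog | vsql -U dbadmin
if [ $# -eq 3 ]; then
    if [ "$(ssl_mode_for_catalog "$3")" = mutual ]; then
        echo "root.crt found in $3: the server would require client certificates (mutual mode); remove it for server mode" >&2
        exit 2
    fi
    gen_enable_ssl_sql "$1" "$2"
fi
```

Run it once per cluster, not per node: SET_CONFIG_PARAMETER is a database-wide setting, whereas the root.crt check has to be repeated in every node's catalog directory, since a single node left in mutual mode is enough to reproduce the failure in the question.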



  • I was able to get SSL Server mode working.

    • admintools fails to distribute the SSL files if you don't include a root.crt.  I had to go to each node and delete it.  I guess you could also distribute them manually to each node.  I was then able to enable SSL mode and restart the database successfully without the root.crt. 
    • For the client authentication piece, I am using Aqua Data Studio on a Windows workstation as a sample client.  I had to put root.crt on the client machine and add it to the Java Virtual Machine using the java keytool program.  After some trial and error, and much to my surprise, this all worked and I see my client session in the sessions system table has ssl_state = Server. 

    I ultimately want to get SSL Mutual Mode working.  I think I'll try and upgrade to 7.1 using a valid license key before moving on to this piece.

    Thanks for your help. 

  • Hi,

    I am also facing the same issue. I tried to distribute SSL and it's updated on all nodes. After that I could not start the database and I am getting the same error:

    Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 08V01/2805: Could not accept SSL connection: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

    I manually edited vertica.conf, set "EnableSSL = 0" and tried to start the database from admintools, but still I could not get it up and running. After restarting the database I checked vertica.conf and the value is still "EnableSSL = 1". Strange issue. Please help.

    Thanks,

    MG


  • Hi,

    Just have a quick question. When I am using SSL Server Mode, for JDBC as well as ODBC connections, do I need to set up the truststore for JDBC and the data source for ODBC?

    Do I need to pass "SSL=true" to acquire a JDBC or ODBC client connection?

    Or are just the server.crt and server.key files enough at the server end, with no change needed at the client end?
