Set up SSL authentication
I am following the Vertica 7.1 documentation Administrators Guide/Implementing Security/Client Authentication. I have followed the documentation to create the server certificate, private key, and root certificate. I use admin tools to distribute them to each node in my 3 node cluster. My cluster is CentOS 6.5 and has the VMart schema installed. After the configuration parameter EnableSSL is set, the documentation then says to restart the database. This is where I encounter problems. I am using admin tools to stop/start the database. It won't start.
The Vertica.log shows the following messages that may be helpful:
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/2705: Connection received: host=143.122.35.121 port=46468 (connCnt 1)
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/4540: Received SSL negotiation startup packet
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/4691: Sending SSL negotiation response 'S'
2014-10-07 14:51:37.782 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 08V01/2805: Could not accept SSL connection: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2014-10-07 14:51:37.782 Init Session:0x7ff60000fc80 <FATAL> @v_vmart_node0002: {SessionRun} 08006/4777: SSL initialization failure
LOCATION: ProcessStartupPacket, /scratch_a/release/vbuild/vertica/Session/ClientSession.cpp:3710
I then go to each node in the cluster and edit Vertica.conf to set EnableSSL=0 and I can start the instance.
I've tried this 3 times now creating new certificates each time. Any help would be appreciated.
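The log excerpt above contains the whole story of one failed session: the client announces SSL, the server answers 'S', and the handshake then dies because the server demanded a client certificate that was never sent. The script below is an added example for this thread (not Vertica code, and not something the poster ran); it groups vertica.log lines by session id and reports each session whose SSL handshake failed together with the OpenSSL reason string. The line format is inferred from the lines quoted above, the second session in the sample is constructed to show that a handshake without a failure line is not flagged, and the advice text is the conclusion the thread reaches later.

```python
"""Classify Vertica SSL negotiation failures from vertica.log lines.

Added example for this thread, not Vertica code. The line layout is
inferred from the lines quoted in the question; the second session in
SAMPLE_LOG is constructed for the demonstration.
"""
import re
from collections import defaultdict

# timestamp, session id, <LEVEL>, @node, optional {Component}, SQLSTATE/msgid, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<session>Init Session:0x[0-9a-f]+) "
    r"<(?P<level>[A-Z]+)> "
    r"@(?P<node>v_\w+): "
    r"(?:\{\w+\} )?"
    r"(?P<sqlstate>[0-9A-Z]{5})/(?P<msgid>\d+): "
    r"(?P<msg>.*)$"
)

# OpenSSL reason string -> what an operator should check. Only the reason
# seen in this thread is mapped; anything else falls through to a generic hint.
DIAGNOSIS = {
    "peer did not return a certificate": (
        "server is in mutual (client-certificate) mode but the client sent no "
        "certificate: if only SSL server mode is intended, do not install a CA "
        "file on the server; otherwise give the client a certificate"
    ),
}

def parse_line(line):
    """Return the named fields of a vertica.log line, or None for
    continuation lines such as the LOCATION: line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(log_text):
    """One finding per session whose SSL handshake was rejected."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            sessions[rec["session"]].append(rec)

    findings = []
    for sid, recs in sessions.items():
        failure = next((r for r in recs if "Could not accept SSL connection" in r["msg"]), None)
        if failure is None:
            continue  # handshake did not fail (or was never attempted)
        negotiated = any("SSL negotiation startup packet" in r["msg"] for r in recs)
        fatal = any(r["level"] == "FATAL" and "SSL initialization failure" in r["msg"] for r in recs)
        # The OpenSSL error string ends with the human-readable reason.
        reason = failure["msg"].rsplit(":", 1)[-1].strip()
        findings.append({
            "session": sid,
            "node": failure["node"],
            "timestamp": failure["ts"],
            "negotiated": negotiated,
            "fatal": fatal,
            "reason": reason,
            "advice": DIAGNOSIS.get(reason, "unrecognised OpenSSL reason; review the server SSL settings"),
        })
    return findings

# First five lines are the ones quoted in the question; the last three are a
# constructed second session that gets as far as 'S' and is not flagged.
SAMPLE_LOG = """\
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/2705: Connection received: host=143.122.35.121 port=46468 (connCnt 1)
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/4540: Received SSL negotiation startup packet
2014-10-07 14:51:37.761 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 00000/4691: Sending SSL negotiation response 'S'
2014-10-07 14:51:37.782 Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 08V01/2805: Could not accept SSL connection: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2014-10-07 14:51:37.782 Init Session:0x7ff60000fc80 <FATAL> @v_vmart_node0002: {SessionRun} 08006/4777: SSL initialization failure
LOCATION: ProcessStartupPacket, /scratch_a/release/vbuild/vertica/Session/ClientSession.cpp:3710
2014-10-07 14:52:01.004 Init Session:0x7ff60000fd00 <LOG> @v_vmart_node0002: 00000/2705: Connection received: host=10.0.0.5 port=50123 (connCnt 1)
2014-10-07 14:52:01.004 Init Session:0x7ff60000fd00 <LOG> @v_vmart_node0002: 00000/4540: Received SSL negotiation startup packet
2014-10-07 14:52:01.004 Init Session:0x7ff60000fd00 <LOG> @v_vmart_node0002: 00000/4691: Sending SSL negotiation response 'S'
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['node']} {f['session']}: {f['reason']}")
        print(f"  -> {f['advice']}")
```

Run it against a real vertica.log by reading the file into `analyse()`; a session that reaches "Sending SSL negotiation response 'S'" but has no "Could not accept SSL connection" line completed its handshake and is left out of the report.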
Comments
Please follow the below steps to enable SSL on your 7.1 database. This will require a restart at the end.
Log in to VSQL using the dbadmin user from any of the nodes and execute the steps below after replacing the necessary values.
1. SELECT SET_CONFIG_PARAMETER('SSLPrivateKey', '<contents of server.key file>');
Below is just an example. Kindly use the content of your server.key and copy the complete content of it.
SELECT SET_CONFIG_PARAMETER('SSLPrivateKey', '-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAL2z50jxQAkzaWp5
CiigJOdXOQ6nf90=
-----END PRIVATE KEY-----
');
2. SELECT SET_CONFIG_PARAMETER('SSLCertificate', '<contents of server.crt file>');
Below is just an example. Kindly use the content of your server.crt and copy the complete content of it.
SELECT SET_CONFIG_PARAMETER('SSLCertificate', '-----BEGIN CERTIFICATE-----
MIICUjCCAbugAwIBAgIJAPBlEldOGPZHMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
+JPSkjhqysIiC+qrJz1KT09Y8S5uFJ8uvGx1khdXlcykF4CTWovhR9U8IvBzpHNc
Vkyi4XUaS0B7Q/d6JRRjZRRiVrjR9Q==
-----END CERTIFICATE-----
');
3. SELECT SET_CONFIG_PARAMETER('EnableSSL', '1');
4. Kindly stop and start the database.
5. To verify that SSL is enabled, you can check that EnableSSL = 1 and the other two parameters (SSLPrivateKey, SSLCertificate) are set in vertica.conf, and can also run the query below:
VSQL=> select ssl_state from sessions;
ssl_state
-----------
Server
(1 row)
The output 'Server' confirms that SSL is enabled.
Here's another possible solution:
There are two modes related to SSL/TLS: SSL Server Mode, and SSL Mutual Mode. The log forwarded indicates that the server side is expecting a client certificate to be passed to it, but there is no indication that you are using SSL Mutual Mode. If you were using SSL Mutual mode, you would need to create and install a client certificate on the client side. As a fix, if you are not using SSL mutual mode, do not set the SSLCA configuration parameter.
Hope this helps!
Thank you for your quick response. However, I should mention that I am using Vertica Community Edition - Vertica Analytic Database v7.0.2-1. Your suggestion isn't possible as that appears to be a Vertica 7.1 feature. There are no such configuration parameters in 7.0.
I can confirm that the certificates are in the correct location: the database's catalog directory on each node in the cluster. I can confirm that the certificates have the correct permissions as well; they are owned by the dbadmin user and only the owner has rw permission on the files.
Any other suggestions?
No client certificate is needed in server mode, so removing the root.crt file from the server's catalog should solve the problem, because its existence there activates the mutual mode. If you remove root.crt from the server's catalog directory, the server will only try to run in SSL server mode, and that should fix the problem.
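Because the mode a 7.0 node comes up in is decided by which files sit in its catalog directory, a quick pre-restart check saves a failed start. The script below is an added example for this thread (not Vertica code): it predicts the SSL mode from the presence of server.crt, server.key and root.crt, using the rule stated in the answer above, and applies the ownership and permission expectations the original poster describes (files owned by the database user, private key readable by the owner only). The file names follow the thread; the catalog directory built by `build_demo_catalog()` is constructed with placeholder PEM files for the demonstration.

```python
"""Predict a Vertica node's SSL mode from its catalog directory and check
file ownership and permissions before restarting.

Added example for this thread, not Vertica code. The rule "root.crt present
=> mutual mode" comes from the answer above; the demo directory is constructed.
"""
import os
import stat
import tempfile

SERVER_FILES = ("server.crt", "server.key")
CLIENT_CA_FILE = "root.crt"

def ssl_mode(catalog_dir):
    """'disabled' without a server cert+key, 'mutual' if root.crt is also
    present (the server will demand a client certificate), else 'server'."""
    def have(name):
        return os.path.isfile(os.path.join(catalog_dir, name))
    if not all(have(f) for f in SERVER_FILES):
        return "disabled"
    return "mutual" if have(CLIENT_CA_FILE) else "server"

def permission_problems(catalog_dir, expected_uid=None):
    """Findings for the SSL files: the private key must grant nothing to
    group/other, certificates must not be group/other writable, and every
    file should be owned by the database user (defaults to the current uid)."""
    if expected_uid is None:
        expected_uid = getattr(os, "getuid", lambda: None)()  # None on platforms without uids
    problems = []
    for name in SERVER_FILES + (CLIENT_CA_FILE,):
        path = os.path.join(catalog_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if name == "server.key":
            forbidden = stat.S_IRWXG | stat.S_IRWXO          # key: owner only
        else:
            forbidden = stat.S_IWGRP | stat.S_IWOTH          # certs: nobody else may write
        if mode & forbidden:
            problems.append(f"{name}: mode {mode:04o} is too permissive")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems

def diagnose(catalog_dir):
    """Everything an operator wants before 'restart database' in one dict."""
    return {"mode": ssl_mode(catalog_dir), "problems": permission_problems(catalog_dir)}

def build_demo_catalog(mutual, loose_key=False):
    """Constructed catalog directory with placeholder (not real) PEM files.
    mutual=True also drops in root.crt; loose_key=True leaves the key 0644."""
    d = tempfile.mkdtemp(prefix="vertica_catalog_")
    names = list(SERVER_FILES) + ([CLIENT_CA_FILE] if mutual else [])
    for name in names:
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\nconstructed, not a real PEM\n-----END PLACEHOLDER-----\n")
        os.chmod(path, 0o644 if (loose_key and name == "server.key") else 0o600)
    return d

if __name__ == "__main__":
    for label, d in (("server mode", build_demo_catalog(mutual=False)),
                     ("mutual mode", build_demo_catalog(mutual=True)),
                     ("loose key", build_demo_catalog(mutual=False, loose_key=True))):
        print(label, diagnose(d))
```

Point `diagnose()` at a real node's catalog directory (as dbadmin, so the uid comparison is meaningful); a result of `mutual` when no client certificates were ever issued is exactly the situation the log in the question describes.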
I was able to get SSL Server mode working.
I ultimately want to get SSL Mutual Mode working. I think I'll try and upgrade to 7.1 using a valid license key before moving on to this piece.
Thanks for your help.
Hi,
I am also facing the same issue. I tried to distribute SSL and it's updated on all nodes. After that I could not start the database and I am getting the same error:
Init Session:0x7ff60000fc80 <LOG> @v_vmart_node0002: 08V01/2805: Could not accept SSL connection: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
I manually edited vertica.conf and set "EnableSSL =0" and tried to start the database from admin tools, but still I could not get it up and running. After restarting the database I checked vertica.conf and the value is still "EnableSSL = 1". Strange issue. Please help.
Thanks,
MG
Hi,
Just have a quick question. When I am using SSL Server Mode, for JDBC as well as ODBC connections do I need to set up the truststore for JDBC and the data source for ODBC?
Do I need to pass "SSL=true" to acquire a JDBC or ODBC client connection?
Or are just the server.crt and server.key files enough at the server, with no change needed at the client end?