TLS Authentication Setup at Vertica CE 11.1+
I'm trying to set up TLS authentication on the Vertica 11.1+ CE vsql client (single-node Docker approach). Below are the steps I'm following:
Inside the container, using vsql and the dbadmin user:
- Create the root key using CREATE KEY
- Create a self-signed certificate authority using the CREATE CERTIFICATE statement
- Generate the server key (private key)
- Generate the server certificate using the server key (created at step 3), signed by the self-signed CA certificate (created at step 2) [using the IP of the host machine]
- Export the private key and certificate (crt and key files of the server and root)
- Provided the necessary permissions (chown dbadmin:verticadba and chmod 600) to the key and crt files exported at step 6 and ensured the key doesn't require a password
- Altered the TLS configuration (TLSMODE to verify-ca, certificate (server crt) and CA certificates (generated at step 2))
- Generate the client user key and certificate using the CREATE KEY and CREATE CERTIFICATE commands, using the key and signed by the step 2 crt (giving the common name as the db username for whom TLS is being set up), and validated it using openssl commands
- Moved the user key and crt files to the .vsql folder (inside the Docker container the only user is dbadmin, hence the owner of everything) and gave the necessary permissions (chmod 644), and also copied them into the host home folder
- Created the user and the TLS authentication at the database and granted it to the user
With one user (user 1), this is working fine (inside/outside the container). The issue is when I'm following steps 8-10 for another user (user 2): it says "Authentication Failed" from outside/inside the container when provided the same host IP (using -h). However, if I give the hostname as localhost from inside the container for user 2, it is working, but outside the container it's not working with the -h option providing the host IP.
It would be of great help if you could provide any insights regarding the authentication of user 2, or the correct steps to authenticate (TLS) multiple users.
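The procedure in the post, written out as one vsql session, as an added example that is not part of the original post. The object names (root_key, root_ca, server_key, server_cert, user2_key, user2_cert, tls_auth), the subject fields and the host IP 192.0.2.10 are assumptions; the final query against the certificates system table (and its signed_by column) is the check a reviewer would run first when a second user fails verify-ca authentication, since the server only accepts client certificates chained to the CA certificates listed in its TLS configuration.

```sql
-- Step 1-2: root key and self-signed CA (assumed names: root_key, root_ca)
CREATE KEY root_key TYPE 'RSA' LENGTH 2048;
CREATE CA CERTIFICATE root_ca
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=Example/OU=DB/CN=Example Root CA'
    VALID FOR 3650
    EXTENSIONS 'nsComment' = 'Example self-signed root CA'
    KEY root_key;

-- Step 3-4: server key and server certificate signed by root_ca.
-- CN is the host IP the clients connect to with -h (assumed: 192.0.2.10).
CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE server_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=Example/OU=DB/CN=192.0.2.10'
    SIGNED BY root_ca
    VALID FOR 365
    EXTENSIONS 'nsComment' = 'Vertica server', 'extendedKeyUsage' = 'serverAuth'
    KEY server_key;

-- Step 7: server TLS configuration. With VERIFY_CA the server requires a
-- client certificate and verifies it against the CA certificates listed here.
ALTER TLS CONFIGURATION server
    CERTIFICATE server_cert
    ADD CA CERTIFICATES root_ca
    TLSMODE 'VERIFY_CA';

-- Step 8: client key and certificate for the second user.
-- CN must equal the database user name, and the certificate MUST be signed by
-- the same CA that the server TLS configuration trusts (root_ca), not by a
-- second, separately created CA.
CREATE KEY user2_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE user2_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=Example/OU=DB/CN=user2'
    SIGNED BY root_ca
    VALID FOR 365
    EXTENSIONS 'nsComment' = 'user2 client certificate', 'extendedKeyUsage' = 'clientAuth'
    KEY user2_key;

-- Step 10: user, TLS authentication record for remote hosts, and the grant.
-- A separate LOCAL record is what makes "-h localhost" from inside the
-- container behave differently from a connection to the host IP.
CREATE USER user2;
CREATE AUTHENTICATION tls_auth METHOD 'tls' HOST TLS '0.0.0.0/0';
GRANT AUTHENTICATION tls_auth TO user2;

-- Diagnostic (assumed column names): confirm every client certificate chains
-- to root_ca and that its CN matches the user it is meant for.
SELECT name, subject, signed_by
FROM certificates
WHERE name IN ('user2_cert', 'server_cert');
```

After exporting user2_key and user2_cert, place them in the client's .vsql directory (or point vsql at them with the sslkey/sslcert settings the post already uses) and compare the signed_by value reported for each user's certificate: if user 1's certificate and user 2's certificate show different issuers, only the one issued by the CA in the server TLS configuration will pass verify-ca.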
@satriani06: The steps you are using are correct. What CA did you use to sign user2's client certificate?