Creating and enabling certificates

Deployment options: Netezza Performance Server for Cloud Pak for Data System

If you are on Netezza Performance Server 11.2.1.5, 11.2.2.0, or later and use ECDHE-ECDSA, you must create an ECDSA certificate and key and enable the following cipher suites. Both suites require TLS 1.2.

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256

Before you begin

  1. From the Netezza Performance Server host, verify that enable_tls_v12 is on. The ECDHE-ECDSA GCM suites above are TLS 1.2 suites, so if the variable is off, enable it before you continue.
    nzsql -u admin -pw password -c "show enable_tls_v12;"
    Example:
    nzsql -u admin -pw password -c "show enable_tls_v12;"
    NOTICE:  ENABLE_TLS_V12 is on
    SHOW VARIABLE
  2. Ensure that the ECDHE-ECDSA cipher suites are enabled in the postgresql.conf file. The ECDSA certificate is used only in an ECDHE-ECDSA suite.

    For more information, see Enabling and disabling ciphers.

Procedure

  1. As the nz user, list the named curves that the OpenSSL build on the host implements.
    openssl ecparam -list_curves
    Example:
    openssl ecparam -list_curves
    secp256k1 : SECG curve over a 256 bit prime field
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field

    Confirm that prime256v1 (NIST P-256) appears in the output; the certificate must be created with that curve.

  2. As the nz user, create a prime256v1 private key (server-key.pem).
    openssl ecparam -out server-key.pem -name prime256v1 -genkey
  3. Create a self-signed certificate (server-cert.pem) from that key. The command prompts for the subject fields; use the host name that clients connect to as the Common Name (CN). The -days value sets how long the certificate is valid.
    openssl req -new -key server-key.pem -x509 -nodes -days 365 -out server-cert.pem
  4. Change directories to /nz/kit/share/security.
    cd /nz/kit/share/security
  5. Back up the existing certificate files, then move the key and certificate that you created in steps 2 and 3 into /nz/kit/share/security under the expected file names. <new_cert_name> and <new_key_name> are the paths of the server-cert.pem and server-key.pem files that you created. Keep the private key file readable only by the nz user.
    1. mv server-cert-sp800-131a.pem.sample server-cert-sp800-131a.pem.sample.BKP
    2. mv server-key-sp800-131a.pem.sample server-key-sp800-131a.pem.sample.BKP
    3. mv <new_cert_name> server-cert-sp800-131a.pem.sample
    4. mv <new_key_name> server-key-sp800-131a.pem.sample
    Note:
    1. If you created and enabled the ECDHE-ECDSA certificate with these steps but the ECDHE-ECDSA ciphers are disabled in the postgresql.conf file, the certificate does not work, because the server can present an ECDSA certificate only in an ECDHE-ECDSA cipher suite. Ensure that you enable the ciphers, or download the RSA certificate instead.
      The following ciphers work with the default RSA certificate:
      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES128-GCM-SHA256
      • AES256-GCM-SHA384
      • AES128-GCM-SHA256
    2. If you later disable ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES128-GCM-SHA256, you must first restore the certificate files that you backed up in step 5. While the ECDSA certificate is installed, those ciphers cannot be disabled.
  6. Restart the system.
    1. nzstop
    2. nzstart
  7. Verify that the changes were applied.
    1. Run the nzsql command.
      nzsql -u admin -pw password -securityLevel onlySecured
      Example:
      $  nzsql -u admin -pw password -securityLevel onlySecured
      Welcome to nzsql, the IBM Netezza SQL interactive terminal.
      
      Type:  \h for help with SQL commands
             \? for help on internal slash commands
             \g or terminate with semicolon to execute query
             \q to quit
      
      SSL enabled connection. Cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2

      The Cipher value shows which certificate the server presented. An ECDHE-RSA or AES*-GCM-SHA* suite, as in this sample output, means the RSA certificate is in use; after you install the ECDSA certificate, the value must be ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES128-GCM-SHA256.
    2. Look for the following entries in postgres/pg.log. The cipher on the SSL_accept line must match the one that nzsql reported.
      DEBUG: readHandshakeClientPacket ssl request=3
      DEBUG:  Attempting SSL_accept()
      DEBUG:  secure connection: protocol = TLSv1.2
      DEBUG:  SSL_accept succeeded with cipher = ECDHE-RSA-AES256-GCM-SHA384
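The key and certificate generation of steps 2 and 3, followed by a pre-installation check that the pair really is a prime256v1 ECDSA key with a certificate that carries that key's public half, as an added shell example that is not part of the Netezza documentation. It also builds an RSA pair and shows that the same check rejects it, which is the mismatch the first note in step 5 warns about. The work directories, the subject CN, and the function names (make_ecdsa_pair, make_rsa_pair, key_curve, verify_ecdsa_pair) are assumptions for this example; the openssl commands are the standard ones.

```shell
#!/bin/sh
# Added example, not from the Netezza documentation.
# Generates the prime256v1 key and self-signed certificate of steps 2-3 and
# checks the pair before it is moved under /nz/kit/share/security (step 5).
# Work directories, subject CN and function names are assumptions.
set -eu

# Create server-key.pem and server-cert.pem in directory $1, as steps 2 and 3 do.
# -noout drops the separate "EC PARAMETERS" block that the page's command also
# writes; openssl req accepts the key file in either form.
make_ecdsa_pair() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server-key.pem"
    # -subj answers the subject prompts non-interactively; the CN is a placeholder.
    openssl req -new -x509 -nodes -days 365 \
        -key "$dir/server-key.pem" \
        -subj "/CN=netezza.example.invalid" \
        -out "$dir/server-cert.pem" 2>/dev/null
}

# Create an RSA pair in directory $1: the default certificate type, which the
# ECDHE-ECDSA cipher suites cannot authenticate with.
make_rsa_pair() {
    dir=$1
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 365 \
        -key "$dir/server-key.pem" \
        -subj "/CN=netezza.example.invalid" \
        -out "$dir/server-cert.pem" 2>/dev/null
}

# Print the named curve of the EC private key in $1 (for example prime256v1).
# Prints nothing if the file does not hold an EC key.
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^.*ASN1 OID: *//p'
}

# Return 0 if $1/server-key.pem is a prime256v1 key and $1/server-cert.pem
# carries exactly that key's public half (same SubjectPublicKeyInfo); 1 otherwise.
verify_ecdsa_pair() {
    dir=$1
    curve=$(key_curve "$dir/server-key.pem") || curve=""
    [ "$curve" = "prime256v1" ] || return 1
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone run: the ECDSA pair passes, the RSA pair is rejected.
demo() {
    ec_dir=$(mktemp -d)
    rsa_dir=$(mktemp -d)
    make_ecdsa_pair "$ec_dir"
    make_rsa_pair "$rsa_dir"
    verify_ecdsa_pair "$ec_dir" && echo "ok: $ec_dir holds a matching prime256v1 ECDSA pair"
    verify_ecdsa_pair "$rsa_dir" || echo "rejected: $rsa_dir holds an RSA pair, unusable with ECDHE-ECDSA ciphers"
    rm -rf "$ec_dir" "$rsa_dir"
}
demo
```

Run the check on the files from steps 2 and 3 before step 5; a pair that fails verify_ecdsa_pair would be installed as server-cert-sp800-131a.pem.sample only to leave the server negotiating ECDHE-RSA suites, which is exactly what the nzsql verification in step 7 would then report.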