Deployment options: Netezza Performance Server for Cloud Pak for Data System

If you are on Netezza Performance Server 11.2.1.5, 11.2.2.0 or later, and use ECDHE-ECDSA, you must create an ECDSA (EC) certificate and enable the following ciphers:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
Before you begin
- From the Netezza Performance Server host, verify that enable_tls_v12 is on:
nzsql -u admin -pw password -c "show enable_tls_v12;"
Example:
$ nzsql -u admin -pw password -c "show enable_tls_v12;"
show enable_tls_v12;
NOTICE: ENABLE_TLS_V12 is on
SHOW VARIABLE
The examples pass the password with -pw, which makes it visible in the process list; on a shared host, set NZ_PASSWORD in the environment or let nzsql prompt for it instead.
- Ensure that the ECDHE-ECDSA ciphers are enabled in the postgresql.conf file. For more information, see Enabling and disabling ciphers.
Procedure
- As the nz user, list the EC parameter names (curves) that are implemented:
openssl ecparam -list_curves
Example:
$ openssl ecparam -list_curves
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
Based on this output, you must create the certificate with prime256v1; it must appear in the list.
- As the nz user, generate prime256v1 EC parameters and a private key (server-key.pem):
openssl ecparam -out server-key.pem -name prime256v1 -genkey
- Create a self-signed certificate, server-cert.pem, from that key. The command prompts for the subject fields, and -days 365 makes the certificate valid for one year, so plan to renew it before it expires:
openssl req -new -key server-key.pem -x509 -nodes -days 365 -out server-cert.pem
- Change directories to /nz/kit/share/security:
cd /nz/kit/share/security
- Back up the existing certificate files, then copy the key and certificate that you created in steps 2 and 3 into /nz/kit/share/security under the sample file names:
mv server-cert-sp800-131a.pem.sample server-cert-sp800-131a.pem.sample.BKP
mv server-key-sp800-131a.pem.sample server-key-sp800-131a.pem.sample.BKP
mv <new_cert_name> server-cert-sp800-131a.pem.sample
mv <new_key_name> server-key-sp800-131a.pem.sample
Note:
- If you created and enabled the ECDHE-ECDSA certificate with these steps but the ECDHE-ECDSA ciphers are disabled in the postgresql.conf file, the certificate does not work. Either enable the ciphers or use the default RSA certificate. The following ciphers work with the default RSA certificate:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256
- If you disable ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES128-GCM-SHA256, you must revert to the certificate files that you backed up. If you do not revert the certificates, the ciphers cannot be disabled.
- Restart the system.
- Verify that the changes were applied.
- Run the nzsql command with -securityLevel onlySecured and check the cipher that is reported in the connection banner:
nzsql -u admin -pw password -securityLevel onlySecured
Example:
$ nzsql -u admin -pw password -securityLevel onlySecured
Welcome to nzsql, the IBM Netezza SQL interactive terminal.
Type: \h for help with SQL commands
      \? for help on internal slash commands
      \g or terminate with semicolon to execute query
      \q to quit
SSL enabled connection. Cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2
The cipher name tells you which certificate the server presented: an ECDHE-ECDSA suite means the new EC certificate is in use, while an ECDHE-RSA suite, as in this example, means the server is still using the default RSA certificate.
- Look for the following entries in postgres/pg.log:
DEBUG: readHandshakeClientPacket ssl request=3
DEBUG: Attempting SSL_accept()
DEBUG: secure connection: protocol = TLSv1.2
DEBUG: SSL_accept succeeded with cipher = ECDHE-RSA-AES256-GCM-SHA384
The same check applies to the SSL_accept line: with the EC certificate in place and the ECDHE-ECDSA ciphers enabled, the reported cipher is one of the ECDHE-ECDSA suites.
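The whole procedure above, generation, checking and installation of the EC certificate plus the verification of the negotiated cipher, as an added shell example. This is not IBM's script; it uses the same openssl commands as the procedure but adds a check that the certificate really is an ECDSA certificate on prime256v1 that matches the key before anything is installed, and it classifies the cipher reported by nzsql or pg.log so that an ECDHE-RSA result is recognised as "default RSA certificate still in use". The certificate subject, the chmod on the key, the demo directory and all file names other than the sp800-131a sample names are assumptions for illustration; run demo only against a scratch directory, never directly against /nz/kit/share/security without the backups the procedure calls for.

```shell
#!/bin/sh
# Added example (not IBM's script): create a prime256v1 key and self-signed
# certificate, verify it is an ECDSA certificate that matches the key, install
# it under the sp800-131a sample names with backups, and classify the cipher
# that nzsql or pg.log reports. Subject, chmod and demo paths are assumptions.
set -eu

# Generate a private key on CURVE and a self-signed X.509 certificate for it.
# Same openssl commands as the procedure; -noout keeps the EC PARAMETERS block
# out of the key file and -subj avoids the interactive prompts of openssl req.
make_ec_cert() {
    curve=$1; key=$2; cert=$3; days=${4:-365}
    openssl ecparam -name "$curve" -genkey -noout -out "$key"
    openssl req -new -key "$key" -x509 -nodes -days "$days" \
        -subj "/CN=nps-ecdsa-example" -out "$cert"
}

# Succeed only if CERT is an ECDSA certificate on CURVE and carries the public
# key of KEY; an RSA or mismatched certificate is rejected before installation.
check_ec_cert() {
    curve=$1; key=$2; cert=$3
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -q "ASN1 OID: $curve" || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-' || return 1
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Move the existing sample files aside as .BKP and put the new certificate and
# key in their place, as the procedure does in /nz/kit/share/security.
install_ec_cert() {
    dir=$1; key=$2; cert=$3
    for f in server-cert-sp800-131a.pem.sample server-key-sp800-131a.pem.sample; do
        if [ -e "$dir/$f" ]; then mv "$dir/$f" "$dir/$f.BKP"; fi
    done
    mv "$cert" "$dir/server-cert-sp800-131a.pem.sample"
    mv "$key"  "$dir/server-key-sp800-131a.pem.sample"
    chmod 600 "$dir/server-key-sp800-131a.pem.sample"   # private key: owner only
}

# Print which certificate the server presented, judged by the negotiated cipher
# in an nzsql "SSL enabled connection." banner or a pg.log "SSL_accept
# succeeded" line: ecdsa = the new EC certificate, rsa = the default RSA
# certificate (the four RSA suites listed in the note), none = no cipher given.
cert_in_use() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/.*[Cc]ipher[ :=]*\([A-Z0-9-]*\).*/\1/p')
    case $cipher in
        ECDHE-ECDSA-*)          echo ecdsa ;;
        ECDHE-RSA-*|AES*-GCM-*) echo rsa ;;
        '')                     echo none ;;
        *)                      echo unknown ;;
    esac
}

# Stand-alone walk-through in a temporary directory that stands in for
# /nz/kit/share/security; the two empty .sample files are constructed stand-ins
# for the shipped samples, and the banner line is the one from the page.
demo() {
    work=$(mktemp -d)
    sec="$work/security"; mkdir "$sec"
    : > "$sec/server-cert-sp800-131a.pem.sample"
    : > "$sec/server-key-sp800-131a.pem.sample"
    make_ec_cert prime256v1 "$work/server-key.pem" "$work/server-cert.pem" 365
    check_ec_cert prime256v1 "$work/server-key.pem" "$work/server-cert.pem"
    install_ec_cert "$sec" "$work/server-key.pem" "$work/server-cert.pem"
    ls -l "$sec"
    cert_in_use 'SSL enabled connection. Cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2'
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ecdsa-cert.sh demo` (file name assumed). The demo ends by classifying the page's own banner line, which prints rsa: the installed EC certificate is only used once the ECDHE-ECDSA ciphers are enabled in postgresql.conf and the system is restarted, so seeing ecdsa from cert_in_use on the real banner or pg.log line is the confirmation that the procedure took effect.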