SSL support for clients

Netezza Performance Server for Cloud Pak for Data and Netezza Performance Server for Cloud Pak for Data System support secure sockets layer (SSL) encryption and authentication for connections to the Netezza Performance Server system.

When you run the nzsql command from a client system, you can use the following two options to specify the security options for the connection. These options do not apply when you are logged in to the Netezza Performance Server system to run the command.
  • -securityLevel specifies the security level that you want to use for the session. The argument has four values:
    preferredUnSecured
    This argument is the default value. Specify this option when you would prefer an unsecured connection, but you accept a secured connection if the Netezza Performance Server system requires one.
    preferredSecured
    Specify this option when you want a secured connection to the Netezza Performance Server system, but you accept an unsecured connection if the Netezza Performance Server system is configured to use only unsecured connections.
    onlyUnSecured
    Specify this option when you want an unsecured connection to the Netezza Performance Server system. If the Netezza Performance Server system requires a secured connection, the connection is rejected.
    onlySecured
    Specify this option when you want a secured connection to the Netezza Performance Server system. If the Netezza Performance Server system accepts only unsecured connections, or if you are attempting to connect to a Netezza Performance Server system that is running a release before release 4.5, the connection is rejected.
    Table 1 describes some practices for selecting the -securityLevel setting based on the Netezza Performance Server system release and SSL configuration.
  • -caCertFile specifies the path name of the root certificate authority (CA) file. The CA file must be obtained from the Netezza Performance Server system administrator and installed on the client system. The CA file authenticates the server (the Netezza Performance Server host) to the client. The default value is NULL, which indicates that no peer authentication occurs.
When you run the nzsql command, you can specify these arguments on the command line or you can specify the information in environment variables before you begin your nzsql session. The environment variables follow:
  • export NZ_SECURITY_LEVEL=level
  • export NZ_CA_CERT_FILE=pathname
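
A preflight check for the two environment variables above, as an added example that is not part of the original documentation: it reports when the current settings allow an unsecured session or skip server authentication. The function name nz_tls_posture and its return codes are assumptions of this example, as is matching the level names exactly as they are spelled on this page.

```shell
# Added example: classify the nzsql client SSL settings found in the environment.
# nz_tls_posture and its return codes are hypothetical, not part of nzsql.
# Returns: 0 = encrypted and server authenticated, 1 = encrypted only,
#          2 = session may be or will be unsecured, 3 = invalid configuration.
nz_tls_posture() {
    # Defaults as described on this page: preferredUnSecured and no CA file.
    nz_level="${NZ_SECURITY_LEVEL:-preferredUnSecured}"
    nz_ca="${NZ_CA_CERT_FILE:-}"

    case "$nz_level" in
        onlySecured)
            ;;  # the only level that rejects an unsecured connection
        preferredSecured|preferredUnSecured)
            echo "WEAK: $nz_level accepts an unsecured session if the server offers one"
            return 2 ;;
        onlyUnSecured)
            echo "WEAK: $nz_level never uses a secured connection"
            return 2 ;;
        *)
            echo "INVALID: unknown security level '$nz_level'"
            return 3 ;;
    esac

    # With no CA file, no peer authentication occurs: the session is
    # encrypted but the server's identity is not verified.
    if [ -z "$nz_ca" ]; then
        echo "WEAK: onlySecured without NZ_CA_CERT_FILE, no peer authentication"
        return 1
    fi
    if [ ! -r "$nz_ca" ] || [ ! -s "$nz_ca" ]; then
        echo "INVALID: CA file '$nz_ca' is missing, unreadable or empty"
        return 3
    fi
    echo "OK: onlySecured with CA file $nz_ca"
    return 0
}
```

Call nz_tls_posture before starting nzsql and continue only when it returns 0.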

These SSL security arguments are also used with the nzsql \c switch when a user attempts to connect to a different Netezza Performance Server database. If you do not specify values for these fields, the Netezza Performance Server system uses the values that are specified for the existing connection.

The following table describes some practices for the -securityLevel setting when a release 4.5 client connects to Netezza Performance Server systems that are running 4.5 or later. Release 4.5 clients can also connect to Netezza Performance Server hosts that run releases before 4.5, but those Netezza Performance Server hosts do not have SSL support.
Table 1. Security settings and Netezza Performance Server host configurations

| Netezza Performance Server host release | Netezza Performance Server security configuration | Connections allowed | -securityLevel settings |
| --- | --- | --- | --- |
| Release 4.5 and later | host | Secured and Unsecured | All 4 settings accepted (onlyUnSecured, preferredUnSecured, onlySecured, preferredSecured) |
| Release 4.5 and later | hostssl | Secured only | onlySecured, preferredSecured; preferredUnSecured is accepted but results in a secured connection. |
| Release 4.5 and later | hostnossl | Unsecured Only | onlyUnSecured, preferredUnSecured; preferredSecured is accepted but results in an unsecured connection. |
| Releases before 4.5 | N/A | Unsecured Only | onlyUnSecured, preferredUnSecured; preferredSecured is accepted but results in an unsecured connection. |

For details about SSL communication from the Netezza Performance Server clients to the Netezza Performance Server system, see the IBM® Netezza® ODBC, JDBC, OLE DB, and .NET Installation and Configuration Guide. For a description of how to configure the Netezza Performance Server host for SSL support, see the IBM Netezza System Administrator’s Guide.