Configuring the SSL certificate

About this task

By default, the system and clients do not use peer authentication to verify each other's identity. If you want to authenticate connection peers, you must create, or obtain from a CA vendor, the server certificate and keys files and the CA root certificate for the client users. The Netezza Performance Server system has a default set of server certificate and keys files (server-cert.pem and server-keys.pem) in the /nz/data/security directory. Netezza Performance Server supports files that use the .pem format.

If you use your own CA certificate files, make sure that you save the server CA files in a location under the /nz directory. If you have an HA Netezza Performance Server system, save the certificates on the shared drive under /nz so that either host can access the files by using the same path name. You must also edit the /nz/data/postgresql.conf file to specify your server certificate files.

To edit the postgresql.conf file to add your own CA server certificate and keys files, complete the following steps:

Procedure

  1. Log in to the Netezza Performance Server system as the nz user.
  2. With any text editor, open the /nz/data/postgresql.conf file.
    Important: Use caution when you edit postgresql.conf. It contains important configuration parameters for the Netezza Performance Server system operation.
  3. Locate the following section in the file:
    #
    #       Connection Parameters
    #
    #tcpip_socket = false
    ssl = true
    
    # Uncomment the lines below and mention appropriate path for the
    # server certificate and key files. By default the files present
    # in the data directory will be used.
    
    #server_cert_file='/nz/data/security/server-cert.pem'
    #server_key_file='/nz/data/security/server-key.pem'
    
  4. Delete the number sign (#) character at the beginning of the server_cert_file and server_key_file parameters and specify the path name of your CA server certificate and keys files where they are saved on the Netezza Performance Server host.

    Client users must install a copy of the CA root certificate file on their client systems. The client users specify the location of the CA root certificate when they run commands such as nzsql, nzhw, and others.

    Important: Make sure that the keys file is not password protected; by default, it is not.
  5. Save and close the postgresql.conf file.

Results

Any changes that you make to the postgresql.conf file take effect the next time that the Netezza Performance Server system is stopped and restarted.
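
Before the restart, the edited file can be checked against the requirements in this procedure: both parameters uncommented, paths under /nz, files in .pem format, and a keys file that is not password protected. The following script is an added example, not IBM-supplied code; the function names check_ssl_conf and conf_value are hypothetical, and the optional second argument (the required root directory, default /nz) exists only so that the check can be tried on a copy of the file elsewhere.

```shell
#!/bin/sh
# Added example (not IBM code): check the certificate settings described above.
# Usage: check_ssl_conf /nz/data/postgresql.conf [ROOT]   (ROOT defaults to /nz)

# Print the value of the last uncommented "name = 'value'" line, if any.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
            -e 's/[[:space:]]*$//' -e "s/^'\(.*\)'\$/\1/"
}

check_ssl_conf() {
    conf=$1; root=${2:-/nz}; rc=0
    for name in server_cert_file server_key_file; do
        path=$(conf_value "$conf" "$name")
        if [ -z "$path" ]; then
            echo "FAIL $name: still commented out or not set"; rc=1; continue
        fi
        # The page requires the files to live under /nz.
        case $path in
            "$root"/*) ;;
            *) echo "FAIL $name: $path is not under $root"; rc=1 ;;
        esac
        if [ ! -r "$path" ]; then
            echo "FAIL $name: $path is missing or unreadable"; rc=1; continue
        fi
        # Only .pem files are supported; PEM data carries a BEGIN marker.
        if ! grep -q -e '-----BEGIN ' "$path"; then
            echo "FAIL $name: $path is not PEM encoded"; rc=1
        fi
        # A password-protected PEM key says ENCRYPTED in its BEGIN line
        # (PKCS#8) or in a "Proc-Type: 4,ENCRYPTED" header (legacy format).
        if [ "$name" = server_key_file ] && grep -q 'ENCRYPTED' "$path"; then
            echo "FAIL $name: $path is password protected"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: certificate settings pass the checks"
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate the restart in a maintenance script.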