Creating and enabling certificates

Deployment options: Netezza Performance Server for Cloud Pak for Data System

Learn how to create and enable certificates if you are on Netezza Performance Server 11.2.1.5, 11.2.2.0 and later, and using ECDHE-ECDSA ciphers.

ECDHE-ECDSA ciphers:
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256

Before you begin

  1. Verify whether enable_tls_v12 is on.
    show enable_tls_v12;
    Example:
    show enable_tls_v12;
    NOTICE:  ENABLE_TLS_V12 is on
    SHOW VARIABLE
  2. Ensure that the ECDHE-ECDSA ciphers are enabled in the postgresql.conf file.

    For more information, see Enabling and disabling ciphers.

Procedure

  1. Display the names of all EC curves (parameter sets) that are implemented.
    openssl ecparam -list_curves
  2. Create EC parameters and a private key.
    openssl ecparam -out server-key.pem -name prime256v1 -genkey
  3. Create a certificate.
    openssl req -new -key server-key.pem -x509 -nodes -days 365 -out server-cert.pem
  4. Change directories to /nz/kit/share/security.
    cd /nz/kit/share/security
  5. Copy the key and certificate to /nz/kit/share/security and run the following commands.
    1. mv server-cert-sp800-131a.pem.sample server-cert-sp800-131a.pem.sample.BKP
    2. mv server-key-sp800-131a.pem.sample server-key-sp800-131a.pem.sample.BKP
    3. mv <new_cert_name> server-cert-sp800-131a.pem.sample
    4. mv <new_key_name> server-key-sp800-131a.pem.sample
    Note:
    1. If you downloaded and enabled the ECDHE-ECDSA certificate with these steps but the ECDHE-ECDSA ciphers are disabled in the postgresql.conf file, the certificate does not work. Ensure that you enable the ciphers or download the RSA certificate.
      The following ciphers work with the default RSA certificate:
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_AES_256_GCM_SHA384
      • TLS_AES_128_GCM_SHA256
    2. If you disabled ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES128-GCM-SHA256, you must revert the certificates that you created (restore the .BKP copies from step 5). If you do not revert the certificates, the ciphers cannot be disabled.
  6. Restart the system.
    1. nzstop
    2. nzstart
  7. Verify that the changes were applied.
    1. Run the nzsql command.
      nzsql -u admin -pw password -securityLevel onlySecured
      Example:
      $  nzsql -u admin -pw password -securityLevel onlySecured
      Welcome to nzsql, the IBM Netezza SQL interactive terminal.
      
      Type:  \h for help with SQL commands
             \? for help on internal slash commands
             \g or terminate with semicolon to execute query
             \q to quit
      
      SSL enabled connection. Cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2
      
    2. Look for the following entries in postgres/pg.log.
      DEBUG: readHandshakeClientPacket ssl request=3
      DEBUG:  Attempting SSL_accept()
      DEBUG:  secure connection: protocol = TLSv1.2
      DEBUG:  SSL_accept succeeded with cipher = ECDHE-RSA-AES256-GCM-SHA384
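The following script is an added example, not part of the original procedure or the product: it runs the key and certificate steps non-interactively and then checks that the result is actually usable with the ECDHE-ECDSA ciphers before it is copied over server-cert-sp800-131a.pem.sample. File names and the certificate subject are assumptions; the check also rejects an RSA certificate or a key that does not match the certificate, which is the mismatch the Note above warns about.

```shell
#!/bin/sh
# Added example (not from the original page): generate the EC key and
# self-signed certificate as in steps 2-3, then verify they can serve
# ECDHE-ECDSA cipher suites. File names and subject are assumptions.
set -eu

# Steps 2-3 of the procedure. -noout keeps the EC PARAMETERS block out of
# the key file; -subj avoids the interactive prompts of "openssl req".
make_ec_cert() {
  key=$1 cert=$2 subj=${3:-/CN=nps-host.example}
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  openssl req -new -key "$key" -x509 -nodes -days 365 -subj "$subj" -out "$cert"
}

# Returns 0 only when key/cert can be used with ECDHE-ECDSA suites:
#  - the certificate's public key is EC (id-ecPublicKey) on prime256v1/P-256,
#  - the certificate is signed with ECDSA rather than RSA,
#  - the private key matches the certificate's public key.
# The default RSA certificate fails this check; with such a certificate
# installed, only the ECDHE-RSA and TLS 1.3 suites listed in the Note work.
check_ecdsa_cert() {
  key=$1 cert=$2
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 1
  printf '%s\n' "$text" | grep -Eq 'prime256v1|P-256' || return 1
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA' || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
}

# Stand-alone usage: create the pair in a scratch directory and check it.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  dir=$(mktemp -d)
  make_ec_cert "$dir/server-key.pem" "$dir/server-cert.pem"
  check_ecdsa_cert "$dir/server-key.pem" "$dir/server-cert.pem" \
    && echo "OK: $dir/server-cert.pem is an ECDSA certificate on P-256"
fi
```

After a successful check, the Cipher: line printed by nzsql should name an ECDHE-ECDSA suite rather than the ECDHE-RSA suite shown in the verification example above.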