SSL support for clients

The IBM® Netezza® system supports secure sockets layer (SSL) encryption and authentication for connections to the Netezza system.

When you run the nzsql command from a client system, you can use the following two options to specify the security options for the connection. These options do not apply when you are logged in to the Netezza system to run the command.
  • -securityLevel specifies the security level that you want to use for the session. The argument has four values:
    preferredUnSecured
    This argument is the default value. Specify this option when you would prefer an unsecured connection, but you accept a secured connection if the Netezza system requires one.
    preferredSecured
    Specify this option when you want a secured connection to the Netezza system, but you accept an unsecured connection if the Netezza system is configured to use only unsecured connections.
    onlyUnSecured
    Specify this option when you want an unsecured connection to the Netezza system. If the Netezza system requires a secured connection, the connection is rejected.
    onlySecured
    Specify this option when you want a secured connection to the Netezza system. If the Netezza system accepts only unsecured connections, or if you are attempting to connect to a Netezza system that is running a release before release 4.5, the connection is rejected.
    Table 1 describes some practices for selecting the -securityLevel setting based on the Netezza system release and SSL configuration.
  • -caCertFile specifies the path name of the root certificate authority (CA) file. The CA file must be obtained from the Netezza system administrator and installed on the client system. The CA file authenticates the server (the Netezza host) to the client. The default value is NULL, which indicates that no peer authentication occurs.
When you run the nzsql command, you can specify these arguments on the command line or you can specify the information in environment variables before you begin your nzsql session. The environment variables follow:
  • export NZ_SECURITY_LEVEL=level
  • export NZ_CA_CERT_FILE=pathname

These SSL security arguments are also used with the nzsql \c switch when a user attempts to connect to a different Netezza database. If you do not specify values for these fields, the Netezza system uses the values that are specified for the existing connection.

The following table describes some practices for the -securityLevel setting when a release 4.5 client connects to Netezza systems that are running 4.5 or later. Release 4.5 clients can also connect to Netezza hosts that run releases before 4.5, but those Netezza hosts do not have SSL support.
Table 1. Security settings and Netezza host configurations

| Netezza host release | Netezza security configuration | Connections allowed | -securityLevel settings |
|---|---|---|---|
| Release 4.5 and later | host | Secured and Unsecured | All 4 settings accepted (onlyUnSecured, preferredUnSecured, onlySecured, preferredSecured) |
| Release 4.5 and later | hostssl | Secured only | onlySecured, preferredSecured; preferredUnSecured is accepted but results in a secured connection. |
| Release 4.5 and later | hostnossl | Unsecured only | onlyUnSecured, preferredUnSecured; preferredSecured is accepted but results in an unsecured connection. |
| Releases before 4.5 | N/A | Unsecured only | onlyUnSecured, preferredUnSecured; preferredSecured is accepted but results in an unsecured connection. |
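The following shell functions are an added example, not part of the IBM documentation: nz_outcome encodes the Table 1 outcomes, and nz_audit checks NZ_SECURITY_LEVEL and NZ_CA_CERT_FILE for settings that permit an unsecured or unauthenticated session. The function names and the pre45 label are made up for this example, and the outcomes for the host configuration are inferred from the option descriptions.

```shell
#!/bin/sh
# Added example (not IBM code): audit nzsql SSL settings before connecting.

# nz_outcome LEVEL HOSTCFG prints secured, unsecured or rejected per Table 1.
# HOSTCFG is host, hostssl, hostnossl or pre45 (pre45 is this example's label
# for a release before 4.5). Outcomes for "host" are inferred from the option
# descriptions; Table 1 only says that all four settings are accepted.
nz_outcome() {
  case "$1" in
    onlySecured|preferredSecured|onlyUnSecured|preferredUnSecured) ;;
    *) echo invalid; return 2 ;;
  esac
  case "$2:$1" in
    hostssl:onlyUnSecured)                   echo rejected ;;
    hostssl:*)                               echo secured ;;
    hostnossl:onlySecured|pre45:onlySecured) echo rejected ;;
    hostnossl:*|pre45:*)                     echo unsecured ;;
    host:onlySecured|host:preferredSecured)  echo secured ;;
    host:*)                                  echo unsecured ;;
    *) echo invalid; return 2 ;;
  esac
}

# nz_audit prints one finding per line and returns 1 if the environment allows
# an unsecured session or skips authentication of the Netezza host.
nz_audit() {
  level=${NZ_SECURITY_LEVEL:-preferredUnSecured}   # documented default
  findings=0
  for cfg in host hostssl hostnossl pre45; do
    result=$(nz_outcome "$level" "$cfg") || {
      echo "invalid NZ_SECURITY_LEVEL: $level"; return 1; }
    if [ "$result" = unsecured ]; then
      echo "$level yields an unsecured session on a $cfg system"
      findings=$((findings + 1))
    fi
  done
  if [ -z "${NZ_CA_CERT_FILE:-}" ]; then
    echo "NZ_CA_CERT_FILE unset: the Netezza host is not authenticated"
    findings=$((findings + 1))
  elif [ ! -r "$NZ_CA_CERT_FILE" ]; then
    echo "NZ_CA_CERT_FILE not readable: $NZ_CA_CERT_FILE"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Report on the current environment.
nz_audit || echo "Review the findings above before starting nzsql."
```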

For details about SSL communication from the Netezza clients to the Netezza system, see the IBM Netezza ODBC, JDBC, OLE DB, and .NET Installation and Configuration Guide. For a description of how to configure the Netezza host for SSL support, see the IBM Netezza System Administrator’s Guide.