Configuring SSL Connection

DWS supports connections in SSL authentication mode so that data transmitted between the DWS client and the database is encrypted. An SSL connection delivers higher security than a plain (non-SSL) connection. By default, the SSL function is enabled in a cluster, which allows both SSL and non-SSL connections from the client. To ensure security, you are advised to use SSL connections. To force all clients to use SSL, enable Require SSL Connection for the cluster.

On the Security Settings page of the cluster, you can enable or disable Require SSL Connection.

NOTE:
  • After you have changed the security setting parameters and the changes take effect, the cluster may be restarted, which makes the cluster unavailable temporarily.
  • To modify the cluster's security configuration, ensure that the following conditions are met:
    • The Cluster Status is Available or Low performance.
    • The Task Information cannot be Creating snapshot, Scaling out, Configuring, or Restarting.

The following parts are included in this section:

Configuring SSL Connection

  1. Log in to the management console at https://console.otc.t-systems.com/dws/.
  2. In the navigation tree on the left, click Cluster Management.
  3. In the cluster list, click the name of a cluster. On the page that is displayed, click Security Settings.

    By default, Configuration Status is Synchronized, which indicates that the latest database result is displayed.

  4. In the SSL Connection area, click the Require SSL Connection switch to enable the function (recommended).

    Switch on: indicates that the server forcibly requires SSL connection.

    Switch off: indicates that the server does not forcibly require SSL connection. This function is disabled by default.

    Figure 1 SSL connection (toggle switch; image not reproduced here)
    NOTE:
    • If the gsql client or ODBC driver provided by DWS is used, DWS supports the TLSv1.2 SSL protocol.
    • If the JDBC driver provided by DWS is used, DWS supports SSL protocols, such as SSLv3, TLSv1, TLSv1.1, and TLSv1.2. The SSL protocol used between the client and the database depends on the Java Development Kit (JDK) version used by the client. Generally, JDK supports multiple SSL protocols.

  5. Click Apply.
  6. In the displayed Save Configuration dialog box, select or deselect Restart the cluster and click OK.

    • If you select Restart the cluster, the system saves the settings on the Security Settings page and restarts the cluster immediately. After the cluster is restarted, the security settings take effect immediately.
    • If you do not select Restart the cluster, the system only saves the settings on the Security Settings page. Later, you need to manually restart the cluster for the security settings to take effect.

    After the security settings are complete, Configuration Status can be one of the following on the Security Settings page:

    • Applying: The system is saving the settings.
    • Synchronized: The settings have been saved and taken effect.
    • Take effect after restart: The settings have been saved but have not taken effect. Restart the cluster for the settings to take effect.

Combinations of SSL Connection Parameters on the Client and Server

Whether the client uses the SSL encryption connection mode and whether to verify the server certificate depend on client parameter sslmode and server (cluster) parameters ssl and require_ssl. The parameters are described as follows:

  • ssl (Server)
    The ssl parameter indicates whether to enable the SSL function. on indicates that the function is enabled, and off indicates that the function is disabled.
    • For clusters of version 1.3.1 or later, the default value is on, and you cannot set this parameter on the DWS management console.
    • For clusters of a version earlier than 1.3.1, the default value is on (enabled). You can set this parameter in the SSL Connection area on the cluster's Security Settings page of the DWS management console.
  • require_ssl (Server)
    The require_ssl parameter specifies whether the server forcibly requires SSL connection. This parameter is valid only when ssl is set to on. on: The server forcibly requires SSL connection. off: The server does not require SSL connection.
    • For clusters of version 1.3.1 or later, the default value is off (disabled). You can set the require_ssl parameter in the Require SSL Connection area of the cluster's Security Settings page on the DWS management console.
    • For clusters of a version earlier than 1.3.1, the default value is off, and you cannot set this parameter on the DWS management console.
  • sslmode (Client)
    You can set this parameter in the SQL client tool.
    • In the gsql command line client, this parameter is the PGSSLMODE parameter.
    • On the Data Studio client, this parameter is the SSL Mode parameter.

The combinations of client parameter sslmode and server parameters ssl and require_ssl are as follows:

Table 1 Combinations of SSL connection parameters on the client and server

| ssl (Server) | sslmode (Client) | require_ssl (Server) | Result |
|--------------|------------------|----------------------|--------|
| on  | disable   | on  | The server requires SSL, but the client disables SSL for the connection. As a result, the connection cannot be set up. |
| on  | disable   | off | The connection is not encrypted. |
| on  | allow     | on  | The connection is encrypted. |
| on  | allow     | off | The connection is not encrypted. |
| on  | prefer    | on  | The connection is encrypted. |
| on  | prefer    | off | The connection is encrypted. |
| on  | require   | on  | The connection is encrypted. |
| on  | require   | off | The connection is encrypted. |
| on  | verify-ca | on  | The connection is encrypted and the server certificate is verified. |
| on  | verify-ca | off | The connection is encrypted and the server certificate is verified. |
| off | disable   | on  | The connection is not encrypted. |
| off | disable   | off | The connection is not encrypted. |
| off | allow     | on  | The connection is not encrypted. |
| off | allow     | off | The connection is not encrypted. |
| off | prefer    | on  | The connection is not encrypted. |
| off | prefer    | off | The connection is not encrypted. |
| off | require   | on  | The client requires SSL, but SSL is disabled on the server. Therefore, the connection cannot be set up. |
| off | require   | off | The client requires SSL, but SSL is disabled on the server. Therefore, the connection cannot be set up. |
| off | verify-ca | on  | The client requires SSL, but SSL is disabled on the server. Therefore, the connection cannot be set up. |
| off | verify-ca | off | The client requires SSL, but SSL is disabled on the server. Therefore, the connection cannot be set up. |
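The following Python model reproduces the negotiation behind Table 1 so that a cluster/client setting can be checked before rollout. It is an added example, not DWS code; the Outcome type and the weak_combinations helper are constructed here, and the comments describe standard sslmode semantics (allow tries plaintext first, prefer tries SSL first, require and verify-ca never fall back).

```python
# Added example: models how the client sslmode and the server ssl / require_ssl
# parameters from Table 1 combine. Not DWS code; Outcome is constructed here.
from dataclasses import dataclass

SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca")

@dataclass(frozen=True)
class Outcome:
    connected: bool       # could the session be established at all?
    encrypted: bool       # is traffic protected by SSL/TLS?
    cert_verified: bool   # did the client check the server certificate?

def negotiate(ssl: str, require_ssl: str, sslmode: str) -> Outcome:
    """Result for one combination. ssl/require_ssl are the cluster values
    ("on"/"off"); sslmode is the client PGSSLMODE / Data Studio SSL Mode."""
    if ssl not in ("on", "off") or require_ssl not in ("on", "off"):
        raise ValueError("server parameters must be 'on' or 'off'")
    if sslmode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")

    # require_ssl is only meaningful while ssl itself is on.
    server_forces_ssl = ssl == "on" and require_ssl == "on"

    if sslmode == "disable":
        # Plaintext only; refused when the server insists on SSL.
        return Outcome(not server_forces_ssl, False, False)
    if sslmode == "allow":
        # Tries plaintext first and upgrades to SSL only if the server refuses it.
        return Outcome(True, server_forces_ssl, False)
    if sslmode == "prefer":
        # Tries SSL first but silently falls back to plaintext when ssl is off.
        return Outcome(True, ssl == "on", False)
    # require / verify-ca: no plaintext fallback; only verify-ca checks the cert.
    if ssl == "off":
        return Outcome(False, False, False)
    return Outcome(True, True, sslmode == "verify-ca")

def weak_combinations():
    """Every combination that connects without encryption or without
    certificate verification, for auditing cluster and client settings."""
    weak = []
    for ssl in ("on", "off"):
        for require_ssl in ("on", "off"):
            for sslmode in SSL_MODES:
                o = negotiate(ssl, require_ssl, sslmode)
                if o.connected and not (o.encrypted and o.cert_verified):
                    weak.append((ssl, require_ssl, sslmode))
    return weak
```

Only the two verify-ca rows with ssl on leave weak_combinations() empty-handed; every other successful combination either sends plaintext or skips certificate verification, which is why Require SSL Connection on the cluster should be paired with verify-ca on the client.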