8.4 Configuring SSL for Vertica

You must configure mutual SSL in Vertica to secure the communication with Vertica.

To configure SSL in Vertica manually, perform the following:

For more information about configuring SSL in Vertica, see SSL Authentication section in Vertica Documentation.

8.4.1 Obtaining Vertica Client Certificates

You must obtain the certificates from search engine (Vertica client) and use them for enabling SSL between Vertica and scheduler as well as Vertica and search engine.

  1. To obtain the search engine pod, run the following command on the master node:

    kubectl get pods --all-namespaces | grep hercules-search-engine

    Example output:

    arcsight-installer-9tmsc hercules-search-engine-c97657f9999xpx 2/2 Running 0 17m

    NOTE:The search engine pod is reflected as hercules-search-engine-c97657f9999xpx in the example above.

  2. To obtain the search engine certificates, run the following command on the master node:

    kubectl cp <namespace>/<pod>:/vault-crt/RE <path to copy> -c <container>


    kubectl cp arcsight-installer-9tmsc/hercules-search-engine-c97657f99-99xpx:/vault-crt/RE /root -c hercules-search-engine

    NOTE:Three files will be generated: issue_ca.crt, vertica.crt, and vertica.key.

  3. Copy issue_ca.crt, vertica.crt, and vertica.key to <vertica-cluster-node-1>/root.

8.4.2 Generating Vertica Server Certificate

  1. Log in to Vertica cluster node 1 as a root.

  2. Get the CA certificate for Vertica:

    • If you have a well-known root CA, organization’s root CA, or generated a new CDF root CA, you can use the same CA.

    • If you do not have a CA, generate a new CA by executing the instructions in the Generating a New CA section.

  3. To generate a Vertica server certificate, run the following command and specify the necessary information that will be incorporated into your certificate request:

    openssl req -newkey rsa:2048 -new -nodes -keyout server.key -out server.csr

  4. After entering the requested information, run the following command:

    openssl x509 -req -in server.csr -days 3650 -sha1 -CAcreateserial -CA ca.crt -CAkey ca.key -out server.crt

  5. Verify the generated certificate:

    • openssl x509 -noout -purpose -in server.crt | grep "SSL server"

      Example output:

      SSL server : Yes

      SSL server CA : No

      Netscape SSL server : Yes

      Netscape SSL server CA : No

    • openssl x509 -noout -purpose -in ca.crt | grep "SSL server CA : Yes"

      Example output:

      SSL server CA : Yes (WARNING code=3)

      Netscape SSL server CA : Yes (WARNING code=3)

    • openssl verify -CAfile ca.crt server.crt

      Example output:

      server.crt: OK

  6. Copy server.key and server.crt to <vertica-installer-directory>/arcsight-vertica:

    cp server.key server.crt /opt/arcsight-vertica

8.4.3 Enabling SSL in Vertica

  1. Log in to Vertica cluster node 1 as root.

  2. Change to the root directory.

    cd /root

  3. Copy the files obtained from search engine and the Vertica server certificate to /tmp folder:

    cp vertica.crt vertica.key ca.crt issue_ca.crt /tmp

  4. Change to the directory where Vertica is installed:

    cd /opt/arcsight-vertica

  5. Enable SSL using the command:

    ./vertica_ssl_setup --enable-ssl --vertica-cert-path /opt/arcsight-vertica/server.crt --vertica-key-path /opt/arcsight-vertica/server.key --client-ca-path /tmp/issue_ca.crt

  6. Switch to dbadmin user:

  7. (Conditional) If the ~/.vsql folder exists already, you must delete the contents of the folder.

    rm -rf ~/.vsql/*

  8. (Conditional) If the ~/.vsql folder does not exist, create the folder:

    mkdir ~/.vsql

  9. Copy the following certificates to ~/.vsql folder:

    cp /tmp/vertica.crt ~/.vsql/client.crt

    cp /tmp/vertica.key ~/.vsql/client.key

    cp /tmp/ca.crt ~/.vsql/ca_root.crt

    chmod 600 ~/.vsql/client.key

  10. Verify the SSL configuration:

    • Verify whether the SSL cipher is displayed:

      vsql -m require

      Example output:

      SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2)

    • Verify whether ssl_state is Mutual:

      dbadmin=> select user, authentication_method, ssl_state from sessions where session_id = current_session();

      Example output:

      current_user | authentication_method | ssl_state
      dbadmin       | Password                | Mutual
      (1 row)

8.4.4 Establishing an SSL Communication with Identity Intelligence

For the SSL communication between Vertica and Identity Intelligence, you need to upload the Vertica CA certificate in the Analytics component. Identity Intelligence will use the Vertica CA certificate uploaded in the Analytics component.

To add Vertica certificate:

  1. Log in to the CDF management portal as an administrator.

  2. Click Deployment > Deployments.

  3. Click of arcsight-installer, then click Reconfigure.

  4. Click Analytics.

  5. Perform the following in the Vertica Configuration section:

    1. Enable Vertica connections will use SSL.

    2. Copy the content of Vertica Root CA certificate (ca.crt) and paste in Vertica certificate(s).

      Ensure that there are no additional entries, such as space or line breaks at the end of the certificate content.

  6. Click Save.

  7. Continue with Creating a Kafka Scheduler with SSL.

8.4.5 Creating a Kafka Scheduler with SSL

Applies only if you installed Identity Intelligence either in a new cluster or in an existing cluster that has Transformation Hub without Investigate. Does not apply if you used the ./install-single-node-post.sh installation script, which automatically performs this configuration.

You must create a Kafka scheduler for Vertica to receive data from Transformation Hub.

To create a kafka scheduler, perform the following:

  1. Log in to the Vertica cluster node 1 as root.

  2. Change to the directory where Vertica is installed:

    cd /opt/arcsight-vertica

  3. Set up Kafka scheduler:

    ./sched_ssl_setup --enable-ssl --sched-cert-path /tmp/vertica.crt --sched-key-path /tmp/vertica.key --vertica-ca-path /tmp/ca.crt --kafka-ca-path /tmp/issue_ca.crt

  4. Create the SSL Kafka scheduler:

    ./kafka_scheduler create <Transformation_Hub_Node_1_IP>:9093,<Transformation_Hub_Node_ 2_IP>:9093 <Transformation_Hub_Node_3_IP>:9093

  5. Verify Kafka scheduler creation and validate whether the port number is the Kafka SSL port number (default 9093):

    ./kafka_scheduler status

    Example output:

    SSL/TLS mode is enabled
    Scheduler Kafka Configuration:
         kafka cluster     |   topic    | partitions | enabled
     vlab052002.dom052000.lab:9093 | th-arcsight-avro |     1 | t
    (1 row)
    Active Scheduler Process:
              scheduler name
    (1 row)
  6. Check the event-copy progress and messages:

    ./kafka_scheduler events

    ./kafka_scheduler messages