IBM Support

Create and enable an SSL certificate for secure database connections on an IBM PureData System for Analytics

Technote (FAQ)


How do you create and enable an SSL certificate for secure database connections (nzsql, ODBC and JDBC) on an IBM PureData System for Analytics?


This technote describes how to create an SSL certificate and enable SSL for secure connections (nzsql, ODBC and JDBC) on an IBM PureData System for Analytics.
SSL/TLS protects the transport of information between a client (in this case, your web server) and a server (in this case, your database server) from tampering and eavesdropping by anyone on the network in between (including anyone able to get onto those two machines). To assess whether SSL is useful, assume that the attacker is in a position to perform the attack SSL is designed to protect you against. That is, the attacker would need to be in a position to sniff packets on the network or on either machine.

1. Create the certificate authority (CA): steps for the TLS 1.2 protocol (creating SHA256 keys)
openssl genrsa -out CAKey.pem 2048
openssl req -new -x509 -days 365 -key CAKey.pem -sha512 -out cacert.pem

2. Create the server certificate: run the commands below and follow the prompts.
openssl genrsa -aes256 -out svr-key.pem 2048
openssl rsa -in svr-key.pem -out server-key.pem   # passwordless server key
openssl req -new -key server-key.pem -out server.csr
openssl x509 -req -days 365 -in server.csr -CA cacert.pem -CAkey CAKey.pem -set_serial 00001 -sha512 -out server-cert.pem

3. Verification Steps:
openssl x509 -in cacert.pem -text -noout
openssl x509 -in server-cert.pem -text -noout

4. After the certificate has been created successfully, copy the server-cert.pem and server-key.pem files to /nz/kit/share/security and follow the steps below:
cd /nz/kit/share/security

1. Take a backup of the sample files, then move the new certificate and key into their place:
mv server-cert-sp800-131a.pem.sample server-cert-sp800-131a.pem.sample.BKP
mv server-key-sp800-131a.pem.sample server-key-sp800-131a.pem.sample.BKP
mv server-cert.pem server-cert-sp800-131a.pem.sample
mv server-key.pem server-key-sp800-131a.pem.sample

5. Restart Database:

6. Verification Steps:
1. cd /nz/data/security
openssl x509 -in server-cert.pem -text -noout

2. nzsql: After starting nzsql, if you see "SSL enabled connection. Cipher: AES256-SHA, bits: 256", SSL is being used correctly.

[nz@netezza01 ~]$ nzsql
Welcome to nzsql, the IBM Netezza SQL interactive terminal.
Type: \h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
SSL enabled connection. Cipher: AES256-SHA, bits: 256

3. Check pg.log for the following entries, which mean that SSL communication is being used correctly.

DEBUG: Attempting SSL_accept()
DEBUG: SSL_accept succeeded

4. On Windows, set up the connection with the "SSL Mode" option set to "Require".
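
Added example, not part of the IBM technote: the openssl x509 -text commands in steps 3 and 6 only display a certificate, so this script checks the files from steps 1 and 2 before they are copied in step 4 (chain to the CA, passphrase-free key, key/certificate match, signature digest, expiry). The function name check_server_pair and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code). File names follow steps 1 and 2 of the
# technote; check_server_pair is a hypothetical helper name.
# Usage: check_server_pair CA_CERT SERVER_CERT SERVER_KEY
# Prints one line per failed check and returns 0 only if all checks pass.
check_server_pair() {
    ca=$1; cert=$2; key=$3; rc=0

    # 1. The server certificate must chain to the CA and be within its
    #    validity period (openssl verify checks both).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. The key must load without a passphrase; an empty -passin makes an
    #    encrypted key fail instead of prompting.
    if ! openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
        echo "FAIL: $key is unreadable or still passphrase-protected"; rc=1
    else
        # 3. The key must belong to the certificate: compare public keys.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $cert"; rc=1
        fi
    fi

    # 4. Reject certificates signed with a SHA-1 or MD5 digest.
    sig=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
          grep 'Signature Algorithm' | head -n 1)
    case $sig in
        *sha1*|*SHA1*|*md5*|*MD5*|'')
            echo "FAIL: weak or unreadable signature algorithm"; rc=1 ;;
    esac

    # 5. Warn (without failing) when the certificate expires within 30 days.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: $cert expires within 30 days"
    fi
    return "$rc"
}

# Run the checks when the three file names are given on the command line.
if [ "$#" -eq 3 ]; then
    check_server_pair "$@"
fi
```

Run it as: sh check.sh cacert.pem server-cert.pem server-key.pem (check.sh is whatever name the script is saved under); a non-zero exit status means at least one check failed.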

Document information

More support for: PureData System for Analytics
IBM Netezza Analytics

Software version: 1.0.0

Operating system(s): Platform Independent

Reference #: New

Modified date: 29 November 2016