forked from docs/doc-exports
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: luhuayi <luhuayi@huawei.com> Co-committed-by: luhuayi <luhuayi@huawei.com>
66 lines
13 KiB
HTML
<a name="EN-US_TOPIC_0000001860198653"></a><a name="EN-US_TOPIC_0000001860198653"></a>
<h1 class="topictitle1">Configuring SSL Connection</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001584150033_en-us_topic_0000001510164849_en-us_topic_0185264675_p1174011206154">Data Studio can connect to the database over Secure Sockets Layer (SSL). To use the SSL connection mode, you must configure the related parameters on the client or in the application code. The GaussDB(DWS) management console provides the SSL certificate package required by the client. The package contains the default certificate, private key, root certificate, and private key password encryption file required by the client.</p>
<div class="section" id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_section9914102616204"><h4 class="sectiontitle">Server Configuration</h4><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_p695305681112">After a cluster is deployed, GaussDB(DWS) enables the SSL authentication mode by default. The server certificate, private key, and root certificate have been configured.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001860198653__section14841501497"><h4 class="sectiontitle">SSL Certificate and Client Configuration</h4><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_p1366818145418">You need to configure the client.</p>
<ol id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_ol1827634419214"><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_li129241946103115"><span>You can download an SSL certificate from GaussDB(DWS).</span><p><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_p1063804811313">Log in to the GaussDB(DWS) management console. In the navigation pane, choose <span class="uicontrol" id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001533190636_en-us_topic_0000001523826708_en-us_topic_0000001514019285_uicontrol85392169713"><b>Connections</b></span>. In the <span class="parmname" id="EN-US_TOPIC_0000001860198653__parmname028771917294"><b>Driver</b></span> area, click <span class="uicontrol" id="EN-US_TOPIC_0000001860198653__uicontrol12288141913297"><b>download an SSL certificate</b></span>.</p>
</p></li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_li1180291411225"><span>Decompress the downloaded <strong id="EN-US_TOPIC_0000001860198653__b0162028132915">dws_ssl_cert.zip</strong> package to obtain the certificate file. Click the <strong id="EN-US_TOPIC_0000001860198653__b17391634182911">SSL</strong> tab on the Data Studio client and set the following parameters:</span><p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_tc6a4177683ae43a5a21e02a558b115d1" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Configuring SSL parameters</caption><thead align="left"><tr id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_re85a10ea61f04c57a14374ca5c7d6050"><th align="left" class="cellrowborder" valign="top" width="19.38%" id="mcps1.3.3.3.2.2.1.2.3.1.1"><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_a033d348bbfd54eb4bbc8cfdcbe364f7c">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="80.62%" id="mcps1.3.3.3.2.2.1.2.3.1.2"><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0107187019_p19137554319">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_ra35932b78ca140b7a5439c9f7e3107ad"><td class="cellrowborder" valign="top" width="19.38%" headers="mcps1.3.3.3.2.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_a9ad6035d6045458ebf34506c32399247">Client SSL Certificate</p>
</td>
<td class="cellrowborder" valign="top" width="80.62%" headers="mcps1.3.3.3.2.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_a8107c62bfd1d4ecfacf90307da3294d9">Select the <span class="filepath" id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_fea612bd9aaa44bd29b4bbc294e86e824"><b>sslcert\client.crt</b></span> file in the decompressed SSL certificate directory.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_r4a637f73e2164fa1bb65347c59e962cf"><td class="cellrowborder" valign="top" width="19.38%" headers="mcps1.3.3.3.2.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0107187019_p121516558317">Client SSL Key</p>
</td>
<td class="cellrowborder" valign="top" width="80.62%" headers="mcps1.3.3.3.2.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_a5a76dbcc4fa74168be4ddd10f99571c7">Only the PK8 format is supported. Select the <span class="filepath" id="EN-US_TOPIC_0000001860198653__filepath324716443019"><b>sslcert\client.key.pk8</b></span> file in the directory where the SSL certificate is decompressed.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_re654cf33e6fd4162a322d30a10112453"><td class="cellrowborder" valign="top" width="19.38%" headers="mcps1.3.3.3.2.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0107187019_p91575583118">Root Certificate</p>
</td>
<td class="cellrowborder" valign="top" width="80.62%" headers="mcps1.3.3.3.2.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_ace66c1ada5ef40aba396d828d1cb5546">When <span class="parmname" id="EN-US_TOPIC_0000001860198653__parmname98748209304"><b>SSL Mode</b></span> is set to <span class="parmvalue" id="EN-US_TOPIC_0000001860198653__parmvalue587472010302"><b>verify-ca</b></span> or <span class="parmvalue" id="EN-US_TOPIC_0000001860198653__parmvalue1187472023018"><b>verify-full</b></span>, the root certificate must be configured. Select the <span class="filepath" id="EN-US_TOPIC_0000001860198653__filepath118741120173019"><b>sslcert\cacert.pem</b></span> file in the decompressed SSL certificate directory.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_rc13e8815e6954b508b90480dd8dfc491"><td class="cellrowborder" valign="top" width="19.38%" headers="mcps1.3.3.3.2.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0107187019_p516125517315">SSL Password</p>
</td>
<td class="cellrowborder" valign="top" width="80.62%" headers="mcps1.3.3.3.2.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0107187019_p21655516313">Set the password for the client SSL key in PK8 format.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_r422d1cb572a34d88ae84caa91c68f153"><td class="cellrowborder" valign="top" width="19.38%" headers="mcps1.3.3.3.2.2.1.2.3.1.1 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0107187019_p616115515312">SSL Mode</p>
</td>
<td class="cellrowborder" valign="top" width="80.62%" headers="mcps1.3.3.3.2.2.1.2.3.1.2 "><p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_aae9d413250a648b4b7f97d2aca66b196">GaussDB(DWS) supports the following SSL modes:</p>
<ul id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_uef8cf175c60947de9f9cccfa40627114"><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_led5000cbf972424193937b27da18335c"><strong id="EN-US_TOPIC_0000001860198653__b471010427309">require</strong>: SSL is used, but the SSL factory performs no verification and does not check whether the certificate is valid.</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_lc88d3ca75992452cb37cfad2d3706233"><strong id="EN-US_TOPIC_0000001860198653__b105111112312">verify-ca</strong>: The corresponding SSL factory verifies the certificate authority (CA).</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_li364454519273"><strong id="EN-US_TOPIC_0000001860198653__b44127218981222">verify-full</strong>: The corresponding SSL factory verifies both the CA and the database.</li></ul>
<p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_a294fdd7a18c04b48a350671d148ab611">GaussDB(DWS) does not support the <strong id="EN-US_TOPIC_0000001860198653__b158394606081222">verify-full</strong> mode.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_note156817411317"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_ul1268111443113"><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li66804413113">You can select a valid <strong id="EN-US_TOPIC_0000001860198653__b910920103216">Client SSL Certificate</strong> and <strong id="EN-US_TOPIC_0000001860198653__b15112303320">Client SSL Key</strong> to export DDL and data from Data Studio over secure connections.</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li36816453115">If the selected <strong id="EN-US_TOPIC_0000001860198653__b171511542326">Client SSL Certificate</strong> and <strong id="EN-US_TOPIC_0000001860198653__b1015185463213">Client SSL Key</strong> are invalid, the export will fail. For details, see <a href="DWS_DS_039.html">Troubleshooting</a>.</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li812317223710">If you deselect <strong id="EN-US_TOPIC_0000001860198653__b177891173333">Enable SSL</strong> and proceed, the <strong id="EN-US_TOPIC_0000001860198653__b16789161733311">Connection Security Alert</strong> dialog box is displayed. Refer to <a href="DWS_DS_005.html#EN-US_TOPIC_0000001813438860__table1510418570339">Table 1</a> to determine whether to display this dialog box.<ul id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_ul201301215378"><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li51321828375"><strong id="EN-US_TOPIC_0000001860198653__b4252174419337">Continue</strong>: Continues with an insecure connection.</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li3136152133711"><strong id="EN-US_TOPIC_0000001860198653__b12440583181222">Cancel</strong>: Enables SSL.</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li1514015293713"><strong id="EN-US_TOPIC_0000001860198653__b132781854203314">Do not show again</strong>: If you select this option, the <strong id="EN-US_TOPIC_0000001860198653__b127885410339">Connection Security Alert</strong> dialog box is not displayed for subsequent connections of logged-in Data Studio instances.</li></ul>
</li><li id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_en-us_topic_0185264624_li1743992617411">Data Studio prompts you to enter the client key upon the first access to the <strong id="EN-US_TOPIC_0000001860198653__b1016104572413">gs_dump</strong> feature.</li></ul>
</div></div>
<div class="fignone" id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_fig7683711879"><span class="figcap"><b>Figure 1 </b>SSL parameters</span><br><span><img id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_i232821e5252d4ed9b71faf166456bbba" src="figure/en-us_image_0000001860199137.png" width="465.5" height="232.044967" title="Click to enlarge" class="imgResize"></span></div>
<p id="EN-US_TOPIC_0000001860198653__en-us_topic_0000001510164849_en-us_topic_0000001290232596_p3338151808"></p>
</p></li></ol>
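<p>Because an invalid client certificate or key makes the export fail, the three files from Table 1 can be checked before they are selected on the SSL tab. The shell function below is an added example, not part of the GaussDB(DWS) documentation or of Data Studio. It assumes the <code>openssl</code> command is installed and that <code>client.key.pk8</code> is DER-encoded, password-encrypted PKCS#8; <code>check_dws_ssl_bundle</code> and <code>PK8_PASS</code> are hypothetical names.</p>

```shell
#!/bin/sh
# Added example: pre-flight check of the decompressed dws_ssl_cert.zip files
# before selecting them on the Data Studio SSL tab. File names come from
# Table 1; check_dws_ssl_bundle and PK8_PASS are hypothetical names.
# Assumes openssl is installed and client.key.pk8 is DER, encrypted PKCS#8.
#
# Usage: set PK8_PASS to the value you will enter as "SSL Password", then
#   check_dws_ssl_bundle /path/to/sslcert
# Returns 0 if usable, 2 missing file, 3 unreadable root certificate,
# 4 unreadable or expired client certificate, 5 key not decryptable with
# the password, 6 key does not belong to the certificate.
check_dws_ssl_bundle() {
    dir=$1
    crt=$dir/client.crt
    key=$dir/client.key.pk8
    ca=$dir/cacert.pem

    for f in "$crt" "$key" "$ca"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # Root Certificate (required for verify-ca): must parse as X.509.
    openssl x509 -in "$ca" -noout 2>/dev/null ||
        { echo "cacert.pem is not a readable certificate" >&2; return 3; }

    # Client SSL Certificate: must parse and must not be expired right now.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "client.crt is unreadable or expired" >&2; return 4; }

    # Client SSL Key + SSL Password: decrypt inside a pipe (nothing is
    # written to disk) and derive the public key. The password is passed
    # through the environment rather than on the command line.
    key_pub=$(PK8_PASS="${PK8_PASS:-}" openssl pkcs8 -inform DER -in "$key" \
                  -passin env:PK8_PASS 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) && [ -n "$key_pub" ] ||
        { echo "client.key.pk8 cannot be decrypted with PK8_PASS" >&2; return 5; }

    # The key must belong to the certificate, or client authentication fails.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "client.key.pk8 does not match client.crt" >&2; return 6; }

    echo "bundle OK: $dir"
}
```

<p>The check covers file integrity only; whether the server certificate is verified at connection time still depends on the <b>SSL Mode</b> selected in Table 1.</p>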
</div>
</div>