Upload TLS Certificate
Transport Layer Security (TLS) is a cryptographic protocol that uses digital certificate chains to enable secure communication between client and server. A certificate chain consists of multiple, related certificates that are linked together using digital signatures. Each certificate in the chain is digitally signed by the previous certificate in the chain. The certificate chain can contain any number of intermediate certificates between the root and end user certificates. The root certificate in the chain can be self-signed or issued by a trusted Certificate Authority (CA).
TLS certificates are used to encrypt communication between the local client and EXAoperation and between database clients and the database. If you have a self-signed or Certificate Authority (CA)-signed TLS certificate, you can upload it through EXAoperation or XML-RPC. You need to upload the complete certificate chain, not just the end-user certificate.
This section explains how to create and upload a TLS certificate chain in EXAoperation.
You need to upload the complete TLS certificate chain in EXAoperation.
You can only have one TLS certificate active at a time. Uploading a new certificate overwrites a previous TLS certificate. It is not possible to delete a certificate without replacing it.
If you are unsure about how to generate or use TLS certificates, contact your system administrator.
Prerequisites
- A self-signed or CA-signed TLS certificate using either RSA or ECC encryption algorithms:
- If you are using RSA with Exasol 6.2, the maximum key length is 2048 bits.
- If you are using a CA-signed certificate, correct host names are required in it.
-
Root and intermediate certificates that are part of the certificate chain
- Private key file for the server certificate
The private key must not be encrypted with a password.
Click here for an example on how to generate a self-signed TLS certificate and private key:
root@<server>:~# mkdir /opt/cert
root@<server>:~# cd /opt/cert/
root@<server>:/opt/cert# openssl req -new -newkey rsa:2048 -x509 -sha256 -days 365 -nodes -out Certificate.crt -keyout Key.key
Generating a 2048 bit RSA private key
-----
writing new private key to 'Key.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
root@hw2642:/opt/cert# ll
total 8
drwxr-xr-x 1 root root 4096 Aug 22 15:04 ./
drwxr-xr-x 1 root root 4096 Aug 22 15:04 ../
-rw-r--r-- 1 root root 1923 Aug 22 15:04 Certificate.crt
-rw------- 1 root root 3272 Aug 22 15:04 Key.key
Create Certificate Chain
A certificate chain is simply a text file containing all the certificates. However, the ordering of the certificates is important. Certificate chains begin with the server certificate and end with the highest-level CA certificate.
In the following example there are just two certificates, so the server certificate can simply be copied to the certificate chain file and the CA certificate can be appended afterwards.
Now, cert_chain.pem contains the full certificate chain (i.e. two certificates), so it can be uploaded to Exasol along with the server certificate's private key.
Upload Certificate Chain
In EXAoperation
- Log in to EXAoperation as an admin.
- Click the TLS Certificate tab under Configuration > Access Management.
- Upload the certificate chain file and the private key file.
- Click Upload Key button.
- Go to Services > EXAoperation and click the Restart button to restart EXAoperation. Restarting EXAoperation does not impact the database's availability.
After restarting, EXAoperation uses an encrypted TLS connection.
If you upload a TLS certificate, the database
Through XML-RPC
- Run the following commands to import the XML-RPC packages:
- Run the following command to create a connection with your Exasol cluster:
- Run the following command to upload a TLS certificate chain and private key. Replace the absolute paths and file names with your own.
- Restart EXAoperation. Restarting EXAoperation does not impact the database's availability.
import ssl
server = ServerProxy ('https://user:password@<IP_Address>/cluster1', context=ssl._create_unverified_context (), allow_none = True)
cert = open('/absolute/path/to/cert_chain.pem', 'r').read()
key = open('/absolute/path/to/key.pem', 'r').read()
server.uploadTlsFiles(cert,key)
After restarting, EXAoperation uses an encrypted TLS connection.
If you upload a TLS certificate, the database
Enable TLS Certificate
Support for TLS Certificates on the database was added in version 6.2.4.
All Exasol 7.1 drivers use TLS as the default cryptographic protocol for all connections. By default, each Exasol database uses a self-signed certificate for TLS encryption. If your database uses the default certificate or another self-signed certificate, you may need to update your connection strings to connect to the database. For more details, see Exasol 7.1 Connection Security Changes.
To use the same TLS certificate that you uploaded to EXAoperation for communication between database clients and the database, do the following:
- For versions
Restarting the database requires a short downtime.
