verify TLS certificate?

drumcircle
Rising Star

Is there a straightforward way for end-users to verify an Exasol server certificate over 8563?

Using a web browser, we can validate ExaSolution on 443 easily.

Is a certificate uploaded to Exasolution also propagated to the nodes for ODBC/JDBC connections?

1 ACCEPTED SOLUTION

Charlie
Xpert

forgot to mention:

if you just want to verify the certificate without really connecting to the database:

    echo -n | openssl s_client -connect <ip addr of one exasol node>:8563

The end of the command output should look like this:

    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1633614216
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
    ---
    DONE

This only works if the CA of the certificate you use is in the certificate store that openssl uses.


4 REPLIES 4

drumcircle
Rising Star

FYI, I'm using a DigiCert star (domain-level) certificate.

Charlie
Xpert

If you enable TLS for the database, the very same certificate you use for EXAOperation will be used for the database, and if the database driver is 7.1, the certificate will be automatically checked.

 

Be sure that the certificate contains all IP addresses/hostnames of your Exasol cluster.

If the certificate is not valid (or the CA of the certificate is not in the client's certificate store), you won't be able to connect to the database (TLS connection fails).
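An added example, not part of the thread and not Exasol tooling: the `openssl s_client` check from the accepted solution, extended with `-verify_ip`/`-verify_hostname` (plain `s_client` validates the chain but does not compare the certificate against the address you typed) and with `-CAfile` for a CA outside the default store. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: tail of s_client output when the issuing CA is not trusted.
SAMPLE_UNTRUSTED='    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Print the number from the last "Verify return code" line on stdin.
# s_client may print the session block more than once, so the last one wins.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Map an OpenSSL verify code to the cause a database client would run into.
explain_code() {
    case "$1" in
        0)     echo "ok: chain and name verified" ;;
        10)    echo "fail: certificate has expired" ;;
        18|19) echo "fail: self-signed certificate, CA not trusted" ;;
        20|21) echo "fail: issuing CA missing from the trust store or chain" ;;
        62|64) echo "fail: certificate does not list this hostname/IP" ;;
        "")    echo "fail: no TLS handshake result in output" ;;
        *)     echo "fail: verify code $1" ;;
    esac
}

# check_node TARGET [PORT] [CAFILE]
# TARGET is the name or IPv4 address clients put in their connection string.
check_node() {
    target=$1; port=${2:-8563}; cafile=${3:-}
    # IPv4 addresses are matched against IP SANs, names against DNS SANs.
    case "$target" in
        *[!0-9.]*) set -- -verify_hostname "$target" ;;
        *)         set -- -verify_ip "$target" ;;
    esac
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; fi
    out=$(openssl s_client -connect "$target:$port" "$@" </dev/null 2>/dev/null)
    result=$(explain_code "$(printf '%s\n' "$out" | verify_code)")
    echo "$target:$port $result"
    case "$result" in ok:*) return 0 ;; *) return 1 ;; esac
}

# Offline demonstration on the constructed sample above.
explain_code "$(printf '%s\n' "$SAMPLE_UNTRUSTED" | verify_code)"
```

Run `check_node` once per node address that clients actually use; a wildcard certificate that verifies by hostname will still report a mismatch when the same node is checked by IP unless that IP is listed in the certificate.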

 

drumcircle
Rising Star

Excellent, thank you!