When the client makes a connection request, the server presents its certificate for the client to accept or deny. The client checks the issuer of the certificate against a list of trusted Certificate Authorities (CAs) whose root certificates reside in one or both of the following stores on the client:
  • On Windows operating systems: A permanent storage known as Windows certificate store. To learn how to import the required root certificates into the Windows certificate store, see "Importing root certificates into the Windows certificate store."
  • On both Windows and non-Windows operating systems: An encrypted file known as truststore file. Most truststore files are password-protected. The driver must be able to locate the truststore file and unlock it with the appropriate password. Two connection options are available to the driver to provide this information: Trust Store (Truststore) and Trust Store Password (TruststorePassword).

If the server certificate matches a root certificate in either of the stores, an encrypted connection is established between the client and the server. If the certificate does not match, the connection fails and the client generates an error.

Alternatively, you can configure the driver to trust any certificate sent by the server, even if the issuer is not a trusted CA. Allowing a driver to trust any certificate sent from the server is useful in test environments because it eliminates the need to specify truststore information on each client in the test environment. Setting the Validate Server Certificate (ValidateServerCertificate) connection option to false allows the driver to accept any certificate returned from the server regardless of whether the issuer of the certificate is a trusted CA.

To configure the driver to use data encryption via TLS/SSL server authentication:
  • Set the Host Name (HostName) option to specify the name or the IP address of the server to which you want to connect.
  • Set the Port Number (PortNumber) option to specify the port number of the server listener. The default is 5432.
  • Set the Database Name (Database) option to specify the name of the database to which you want to connect.
  • Set the Encryption Method (EncryptionMethod) option to 1.
  • Set the Validate Server Certificate (ValidateServerCertificate) option to determine whether the driver validates the certificates sent by the server. When it is set to 1, the driver validates the certificates. When it is set to 0, the driver does not validate the certificates.
  • Set the Host Name In Certificate (HostNameInCertificate) option to specify the host name that is specified in the Subject of the certificate. This option provides additional security against man-in-the-middle (MITM) attacks by ensuring that the server the driver is connecting to is the server that was requested. Consult your SSL administrator for the correct value.
  • Set the Trust Store (Truststore) option to specify either the absolute path of the truststore file or the contents of the TLS/SSL certificates.
    Note: To allow the client to use TLS/SSL server authentication without storing the truststore file on the disk, you can specify the contents of the root certificates using the Trust Store connection option. Alternatively, you can use the pre-connection attribute, SQL_COPT_INMEMORY_TRUSTSTORECERT, to specify the certificate content. For more information, see "Trust Store" and "Using SQL_COPT_INMEMORY_TRUSTSTORECERT".
  • Set the Truststore Password (TruststorePassword) option to specify the password that is used to access the truststore file.
  • Optionally, set the Enable FIPS (EnableFIPS) connection option to 1 to allow the driver to load the FIPS provider. The FIPS provider contains a set of approved cryptographic algorithms that conform to the Federal Information Processing Standards (FIPS) specified in FIPS 140-2. If you do not specify a value for Enable FIPS, the driver uses its default value (0) and loads the default provider.
    Note:
    • The FIPS provider is supported only on the following platforms: Windows 64-bit, Linux 64-bit, and AIX 64-bit.
    • Do not set the Truststore Password connection option when using the FIPS provider. The truststore password uses the PKCS12KDF algorithm, which is not an approved FIPS algorithm. Hence, it must not be specified when using the FIPS provider.
    • For using the FIPS and default providers, the certificates must be generated using the OpenSSL 3.5-compliant cryptographic algorithms. See "Generating TLS/SSL certificates using OpenSSL 3.5-compliant algorithms" for more information.

The following examples show how to configure the driver to establish a connection using user ID/password authentication and encrypt data using TLS/SSL server authentication. In these examples, since ValidateServerCertificate=1 and EnableFIPS=1, the driver validates the certificate sent by the server and the host name specified by the HostNameInCertificate option, and loads the FIPS provider for data encryption.

Connection string

Truststore:

DRIVER=DataDirect 8.0 Greenplum Wire Protocol;HostName=YourServer;PortNumber=5432;
Database=MyDB;EncryptionMethod=1;ValidateServerCertificate=1;
HostNameInCertificate=MySubjectAltName;Truststore=TrustStoreName;EnableFIPS=1
Note: On Windows, the driver validates the server certificate against the root certificates available in both truststore and Windows certificate store. If a matching certificate is found in either of the stores, the connection is established.

Windows certificate store:

DRIVER=DataDirect 8.0 Greenplum Wire Protocol;HostName=YourServer;PortNumber=5432;
Database=MyDB;EncryptionMethod=1;ValidateServerCertificate=1;
HostNameInCertificate=MySubjectAltName;EnableFIPS=1
Note: The LogonID and Password options are not required to be stored in the connection string. They can also be sent separately by the application using the SQLConnect ODBC API. For SQLDriverConnect and SQLBrowseConnect, they will need to be specified in the connection string.

odbc.ini

Truststore:

Driver=ODBCHOME/lib/ivgplmxx.so
Description=DataDirect Greenplum Wire Protocol
...
Database=MyDB
...
EnableFIPS=1
...
EncryptionMethod=1
...
HostName=YourServer
...
HostNameInCertificate=MySubjectAltName
...
PortNumber=5432
...
Truststore=TrustStoreName 
...
ValidateServerCertificate=1
...
Note: On Windows, the driver validates the server certificate against the root certificates available in both truststore and Windows certificate store. If a matching certificate is found in either of the stores, the connection is established.

Windows certificate store:

Driver=ODBCHOME/lib/ivgplmxx.so
Description=DataDirect Greenplum Wire Protocol driver
...
Database=MyDB
...
EnableFIPS=1
...
EncryptionMethod=1
...
HostName=YourServer
...
HostNameInCertificate=MySubjectAltName
...
PortNumber=5432
...
ValidateServerCertificate=1
...
Note: The LogonID and Password options are not required to be stored in the data source. They can also be sent separately by the application using the SQLConnect ODBC API. For SQLDriverConnect and SQLBrowseConnect, they will need to be specified in the data source or connection string.