Configuring SSL Verification

If you are connecting to an Impala server that has Secure Sockets Layer (SSL) enabled, you can configure the connector to connect to an SSL-enabled socket. When using SSL to connect to a server, the connector can be configured to verify the identity of the server.

The following instructions describe how to configure SSL in a DSN. You can specify the connection settings described below in a DSN, in a connection string, or as connector-wide settings. Settings in the connection string take precedence over settings in the DSN, and settings in the DSN take precedence over connector-wide settings.

Important:

If Check Certificate Revocation is enabled, make sure that the connector has access to the CRL/OCSP server. When using a proxy between the connector and the CRL/OCSP server, make sure that the proxy is properly configured.

If the proxy uses LDAP authentication, save the proxy credential to the Windows system. This is because the connector does not display a credential dialog when checking the revocation. Therefore, if the credential is not saved, the connector does not check revocation and returns an SSL error.

To configure SSL verification:

  1. To access SSL options, open the ODBC Data Source Administrator where you created the DSN, select the DSN, click Configure, and then click SSL Options.
  2. Select the Enable SSL check box.
  3. To allow authentication using self-signed certificates that have not been added to the list of trusted certificates, select the Allow Self-signed Server Certificate check box.
  4. To allow a connection even when the common name of a CA-issued SSL certificate does not match the host name of the Impala server, select the Allow Common Name Host Name Mismatch check box.
  5. To specify the CA certificates that you want to use to verify the server, do one of the following:
    • To verify the server using the trusted CA certificates from a specific .pem file, specify the full path to the file in the Trusted Certificates field and clear the Use System Trust Store check box.
    • Or, to use the trusted CA certificates .pem file that is installed with the connector, leave the Trusted Certificates field empty, and clear the Use System Trust Store check box.
    • Or, to use the Windows trust store, select the Use System Trust Store check box.
      Important:
      • If you are using the Windows trust store, make sure to import the trusted CA certificates into the trust store.
      • If the trusted CA supports certificate revocation, select the Check Certificate Revocation check box.
  6. From the Minimum TLS Version drop-down list, select the minimum version of TLS to use when connecting to your data store.
  7. To save your settings and close the SSL Options dialog box, click OK.
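
Because connection-string settings override the DSN, and the DSN overrides connector-wide settings, a DSN configured with the steps above can still be weakened by a single connection string. The following added example (not part of the connector or its documentation) resolves the effective settings across the three layers and reports those that relax server verification. The key names (`SSL`, `AllowSelfSignedServerCert`, `CAIssuedCertNamesMismatch`, `UseSystemTrustStore`, `CheckCertRevocation`, `Min_TLS`), the treatment of absent keys as `0`, and the TLS 1.2 floor are assumptions; check them against the configuration options reference for your connector version.

```python
# Added example. Key names are assumed (they are not shown on this page);
# absent keys are treated as "0", which is also an assumption.
WEAKENING = {
    "allowselfsignedservercert": "self-signed server certificates are accepted",
    "caissuedcertnamesmismatch": "certificate name is not checked against the host name",
}

def parse_conn_str(conn_str):
    """Split 'Key=Value;...' into a dict; ODBC keys are case-insensitive."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def effective(connector_wide, dsn, conn_str):
    """Merge the three layers: connection string > DSN > connector-wide."""
    merged = {}
    for layer in (connector_wide, dsn, parse_conn_str(conn_str)):
        merged.update({k.lower(): str(v) for k, v in layer.items()})
    return merged

def audit(settings):
    """Return findings for settings that disable or weaken server verification."""
    if settings.get("ssl", "0") != "1":
        return ["ssl: SSL is not enabled"]
    findings = [f"{k}: {why}" for k, why in WEAKENING.items()
                if settings.get(k, "0") == "1"]
    if settings.get("checkcertrevocation", "0") != "1":
        findings.append("checkcertrevocation: revocation is not checked")
    min_tls = settings.get("min_tls")
    if min_tls and tuple(map(int, min_tls.split("."))) < (1, 2):
        findings.append(f"min_tls: {min_tls} is below TLS 1.2")
    return findings

# Constructed sample layers: a hardened DSN weakened by a connection string.
CONNECTOR_WIDE = {"SSL": "1", "Min_TLS": "1.2"}
DSN = {"UseSystemTrustStore": "1", "CheckCertRevocation": "1",
       "CAIssuedCertNamesMismatch": "0"}
CONN_STR = "DSN=impala_prod;CAIssuedCertNamesMismatch=1;Min_TLS=1.0"

if __name__ == "__main__":
    for finding in audit(effective(CONNECTOR_WIDE, DSN, CONN_STR)):
        print(finding)
```

With the sample layers, the DSN alone produces no findings; the connection string is what introduces the host name mismatch allowance and the lower TLS floor.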