Configuring SSL Verification

If you are connecting to a Presto server that has Secure Sockets Layer (SSL) enabled, you can configure the connector to connect to an SSL-enabled socket. When using SSL to connect to a server, the connector can be configured to verify the identity of the server.

Note: If either Kerberos or LDAP authentication is enabled, the connector automatically uses SSL to communicate with the Presto server.

You can set the connection properties described below in a connection string or in a DSN (in the odbc.ini file). Settings in the connection string take precedence over settings in the DSN.

To configure SSL verification:

  1. To enable SSL connections, set the SSL attribute to 1.
  2. To allow authentication using self-signed certificates that have not been added to the list of trusted certificates, set the AllowSelfSignedServerCert attribute to 1.
  3. To allow the common name of a CA-issued SSL certificate to not match the host name of the Presto server, set the AllowHostNameCNMismatch attribute to 1.
  4. Choose one:
    • To configure the connector to load SSL certificates from a specific .pem file when verifying the server, set the TrustedCerts attribute to the full path of the .pem file.
    • Or, to use the trusted CA certificates .pem file that is installed with the connector, do not specify a value for the TrustedCerts attribute.
  5. To configure two-way SSL verification, set the TwoWaySSL attribute to 1 and then do the following:
    1. Set the ClientCert attribute to the full path of the .pem file containing the client's certificate.
    2. Set the ClientPrivateKey attribute to the full path of the file containing the client's private key.
    3. If the private key file is protected with a password, set the ClientPrivateKeyPassword attribute to the password.
  6. To allow authentication when the certificate's revocation status is undetermined, set the Accept Undetermined Revocation attribute to 1.
  7. To specify the minimum version of TLS to use, set the Min_TLS property to the minimum version of TLS. Supported options include 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, and 1.3 for TLS 1.3.
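
An added example, not part of the connector or its documentation: a Python check that reads an odbc.ini and reports, per DSN, which of the properties from the steps above relax server verification. The sample DSNs, file paths and finding text are constructed, and flagging Min_TLS below 1.2 and comparing keys case-insensitively with spaces removed are assumptions made here.

```python
import configparser

# Constructed sample odbc.ini; DSN names and file paths are made up.
SAMPLE_ODBC_INI = """
[PrestoLab]
SSL=1
AllowSelfSignedServerCert=1
AllowHostNameCNMismatch=1
Min_TLS=1.0

[PrestoProd]
SSL=1
TrustedCerts=/etc/presto/ca-bundle.pem
TwoWaySSL=1
ClientCert=/etc/presto/client.pem
ClientPrivateKey=/etc/presto/client.key
Min_TLS=1.2
"""

# Properties from the steps above that relax server verification when set to 1.
RELAXING = {
    "allowselfsignedservercert": "self-signed server certificates accepted",
    "allowhostnamecnmismatch": "certificate CN need not match the host name",
    "acceptundeterminedrevocation": "undetermined revocation status accepted",
}

def audit_dsns(ini_text):
    """Return {dsn_name: [findings]} for every section of an odbc.ini text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Assumption: lowercase keys and drop spaces so spelling variants compare equal.
    parser.optionxform = lambda key: key.replace(" ", "").lower()
    parser.read_string(ini_text)
    report = {}
    for dsn in parser.sections():
        props = {k: v.strip() for k, v in parser[dsn].items()}
        findings = [msg for key, msg in RELAXING.items() if props.get(key) == "1"]
        if props.get("min_tls") in ("1.0", "1.1"):
            findings.append("Min_TLS permits TLS " + props["min_tls"])
        if props.get("clientprivatekeypassword"):
            findings.append("private key password stored in the DSN")
        if props.get("twowayssl") == "1":
            missing = [k for k in ("clientcert", "clientprivatekey") if not props.get(k)]
            findings += ["TwoWaySSL=1 but " + k + " is not set" for k in missing]
        report[dsn] = findings
    return report

if __name__ == "__main__":
    for dsn, findings in audit_dsns(SAMPLE_ODBC_INI).items():
        print(dsn, "->", findings or "no relaxed settings")
```

Only values set explicitly in the DSN are reported; properties passed in a connection string take precedence and are not seen by this check.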