Configuring SSL Verification

If you are connecting to a Presto server that has Secure Sockets Layer (SSL) enabled, you can configure the connector to connect to an SSL-enabled socket. When using SSL to connect to a server, the connector can be configured to verify the identity of the server.

Note:

If Kerberos or LDAP authentication is enabled, then SSL is automatically enabled.

To configure SSL verification:

  1. To access SSL options, open the ODBC Data Source Administrator where you created the DSN, then select the DSN, then click Configure, and then click SSL Options.
  2. Select the Enable SSL check box.
  3. To allow authentication using self-signed certificates that have not been added to the list of trusted certificates, select the Allow Self-signed Server Certificate check box.
  4. To allow the common name of a CA-issued SSL certificate to not match the host name of the Presto server, select the Allow Common Name Host Name Mismatch check box.
  5. To specify the CA certificates that you want to use to verify the server, do one of the following:
    • To verify the server using the trusted CA certificates from a specific .pem file, specify the full path to the file in the Trusted Certificates field and clear the Use System Trust Store check box.
    • Or, to use the trusted CA certificates .pem file that is installed with the connector, leave the default value in the Trusted Certificates field, and clear the Use System Trust Store check box.
    • Or, to use the Windows trust store, select the Use System Trust Store check box.
      Important:
      • If you are using the Windows trust store, make sure to import the trusted CA certificates into the trust store.
      • If the trusted CA supports certificate revocation, select the Check Certificate Revocation check box.
  6. From the Minimum TLS Version drop-down list, select the minimum version of TLS to use when connecting to your data store.
  7. To configure two-way SSL verification, select the Two-Way SSL check box and then do the following:
    1. In the Client Certificate File field, specify the full path of the PEM file containing the client's certificate.
    2. In the Client Private Key File field, specify the full path of the file containing the client's private key.
    3. If the private key file is protected with a password, type the password in the Client Private Key Password field.

      Important: The password is obscured, that is, not saved in plain text. However, it is still possible for the encrypted password to be copied and used.

    4. To encrypt your credentials, click Password Options and then select one of the following:
      • If the credentials are used only by the current Windows user, select Current User Only.
      • Or, if the credentials are used by all users on the current Windows machine, select All Users Of This Machine.
  8. To save your settings and close the SSL Options dialog box, click OK.
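
A pre-flight check for the procedure above, as an added example that is not part of the connector or its documentation: it performs a TLS handshake with full chain and host name verification (the state of the dialog when the check boxes in steps 3 and 4 are cleared) and reports which verification failure, if any, the server's certificate causes. The function names, the advice table and the command-line arguments are assumptions for illustration, and Python's ssl module stands in for the connector's TLS stack, whose behaviour may differ in detail.

```python
import socket
import ssl
import sys

# Added example; names are illustrative, not connector APIs.
# OpenSSL verify code -> (dialog check box that would hide the failure,
#                         fix that keeps verification switched on)
ADVICE = {
    18: ("Allow Self-signed Server Certificate",
         "add the server certificate to the Trusted Certificates .pem file"),
    19: (None, "add the chain's root CA to the .pem file or the trust store"),
    20: (None, "add the issuing CA to the .pem file or the trust store"),
    62: ("Allow Common Name Host Name Mismatch",
         "connect with the name in the certificate, or reissue the certificate"),
}

def strict_context(ca_pem=None, min_tls=ssl.TLSVersion.TLSv1_2,
                   client_cert=None, client_key=None, key_password=None):
    """Client context with chain and host name verification both enforced."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = min_tls                  # step 6: Minimum TLS Version
    if ca_pem:
        ctx.load_verify_locations(cafile=ca_pem)   # step 5: specific .pem file
    else:
        ctx.load_default_certs()                   # step 5: system trust store
    if client_cert:                                # step 7: two-way SSL
        ctx.load_cert_chain(client_cert, keyfile=client_key, password=key_password)
    return ctx

def advise(verify_code):
    """Map a verification failure to the tempting option and the real fix."""
    box, fix = ADVICE.get(verify_code, (None, "inspect the certificate chain"))
    return {"code": verify_code, "tempting_option": box, "fix": fix}

def probe(host, port, ctx, timeout=5):
    """Handshake only; returns the negotiated TLS version or failure advice."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "tls": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message, **advise(exc.verify_code)}

if __name__ == "__main__":
    # Usage: script.py HOST PORT [CA_PEM]; nothing is contacted on import.
    print(probe(sys.argv[1], int(sys.argv[2]), strict_context(*sys.argv[3:4])))
```

A result with "ok": True means the DSN can be saved with both Allow check boxes cleared; otherwise the "fix" entry names the change to make instead of relaxing verification.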