Configuring SSL Verification on a Non-Windows machine
If you are connecting to a Netezza server that has Secure Sockets Layer (SSL) enabled, you can configure the connector to connect to an SSL-enabled socket.
The Simba Netezza ODBC Driver only supports SSL version 3. Other versions are not supported.
You can set the connection properties described below in a connection string, in a DSN (in the odbc.ini
file), or as a connector-wide setting (in the simba.netezzaodbc.ini
file). Settings in the connection string take precedence over
settings in the DSN, and settings in the DSN take precedence over connector-wide settings.
To configure SSL verification
- Configure SSL authentication on your Netezza database. For more information, see "Configuring the SSL Certificate" in the IBM Knowledge Center: http://www.ibm.com/support/knowledgecenter/SSULQD_7.2.1/com.ibm.nz.adm.doc/t_sysadm_config_ssl_certs.html.
- In your
odbc.ini
configuration file or connection string, set theSecurityLevel
property to the level of SSL verification:- To connect over an unsecured connection, specify
onlyUnsecured
. The connector does not connect to the data store if an unsecured connection is not available. - To connect over an unsecured connection if one is available, specify
preferredUnsecured
. The connector connects to the data store using an unsecured connection if available; if not, the connector uses a secure connection. - To connect over a secure connection if one is available, specify
preferredSecured
. The connector connects to the data store using a secure connection if available; if not, the connector uses an unsecured connection. - To connect over a secure connection, specify
onlySecured
. The connector does not connect to the data store if a secure connection is not available.
For example, to connect only over a secure connection:
SecurityLevel=onlySecured
- To connect over an unsecured connection, specify
- To connect using a specific version of SSL/TLS, set the
SSLVersion
property toSSLv3
orTLSv1.2
. - Set the
CaCertFile
property to the location of the CA.pem
certificate file.Important: The CA certificate must be stored on the server in the
/nz/
directory.For example:
CaCertFile=/nz/CertFile.pem
- To allow self-signed certificates from the server, set the
AllowSelfSignedCert
attribute to1
. - To allow the common name of a CA-issued SSL certificate to not match the host name of the Netezza server, set the
AllowHostMismatch
attribute to1
. - To allow expired certificates from the server, set the
AllowExpiredCert
attribute to1
.