Configuring SSL Verification

If you are connecting to a Netezza server that has Secure Sockets Layer (SSL) enabled, you can configure the connector to connect to an SSL-enabled socket.

Important:

The Simba Netezza ODBC Driver only supports SSL version 3. Other versions are not supported.

You can set the connection properties described below in a connection string, in a DSN (in the odbc.ini file), or as a connector-wide setting (in the simba.netezzaodbc.ini file). Settings in the connection string take precedence over settings in the DSN, and settings in the DSN take precedence over connector-wide settings.

To configure SSL verification:

  1. Configure SSL authentication on your Netezza database. For more information, see "Configuring the SSL Certificate" in the IBM Knowledge Center: http://www.ibm.com/support/knowledgecenter/SSULQD_7.2.1/com.ibm.nz.adm.doc/t_sysadm_config_ssl_certs.html.
  2. In your odbc.ini configuration file or connection string, set the SecurityLevel property to the level of SSL verification:
    • To connect over an unsecured connection, specify onlyUnsecured. The connector does not connect to the data store if an unsecured connection is not available.
    • To connect over an unsecured connection if one is available, specify preferredUnsecured. The connector connects to the data store using an unsecured connection if available; if not, the connector uses a secure connection.
    • To connect over a secure connection if one is available, specify preferredSecured. The connector connects to the data store using a secure connection if available; if not, the connector uses an unsecured connection.
    • To connect over a secure connection, specify onlySecured. The connector does not connect to the data store if a secure connection is not available.

    For example, to connect only over a secure connection:

    SecurityLevel=onlySecured

  3. To connect using a specific version of SSL/TLS, set the SSLVersion property to SSLv3 or TLSv1.2.
  4. Set the CaCertFile property to the location of the CA .pem certificate file.

    Important:

    The CA certificate must be stored on the server in the /nz/ directory.

    For example:

    CaCertFile=/nz/CertFile.pem

  5. To allow self-signed certificates from the server, set the AllowSelfSignedCert attribute to 1.
  6. To allow the common name of a CA-issued SSL certificate to not match the host name of the Netezza server, set the AllowHostMismatch attribute to 1.
  7. To allow expired certificates from the server, set the AllowExpiredCert attribute to 1.
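
Because the same property can be set in three places, a relaxed value in one layer can silently override or be overridden by another. The following added example (not part of the connector or its documentation) resolves the effective settings using the precedence stated above and reports any that weaken certificate verification. It assumes the connector-wide file keeps its settings in a [Driver] section, uses a constructed DSN named NZSQL with constructed file contents, and reports an unset SecurityLevel because this page does not state the default.

```python
import configparser

# Properties named on this page that relax certificate checks when set to 1.
WEAK_FLAGS = ("AllowSelfSignedCert", "AllowHostMismatch", "AllowExpiredCert")

def _section(ini_text, name):
    """Return one INI section as a dict with lower-cased keys ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return dict(cp[name]) if cp.has_section(name) else {}

def _conn_string(conn):
    """Parse 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def effective(driver_ini, odbc_ini, dsn, conn=""):
    """Apply the page's precedence: connection string > DSN > connector-wide."""
    merged = _section(driver_ini, "Driver")  # assumed section name
    merged.update(_section(odbc_ini, dsn))
    merged.update(_conn_string(conn))
    return merged

def audit(settings):
    """List findings for the effective settings of one connection."""
    findings = []
    level = settings.get("securitylevel")
    if level is None or level.lower() != "onlysecured":
        findings.append(f"SecurityLevel={level or '<unset>'}: not pinned to onlySecured")
    for flag in WEAK_FLAGS:
        if settings.get(flag.lower()) == "1":
            findings.append(f"{flag}=1: certificate check relaxed")
    if not settings.get("cacertfile"):
        findings.append("CaCertFile not set")
    return findings

# Constructed sample files, not taken from a real deployment.
DRIVER_INI = "[Driver]\nAllowExpiredCert=1\n"
ODBC_INI = ("[NZSQL]\nSecurityLevel=onlySecured\nCaCertFile=/nz/CertFile.pem\n"
            "AllowExpiredCert=0\nAllowHostMismatch=1\n")

if __name__ == "__main__":
    # The connection string downgrades the DSN's SecurityLevel.
    conn = "DSN=NZSQL;SecurityLevel=preferredSecured"
    for line in audit(effective(DRIVER_INI, ODBC_INI, "NZSQL", conn)):
        print(line)
```

In the sample, the DSN's AllowExpiredCert=0 masks the connector-wide value of 1, while the connection string replaces the DSN's onlySecured with preferredSecured.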