The gpfdists:// protocol is a secure version of the gpfdist:// protocol. To use it, you run the gpfdist utility with the --ssl option. When specified in a URI, the gpfdists:// protocol enables encrypted communication and secure identification of the file server and the HAWQ to protect against attacks such as eavesdropping and man-in-the-middle attacks.
gpfdists implements SSL security in a client/server scheme with the following attributes and limitations:
- Client certificates are required.
- Multilingual certificates are not supported.
- A Certificate Revocation List (CRL) is not supported.
- The TLSv1 protocol is used with the
- SSL parameters cannot be changed.
- SSL renegotiation is supported.
- The SSL ignore host mismatch parameter is set to
- Private keys containing a passphrase are not supported for the gpfdist file server (server.key) and for the HAWQ (client.key).
Issuing certificates that are appropriate for the operating system in use is the user's responsibility. Generally, converting certificates as shown in https://www.sslshopper.com/ssl-converter.html is supported.
Note: A server started with the gpfdist --ssl option can only communicate with the gpfdists protocol. A server that was started with --ssl option can only communicate with the
Use one of the following methods to invoke the gpfdists protocol.
- Run gpfdist with the --ssl option and then use the gpfdists protocol in the LOCATION clause of a CREATE EXTERNAL TABLE statement.
- Use a hawq load YAML control file with the SSL option set to true.
gpfdists requires that the following client certificates reside in the $PGDATA/gpfdists directory on each segment.
- The client certificate file, client.crt
- The client private key file, client.key
- The trusted certificate authorities,
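A pre-flight check for the requirements above, as an added example that is not code from the HAWQ documentation or project: it confirms that client.crt and client.key are present in a segment's $PGDATA/gpfdists directory, that the client key carries no passphrase (unsupported, per the limitations listed above), and that a LOCATION URI uses the gpfdists:// scheme as the note on --ssl servers requires. The trusted-CA file name is not given on this page, so it is an assumed parameter; the host name, port and PEM contents used in the demonstration are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Pre-flight check for a gpfdists load. Added example, not code from the HAWQ
# documentation or project. Assumes the layout the page describes: client.crt
# and client.key in $PGDATA/gpfdists on each segment, plus a trusted-CA file
# whose name the page does not give (passed in as a parameter). A key counts as
# passphrase-protected, which gpfdists does not support, when its PEM text
# carries an ENCRYPTED marker (legacy "Proc-Type: 4,ENCRYPTED" or PKCS#8 header).

# Return 0 if $1 is a readable PEM private key without a passphrase, 1 otherwise.
key_has_no_passphrase() {
    [ -r "$1" ] || return 1
    if grep -q 'ENCRYPTED' "$1"; then
        return 1
    fi
    grep -q 'PRIVATE KEY' "$1"
}

# Return 0 if a LOCATION URI uses the gpfdists:// scheme (required when the
# gpfdist server was started with --ssl), 1 otherwise.
uri_is_gpfdists() {
    case "$1" in
        gpfdists://*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Check one segment's client-certificate directory.
#   $1 = directory (normally $PGDATA/gpfdists), $2 = trusted-CA file name (assumed)
# Prints each problem found and returns the number of problems (0 = ready).
check_gpfdists_dir() {
    dir=$1; ca=$2; problems=0
    for f in client.crt client.key "$ca"; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    if [ -r "$dir/client.key" ] && ! key_has_no_passphrase "$dir/client.key"; then
        echo "$dir/client.key is passphrase-protected or not a PEM private key"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Build a constructed sample directory for demonstration: $1 = directory,
# $2 = 1 to write a passphrase-protected key, 0 for a plain one.
# The PEM bodies are placeholders, not real certificates or keys.
make_sample_dir() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$1/client.crt"
    cp "$1/client.crt" "$1/ca.crt"
    if [ "$2" -eq 1 ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
            'MIIE...placeholder...' '-----END RSA PRIVATE KEY-----' > "$1/client.key"
    else
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder...' \
            '-----END RSA PRIVATE KEY-----' > "$1/client.key"
    fi
}

# Demonstration on constructed directories. Real use on a segment host is:
#   check_gpfdists_dir "$PGDATA/gpfdists" <trusted-CA file name>
demo() {
    tmp=$(mktemp -d)
    make_sample_dir "$tmp/ready" 0
    make_sample_dir "$tmp/broken" 1
    rm -f "$tmp/broken/ca.crt"        # simulate a missing trusted-CA file
    for d in "$tmp/ready" "$tmp/broken"; do
        n=0
        check_gpfdists_dir "$d" ca.crt || n=$?
        if [ "$n" -eq 0 ]; then
            echo "$d: ready for gpfdists"
        else
            echo "$d: $n problem(s), fix before loading"
        fi
    done
    # Constructed URIs: only the first is valid for a server started with --ssl.
    for u in 'gpfdists://etlhost:8081/data/*.txt' 'gpfdist://etlhost:8081/data/*.txt'; do
        if uri_is_gpfdists "$u"; then echo "ok: $u"; else echo "not gpfdists: $u"; fi
    done
    rm -rf "$tmp"
}
demo
```

Run it on each segment host with the real directory and CA file name before defining the external table; a non-zero return from check_gpfdists_dir means the load will fail the client-certificate or passphrase limitations above, and the URI check catches a LOCATION clause that still uses gpfdist:// against an --ssl server.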
For an example of loading data securely into an external table, see Example 3 - Multiple gpfdists instances.