Greenplum Database New Features - Database Security, Authentication and Encryption

Greenplum continues to add security features to make Greenplum Database more secure. Here we discuss a few of the security, authentication and encryption enhancements added in GPDB 4.3.2.0, 4.3.4.0 and 4.3.5.1.

Note: For information about encrypting communication between Greenplum Database and an LDAP server, see “Configuring Client Authentication” in the Greenplum Database Administrator Guide.

Database Security, Authentication and Encryption (4.3.2.0, 4.3.4.0, 4.3.5.1)

In GPDB 4.3.2.0, Greenplum added enhanced support for encrypted LDAP authentication.

In GPDB 4.3.2, support for encrypting communication between Greenplum Database and an LDAP server has been enhanced. Greenplum Database 4.3.2 now supports LDAP authentication with the TLS/SSL protocol to encrypt communication with the LDAP server.

If no protocol is specified, Greenplum Database communicates with the LDAP server over a clear-text connection, so credentials and directory data cross the network unprotected.

In GPDB 4.3.4.0, Greenplum announced two new enhancements related to encryption and client connections.

The first is an enhancement for encrypting data with the Greenplum Database pgcrypto extension: you can use pgcrypto functions to store columns of data in encrypted form. When the Greenplum Database pgcrypto package version 1.2 is installed, you can enable pgcrypto support for Federal Information Processing Standard (FIPS) 140-2. The Greenplum Database server configuration parameter pgcrypto.fips controls the pgcrypto support for FIPS 140-2.
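As an added example (not from the original post or the Greenplum documentation), the following SQL shows the pattern described above: a column stored in encrypted form using the pgcrypto pgp_sym_encrypt and pgp_sym_decrypt functions, with the passphrase supplied by the caller rather than stored in the database. The table, column names and passphrase are assumptions for illustration, and the pgcrypto package is assumed to be installed already.

```sql
-- Added example: column-level encryption with pgcrypto.
-- Table, columns and passphrase are hypothetical; in practice the
-- passphrase comes from the application or a key store, never a table.

-- Check whether FIPS 140-2 mode is enabled (the parameter named above).
SHOW pgcrypto.fips;

CREATE TABLE customer_secret (
    id        integer PRIMARY KEY,
    customer  text,
    ssn_enc   bytea            -- ciphertext only; the plaintext is never stored
) DISTRIBUTED BY (id);

-- Encrypt at write time with a symmetric passphrase. AES-256 is chosen
-- explicitly so the stored data does not depend on pgcrypto's default cipher.
INSERT INTO customer_secret VALUES
    (1, 'alice', pgp_sym_encrypt('123-45-6789', 'example-passphrase', 'cipher-algo=aes256')),
    (2, 'bob',   pgp_sym_encrypt('987-65-4321', 'example-passphrase', 'cipher-algo=aes256'));

-- Decrypt only for callers that can supply the passphrase.
SELECT id, customer, pgp_sym_decrypt(ssn_enc, 'example-passphrase') AS ssn
FROM customer_secret
ORDER BY id;

-- What a reader without the passphrase, or a copied data file, actually
-- contains: opaque bytes of varying length.
SELECT id, customer, length(ssn_enc) AS cipher_len, ssn_enc
FROM customer_secret
ORDER BY id;

-- A wrong passphrase raises an error rather than returning garbage,
-- so a misconfigured client fails closed.
SELECT pgp_sym_decrypt(ssn_enc, 'wrong-passphrase')
FROM customer_secret
WHERE id = 1;
```

Because the passphrase appears in the SQL text, statements like these should not be written to server logs at full verbosity; keep log_statement away from 'all' on such sessions.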

The second is control of client connections to Greenplum Database: the new GPDB 4.3.4 server configuration parameter gp_connection_send_timeout controls the timeout value for sending data to unresponsive Greenplum Database user clients during query processing. When the timeout is reached, the query is cancelled.

gp_connection_send_timeout

Timeout for sending data to unresponsive Greenplum Database user clients during query processing. A value of 0 disables the timeout; Greenplum Database then waits indefinitely for a client. When the timeout is reached, the query is cancelled with this message: "Could not send data to client: Connection timed out."

Value range: number of seconds
Default: 3600 (1 hour)
Set classifications: master, system, reload

In GPDB 4.3.5.1, Greenplum announced support for encrypting communication between segment hosts.

In a Greenplum Database cluster, you can use Internet Protocol Security (IPsec) to authenticate and encrypt communication between Greenplum Database segments on different hosts.

When IPsec is enabled for Greenplum Database, a virtual private network (VPN), or tunnel, is established between every pair of hosts in the cluster, and every packet exchanged between them is encrypted and sent through the tunnel. You can configure IPsec for Greenplum clusters that run on Red Hat or CentOS hosts using Openswan, a popular IPsec implementation for Linux. Openswan provides user tools to enable IPsec on Linux.

Note: Enabling this feature might impact Greenplum Database cluster performance.

For information about configuring IPsec for a Greenplum Database cluster, see the Greenplum Database Administrator Guide.