To use it, you run the utility with the --ssl option. When specified in a URI, the gpfdists:// protocol enables encrypted communication and secure identification of the file server and the Greenplum Database to protect against attacks such as eavesdropping and man-in-the-middle attacks.

    gpfdists implements SSL security in a client/server scheme with the following attributes and limitations:

    • Multilingual certificates are not supported.
    • A Certificate Revocation List (CRL) is not supported.
    • The TLSv1 protocol is used with the TLS_RSA_WITH_AES_128_CBC_SHA encryption algorithm.
    • SSL parameters cannot be changed.
    • SSL renegotiation is supported.
    • Private keys containing a passphrase are not supported for the gpfdist file server (server.key) and for the Greenplum Database (client.key).

    • Issuing certificates that are appropriate for the operating system in use is the user’s responsibility. Generally, converting certificates as shown in https://www.sslshopper.com/ssl-converter.html is supported.

    • The client certificate file, client.crt

    • The client private key file, client.key

    Use one of the following methods to invoke the gpfdists protocol.

    • Run gpfdist with the --ssl option and then use the gpfdists protocol in the LOCATION clause of a CREATE EXTERNAL TABLE statement.
    • The client certificate file, client.crt
    • The client private key file, client.key
    • The trusted certificate authorities, root.crt

    For an example of loading data into an external table security, see .

    The server configuration parameter verify_gpfdists_cert controls whether SSL certificate authentication is enabled when Greenplum Database communicates with the gpfdist utility to either read data from or write data to an external data source. You can set the parameter value to false to deactivate authentication when testing the communication between the Greenplum Database external table and the gpfdist utility that is serving the external data. If the value is false, these SSL exceptions are ignored:

    • The self-signed SSL certificate that is used by gpfdist is not trusted by Greenplum Database.
    • The host name contained in the SSL certificate does not match the host name that is running .

    Warning: Deactivating SSL certificate authentication exposes a security risk by not validating the gpfdists SSL certificate.