LabKey Server can support secure ODBC connections using TLS. Secure ODBC connections piggyback on Tomcat for TLS configurations (both certificates and keys).
TLS connections are recommended for production deployments. Currently, TLS connections are supported only for on-premise deployments. TLS connections are not currently supported for cloud-based deployments.
See below for details on setting up a secure configuration.
Configure Tomcat for TLS Connections
For details see Configure the LabKey Web Application.
Cipher delimiter characters: While Tomcat does not care which delimiter is used in the server's xml config file, to make it work with ODBC connections, a colon delimiter must be used in separating cipher suites. For example:
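An added check, not taken from the LabKey documentation: this Python script flags any `ciphers` attribute in a Tomcat server.xml that is not colon-delimited and reports the colon-delimited form to use instead. The sample XML and the function name `audit_cipher_delimiters` are constructed for illustration, and the script assumes `ciphers` is set on a `Connector` or on a nested `SSLHostConfig` element.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the LabKey docs).
# The first connector uses a comma delimiter, the second a colon delimiter.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    </Connector>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  </Service>
</Server>
"""


def audit_cipher_delimiters(xml_text):
    """Return one finding per ciphers attribute: (tag, port, ok, suggested)."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Assumption: ciphers sits on the Connector or a nested SSLHostConfig.
        for elem in [conn] + list(conn.iter("SSLHostConfig")):
            value = elem.get("ciphers")
            if value is None:
                continue
            # Split on any delimiter Tomcat tolerates, then rejoin with colons.
            suites = [s for s in re.split(r"[\s,:]+", value.strip()) if s]
            suggested = ":".join(suites)
            # ok only if the configured value is already purely colon-delimited.
            findings.append((elem.tag, port, value == suggested, suggested))
    return findings


if __name__ == "__main__":
    for tag, port, ok, suggested in audit_cipher_delimiters(SAMPLE_SERVER_XML):
        status = "OK" if ok else "FIX"
        print(f"[{status}] {tag} on port {port}")
        if not ok:
            print(f'      use ciphers="{suggested}"')
```

To audit a real deployment, pass the contents of the Tomcat server.xml file to `audit_cipher_delimiters` in place of the sample string.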
Configure PostgreSQL Client for Secure Connections
PostgreSQL supports the following TLS connection modes:
For details on these modes see the PostgreSQL documentation at Protection Provided in Different Modes.
Currently, when secure connections are enforced through LabKey Server, connections through disable modes are not successful.
When LabKey's Enforce TLS switch is turned off (see below), connections through all the modes are successful provided Tomcat is set up for secure connections.
For modes verify-ca, clients (that is, users that want to connect to a LabKey Server data source) will need to place the certificate for the server in the location specified in the PostgreSQL docs at Client Verification of Server Certificates.
When setting up the DSN wrapper for the ODBC connection, clients should select one of these modes:
Self-signed certificates can be supported by using the following modes:
If the client has been configured to trust the certificate (by adding it to the CA list) verify-ca will also work.
Require TLS on LabKey Server
To set up TLS on LabKey Server, see Creating & Installing SSL/TLS Certificates on Tomcat.
To turn on the TLS enforcement for ODBC connections:
- Open the Admin Console at > Site > Admin Console.
- Click Admin Console Links. In the section Premium Features, click External Analytics Connections.
- On the page Enable External Analytics Connections, place a checkmark next to Require TLS.
- Click Save.