This topic is under construction for the July 2020 release of LabKey Server. For current documentation of this feature, click here.

Premium Feature — Available in the Professional and Enterprise Editions of LabKey Server. Learn more or contact LabKey.

An ODBC (Open Database Connectivity) Connection enables users to analyze LabKey data with external clients they are already familiar with. LabKey Server can support secure ODBC connections using TLS. Secure ODBC connections piggyback on Tomcat for TLS configurations (both certificates and keys).

TLS connections is recommended for production deployments. Currently, TLS connections are supported only for on premise deployments. TLS connections are not currently supported for cloud-based deployments.

This topic contains details for setting up a secure configuration.

Configure Tomcat for TLS Connections

For details see Installation: Tomcat Configuration.

Cipher delimiter characters: While Tomcat does not care which delimiter is used in the server's xml config file, to make it work with ODBC connections, a colon delimiter must be used in separating cipher suites. For example:

sslProtocol="TLSv1.2" protocols="TLSv1.2"


Configure PostgreSQL Client for Secure Connections

PostgreSQL supports the following TLS connection modes:

  • disable
  • allow
  • prefer
  • require
  • verify-ca
  • verify-full
For details on these modes see the PostgreSQL documentation at Protection Provided in Different Modes .

Currently, when secure connections are enforced through LabKey Server, connections through disable and allow modes are not successful.

When LabKey's Enforce TLS switch is turned off (see below), connections through all the modes are successful provided the Tomcat is setup for secure connections.

For modes verify-ca and verify-full, clients (that is, users that want to connect to a LabKey Server data source) will need to place the certificate for the server in the location specified in the PostrgreSQL docs at Client Verification of Server Certificates

Configure DSN

When setting up the DSN wrapper for the ODBC connection, clients should select one of these modes:

  • prefer
  • require
  • verify-ca
  • verify-full
Self-signed certificates can be supported by using the following modes:
  • prefer
  • require
If the client has been configured to trust the certificate (by adding it to the CA list) verify-ca will also work.

Require TLS on LabKey Server

To set up TLS on LabKey Server, see Creating & Installing SSL/TLS Certificates on Tomcat.

To turn on the TLS enforcement for ODBC connections:

  • Open the Admin Console at (Admin) > Site > Admin Console.
  • Under Premium Features, click External Analytics Connections.
  • On the page Enable External Analytics Connections, place a checkmark next to Require TLS.
  • Click Save.

Related Topics


Was this content helpful?

Log in or register an account to provide feedback

expand all collapse all