LabKey Server can support secure ODBC connections using TLS. Secure ODBC connections piggyback on Tomcat for TLS configurations (both certificates and keys).

TLS connections is recommended for production deployments. Currently, TLS connections are supported only for on premise deployments. TLS connections are not currently supported for cloud-based deployments.

See below for details on setting up a secure configuration.

Configure Tomcat for TLS Connections

For details see Configure the LabKey Web Application.

Cipher delimiter characters: While Tomcat does not care which delimiter is used in the server's xml config file, to make it work with ODBC connections, a colon delimiter must be used in separating cipher suites. For example:

<SSLHostConfig
sslProtocol="TLSv1.2" protocols="TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"

>

Configure PostgreSQL Client for Secure Connections

PostgreSQL supports the following TLS connection modes:

  • disable
  • allow
  • prefer
  • require
  • verify-ca
  • verify-full
For details on these modes see the PostgreSQL documentation at Protection Provided in Different Modes .

Currently, when secure connections are enforced through LabKey Server, connections through disable and allow modes are not successful.

When LabKey's Enforce TLS switch is turned off (see below), connections through all the modes are successful provided the Tomcat is setup for secure connections.

For modes verify-ca and verify-full, clients (that is, users that want to connect to a LabKey Server data source) will need to place the certificate for the server in the location specified in the PostrgreSQL docs at Client Verification of Server Certificates

Configure DSN

When setting up the DSN wrapper for the ODBC connection, clients should select one of these modes:

  • prefer
  • require
  • verify-ca
  • verify-full
Self-signed certificates can be supported by using the following modes:
  • prefer
  • require
If the client has been configured to trust the certificate (by adding it to the CA list) verify-ca will also work.

Require TLS on LabKey Server

To set up TLS on LabKey Server, see Creating & Installing SSL/TLS Certificates on Tomcat.

To turn on the TLS enforcement for ODBC connections:

  • Open the Admin Console at > Site > Admin Console.
  • Click Admin Console Links. In the section Premium Features, click External Analytics Connections.
  • On the page Enable External Analytics Connections, place a checkmark next to Require TLS.
  • Click Save.

Related Topics

Discussion

Was this content helpful?

Log in or register an account to provide feedback


previousnext
 
expand all collapse all