LabKey Server can support secure ODBC connections using TLS. Secure ODBC connections piggyback on Tomcat for TLS configurations (both certificates and keys).
TLS connections are recommended for production deployments. Currently, TLS connections are supported only for on-premises deployments. TLS connections are not currently supported for cloud-based deployments.
See below for details on setting up a secure configuration.
Configure Tomcat for TLS Connections
For details see Configure the LabKey Web Application.
Cipher delimiter characters: Tomcat does not care which delimiter is used in the server's XML config file, but for ODBC connections to work, the cipher suites must be separated with a colon delimiter. For example:
<SSLHostConfig
sslProtocol="TLSv1.2" protocols="TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
>
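One way to check a server.xml for this delimiter requirement before pointing ODBC clients at the server, as an added example that is not part of the LabKey documentation. The sample XML and its host names are constructed, and `check_cipher_delimiters` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the first SSLHostConfig separates cipher
# suites with ", " (fine for Tomcat alone), the second uses colons.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig hostName="comma.example.test" protocols="TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
      <SSLHostConfig hostName="colon.example.test" protocols="TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
    </Connector>
  </Service>
</Server>
"""


def check_cipher_delimiters(server_xml):
    """Return (hostName, colon_delimited_value) for every SSLHostConfig whose
    ciphers attribute is not purely colon-delimited."""
    findings = []
    for cfg in ET.fromstring(server_xml).iter("SSLHostConfig"):
        raw = cfg.get("ciphers")
        if raw is None:
            continue  # no explicit cipher list configured, nothing to check
        # The XML parser turns a line break inside an attribute into a space,
        # so a cipher list wrapped across lines is caught here as well.
        suites = [s for s in re.split(r"[:,\s]+", raw) if s]
        colon_form = ":".join(suites)
        if raw != colon_form:
            host = cfg.get("hostName", "_default_")  # Tomcat's default name
            findings.append((host, colon_form))
    return findings


if __name__ == "__main__":
    for host, fixed in check_cipher_delimiters(SAMPLE_SERVER_XML):
        print(f"{host}: use ciphers=\"{fixed}\"")
```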
Configure PostgreSQL Client for Secure Connections
PostgreSQL supports the following TLS connection modes:
- disable
- allow
- prefer
- require
- verify-ca
- verify-full
For details on these modes see the PostgreSQL documentation at Protection Provided in Different Modes.
Currently, when secure connections are enforced through LabKey Server, connections through disable and allow modes are not successful.
When LabKey's Enforce TLS switch is turned off (see below), connections through all the modes are successful provided Tomcat is set up for secure connections.
For modes verify-ca and verify-full, clients (that is, users that want to connect to a LabKey Server data source) will need to place the certificate for the server in the location specified in the PostgreSQL docs at Client Verification of Server Certificates.
Configure DSN
When setting up the DSN wrapper for the ODBC connection, clients should select one of these modes:
- prefer
- require
- verify-ca
- verify-full
Self-signed certificates can be supported by using the following modes:
If the client has been configured to trust the certificate (by adding it to the CA list), verify-ca will also work.
Require TLS on LabKey Server
To set up TLS on LabKey Server, see
Creating & Installing SSL/TLS Certificates on Tomcat.
To turn on the TLS enforcement for ODBC connections:
- Open the Admin Console at > Site > Admin Console.
- Click Settings.
- Under Premium Features, click External Analytics Connections.
- On the page Enable External Analytics Connections, place a checkmark next to Require TLS.
- Click Save.