Encryption

Similar to other Exasol connectors, PyExasol is capable of using TLS cryptographic protocol.

Exasol published a few articles describing the details:

• Database connection encryption at Exasol

• CHANGELOG: TLS for all Exasol drivers

• CHANGELOG: Database accepts only TLS connections

• Generating TLS files yourself to avoid providing a fingerprint

• TLS connection fails

Default

Encryption with certification validation is ENABLED by default starting from PyExasol version 1.0.0.

Encryption is ENABLED by default starting from PyExasol version 0.24.0.

Encryption was DISABLED by default in previous versions.

Certification verification

The different authentication methods are listed on SQL Reference: CREATE USER - For OpenID, SSL certificate may depend on the database you connect to. See CHANGELOG: Exasol OpenID Connect support

• Exasol running “on-premises” uses self-signed SSL certificate by default. You may generate a proper SSL certificate and upload it using instruction.

• Exasol SAAS running in the cloud uses proper certificate generated by public certificate authority. It does not require any extra setup. For authentication methods, see Database access management.

• Exasol Docker uses self-signed SSL certificate by default. You may generate a proper SSL certificate and submit it for use via the ConfD API. More details are available on:

  • GitHub for Exasol Docker

  • ConfD API

  • confd_client cert_update

To disable strict certification verification, if needed, in development or testing environments, set websocket_sslopt to {"cert_reqs": ssl.CERT_NONE}. This is not recommended for production environments, due to the associated increased security risks.

Similar to JDBC / ODBC drivers, PyExasol supports fingerprint certificate verification. Please check the examples below.

Specific examples

1. How to connect with TLS encryption:

   pyexasol.connect(dsn='myexasol:8563'
                    , user='user'
                    , password='password')
   

2. How to connect with TLS encryption and fingerprint verification:

   pyexasol.connect(dsn='myexasol/135a1d2dce102de866f58267521f4232153545a075dc85f8f7596f57e588a181:8563'
                    , user='user'
                    , password='password'
                    )
   

3. How to connect with TLS encryption and full certificate verification “on-premises” using internal root CA (certificate authority):

   pyexasol.connect(dsn='myexasol:8563'
                    , user='user'
                    , password='password'
                    , websocket_sslopt={
                       "cert_reqs": ssl.CERT_REQUIRED,
                       "ca_certs": '/path/to/rootCA.crt',
                    })
   

4. How to connect to Exasol SAAS (TLS encryption is REQUIRED for SAAS):

   pyexasol.connect(dsn='abc.cloud.exasol.com:8563'
                    , user='user'
                    , refresh_token='token'
                    , encryption=True
                    )
   

   pyexasol.connect(dsn='myexasol:8563'
                    , user='user'
                    , password='personal_access_token'
                    , encryption=True
                    )