The gpfdists protocol is a secure version of gpfdist. gpfdists enables encrypted communication and secure identification of the file server and the Greenplum Database to protect against attacks such as eavesdropping and man-in-the-middle attacks.

gpfdists implements SSL security in a client/server scheme as follows.

  • Client certificates are required.
  • Multilingual certificates are not supported.
  • A Certificate Revocation List (CRL) is not supported.
  • The TLSv1 protocol is used with the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite.
  • SSL parameters cannot be changed.
  • SSL renegotiation is supported.
  • The SSL ignore host mismatch parameter is set to false.
  • Private keys containing a passphrase are not supported for the gpfdist file server (server.key) and for the Greenplum Database (client.key).
  • Issuing certificates that are appropriate for the operating system in use is the user's responsibility. Generally, converting certificates as shown in is supported.

Note: A server started with the gpfdist --ssl option can only communicate with the gpfdists protocol. A server that was started with gpfdist without the --ssl option can only communicate with the gpfdist protocol.

Use one of the following methods to invoke the gpfdists protocol.

  • Run gpfdist with the --ssl option and then use the gpfdists protocol in the LOCATION clause of a CREATE EXTERNAL TABLE statement.
  • Use a YAML Control File with the SSL option set to true and run gpload. Running gpload starts the gpfdist server with the --ssl option, then uses the gpfdists protocol.

Important: Do not protect the private key with a passphrase. The server does not prompt for a passphrase for the private key, and loading data fails with an error if one is required.

gpfdists requires that the following client certificates reside in the $PGDATA/gpfdists directory on each segment.

  • The client certificate file, client.crt
  • The client private key file, client.key
  • The trusted certificate authorities, root.crt
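
Both the file list above and the no-passphrase rule for client.key can be checked on each segment before a load is attempted. The following shell script is an added example, not part of the Greenplum documentation or tooling; the function names are hypothetical, and the permission warning is general key hygiene rather than a documented gpfdists requirement.

```shell
#!/bin/sh
# Added example (not Greenplum code): preflight check of a segment's gpfdists
# certificate directory. Usage: check_gpfdists_dir "$PGDATA/gpfdists"

# Succeeds when a PEM private key is passphrase-protected.
key_is_encrypted() {
    # Traditional PEM keys carry a "Proc-Type: 4,ENCRYPTED" header; PKCS#8
    # keys use the "BEGIN ENCRYPTED PRIVATE KEY" armor line.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Returns 0 when all three files are readable and client.key has no passphrase.
check_gpfdists_dir() {
    dir=$1
    rc=0
    for f in client.crt client.key root.crt; do
        if [ ! -r "$dir/$f" ]; then
            echo "MISSING   $dir/$f" >&2
            rc=1
        fi
    done
    if [ -r "$dir/client.key" ]; then
        if key_is_encrypted "$dir/client.key"; then
            echo "ENCRYPTED $dir/client.key (load fails: no passphrase prompt)" >&2
            rc=1
        fi
        # Hygiene warning only, not a requirement stated in the documentation:
        # an unencrypted key should not be accessible to group or others.
        if [ "$(ls -l "$dir/client.key" | cut -c5-10)" != "------" ]; then
            echo "WARNING   $dir/client.key is accessible to group/other" >&2
        fi
    fi
    return "$rc"
}

# Demo on constructed placeholder files (PEM headers only, no real key material).
demo() {
    d=$(mktemp -d) || return 1
    echo '-----BEGIN CERTIFICATE-----' > "$d/client.crt"
    echo '-----BEGIN CERTIFICATE-----' > "$d/root.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$d/client.key"
    chmod 600 "$d/client.key"
    status=0
    check_gpfdists_dir "$d" || status=$?
    rm -rf "$d"
    return "$status"
}
```

Calling demo reports the constructed key as ENCRYPTED and returns non-zero; a non-zero result from check_gpfdists_dir on a real segment means the directory should be fixed before running a load.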

For an example of loading data into an external table securely, see Example 3—Multiple gpfdists instances.