Accessing an SSL-Secured Schema Registry
You must specify certain configuration properties when your Kafka data load operation accesses a secured Confluent Schema Registry service. GPSS exposes these properties in the AVRO_OPTION: block of the version 2 Kafka load configuration file, and the avro: block of the version 3 (beta) Kafka load configuration file.
About the Configuration Properties
You can specify the following version 2 configuration properties to identify the certificates and keys required to access an SSL-secured schema registry service:
- SCHEMA_CA_ON_GPDB - The file system path to the CA certificate that GPSS uses to verify the peer.
- SCHEMA_CERT_ON_GPDB - The file system path to the client certificate that GPSS uses to connect to the HTTPS schema registry.
- SCHEMA_KEY_ON_GPDB - The file system path to the private key file that GPSS uses to connect to the HTTPS schema registry.
- SCHEMA_MIN_TLS_VERSION - The minimum transport layer security (TLS) version that GPSS requests on the connection to the registry. The default minimum TLS version is 1.0; you can specify 1.0, 1.1, 1.2, or 1.3.
The schema registry's ssl.client.auth property controls client authentication requirements for the service:
- When ssl.client.auth=false for the registry, you need only specify the SCHEMA_CA_ON_GPDB.
- When ssl.client.auth=true for the registry, you must also specify SCHEMA_CERT_ON_GPDB and SCHEMA_KEY_ON_GPDB in addition to the SCHEMA_CA_ON_GPDB.
All certificate and key files must reside in the specified location on all Greenplum Database segment hosts.
Be sure to also specify the SCHEMA_MIN_TLS_VERSION if the default value of 1.0 is not sufficient for your requirements.
Additional Considerations
Take the following into consideration when you use GPSS to access an SSL-secured Kafka schema registry:
- Even though you can specify multiple registry addresses in SCHEMA_REGISTRY_ADDRESS, GPSS supports specifying only a single set of SSL certificate and key properties. GPSS uses the specified (same) CA, certificate, and key regardless of the registry accessed.
- The file system paths that you specify for the CA, certificate, and key are limited to 64 characters each.
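The rules above (which properties ssl.client.auth requires, the allowed TLS versions and the 1.0 default, and the 64-character path limit) can be checked before a load job is submitted. The following preflight check is an added example, not GPSS code; the function name, the sample paths, and the 1.2 policy floor are assumptions of the example.

```python
# Added example: preflight check of the AVRO_OPTION SSL properties (not GPSS code).
MAX_PATH_LEN = 64                                # path limit stated on this page
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")      # values the page lists as valid
PATH_KEYS = ("SCHEMA_CA_ON_GPDB", "SCHEMA_CERT_ON_GPDB", "SCHEMA_KEY_ON_GPDB")

def check_avro_ssl(opts, client_auth_required, policy_min_tls="1.2"):
    """Return a list of problems found in the AVRO_OPTION SSL properties.

    opts: dict of property name -> value as written in the load configuration.
    client_auth_required: the registry's ssl.client.auth setting (True/False).
    policy_min_tls: hypothetical site policy floor, an assumption of this example.
    """
    problems = []
    if not opts.get("SCHEMA_CA_ON_GPDB"):
        problems.append("SCHEMA_CA_ON_GPDB is required")
    has_cert = bool(opts.get("SCHEMA_CERT_ON_GPDB"))
    has_key = bool(opts.get("SCHEMA_KEY_ON_GPDB"))
    if client_auth_required and not (has_cert and has_key):
        problems.append("ssl.client.auth=true needs SCHEMA_CERT_ON_GPDB and SCHEMA_KEY_ON_GPDB")
    elif has_cert != has_key:
        problems.append("SCHEMA_CERT_ON_GPDB and SCHEMA_KEY_ON_GPDB should be set together")
    for key in PATH_KEYS:
        path = opts.get(key) or ""
        if len(path) > MAX_PATH_LEN:
            problems.append(f"{key} path is {len(path)} characters (limit {MAX_PATH_LEN})")
    # Unset means the documented default of 1.0 applies; str() also covers a
    # YAML loader that parsed the value as a float (1.2) instead of a string.
    tls = str(opts.get("SCHEMA_MIN_TLS_VERSION") or "1.0")
    if tls not in TLS_VERSIONS:
        problems.append(f"SCHEMA_MIN_TLS_VERSION {tls!r} is not one of {TLS_VERSIONS}")
    elif TLS_VERSIONS.index(tls) < TLS_VERSIONS.index(policy_min_tls):
        problems.append(f"effective minimum TLS {tls} is below policy floor {policy_min_tls}")
    return problems

# Constructed sample values, not taken from any real deployment.
SAMPLE_OK = {
    "SCHEMA_CA_ON_GPDB": "/home/gpadmin/certs/ca.pem",
    "SCHEMA_CERT_ON_GPDB": "/home/gpadmin/certs/client.pem",
    "SCHEMA_KEY_ON_GPDB": "/home/gpadmin/certs/client.key",
    "SCHEMA_MIN_TLS_VERSION": 1.2,
}
SAMPLE_BAD = {"SCHEMA_CA_ON_GPDB": "/data/" + "x" * 70 + "/ca.pem"}

if __name__ == "__main__":
    for problem in check_avro_ssl(SAMPLE_BAD, client_auth_required=True):
        print("PROBLEM:", problem)
```

The check covers only the property values; confirming that each file exists at the same path on every Greenplum Database segment host is a separate step.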