Enable SSL Connections in the Denodo Platform Servers

This section explains how to secure with SSL the connections between the Denodo Platform servers, their administration tools and their clients. If you do not need this, jump to the section Postinstallation Tasks in Virtual DataPort. To know how to establish SSL connections with data sources, go to section Importing the Certificates of Data Sources (SSL Connections).

Note that if you enable SSL in the Denodo Platform servers, you also have to do it in their clients.

SSL requires configuring certificate repositories. There are two types of certificate repositories:

  • KeyStore
  • TrustStore


An application that listens to incoming SSL connections needs a public key and a private key in order to allow clients to access the server. In Java, these keys are stored in a repository called KeyStore.


During the initialization of an SSL connection, the server sends its SSL certificate to the client. The client must then decide if it trusts this or not. To do this, the client checks if the certificate has been signed by a trusted certification authority (CA). The TrustStore is a repository of the certificates of trusted certification authorities.

Every Java installation comes with a TrustStore that the JRE uses by default (<DENODO_HOME>/jre/lib/security/cacerts file). If the server’s certificate is not signed by a trusted authority (i.e. one that is not registered in the Java’s TrustStore), you have to store the certificate of the authority, which can be stored in:

  1. The cacerts file of the JRE used to launch the Denodo Platform servers and their tools (<DENODO_HOME>/jre/lib/security/cacerts file). This is the recommended option because adding the certificate of the authority to this file will make the configuration of the Denodo Platform servers easier.
  2. Or, in a new TrustStore.

Oracle’s Java Development Kit (JDK) ships with a utility called keytool that manages the Certificate Repositories.

These are the steps to enable SSL: