Enabling HTTPS in the Embedded Apache Tomcat¶

The Denodo Platform embeds the Apache Tomcat web container to host its web applications and web services. The communications between clients and the web applications running in the Apache Tomcat embedded in the Denodo Platform can be secured with HTTPS. The applications running in this web container are:

• Aracne Administration Tool

• ITPilot Administration Tool

• Scheduler Administration Tool

• Web Services published using Virtual DataPort

• Information Self Service Tool

• Diagnostic & Monitoring Tool

To enable HTTPS on the web container, do the following:

1. Stop all the Denodo servers of this installation. The goal is to stop the web container of Denodo. It is important to stop them all so the Denodo web container is stopped as well. If for example, you leave the Information Self-Service started, the web container will not shut down and the changes in the file tomcat.properties will not take effect even if you restart the other components.

2. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties.

   Uncomment the following properties and set their value:

3. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/server.xml

   1. Uncomment the SSL connector. I.e. Search the “Connector” element that starts with <Connector port=”${com.denodo.tomcat.https.port}” and remove the <-- and --> characters that surround it.

   2. To disable the access through HTTP and only allow HTTPs connections, comment the “Connector” element that starts with <Connector port=”${com.denodo.tomcat.http.port}” with <-- and -->. For example,

<!--
   <Connector port="${com.denodo.tomcat.http.port}"
      maxThreads="150" minSpareThreads="25"
      redirectPort="${com.denodo.tomcat.https.port}"
      connectionTimeout="20000"
      URIEncoding="UTF-8"/>
-->

Check the documentation of Apache Tomcat to know how to change the default SSL/TLS settings of the web container: to limit the ciphers, enable client authentication, etc.

4. When enabling TLS/SSL on the Tomcat, a user that can to connect to the host where the Denodo servers run, with the user account with which you launch the Denodo servers, will be able to see the password of the keystore, in the list of running processes. That is because by default, this password is passed as a parameter to the script that starts the web container.

   To avoid this (i.e. adding this password to the command line of Tomcat), follow these steps:

   1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties and uncomment the property com.denodo.security.management.jmxremote.ssl.config.file. Only uncomment the property, leave the default value as is (i.e. <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties).

   2. Change the privileges of the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties so it can only be read by the same user account that starts the Denodo servers.

      To do this, execute these commands:

      • On Linux, run the following from the user account that starts the Denodo servers:

      chmod 600 <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties
      

      • On Windows, right-click the icon Command Prompt of the Windows menu and click Run as administrator.

        Run the following commands (replace <denodo_user> with the user account with which the Denodo servers are started):

        cd <DENODO_HOME>\resources\apache-tomcat\conf\
        icacls jmxssl.properties /setowner <denodo_user>
        icacls jmxssl.properties /grant <denodo_user>:F
        icacls jmxssl.properties /inheritance:r
        

      If you do not change these privileges, the web container will not start.

5. Start the Denodo servers you use.

6. To check that https was enabled successfully, open the URL https://denodo-server.acme.com:9443/denodo-restfulws/admin (9443 is the default value of the property com.denodo.tomcat.https.port).

Enabling HTTPS on the Web Container but not in the Virtual DataPort Server

You can enable https on the web container without enabling TLS/SSL in the Virtual DataPort server. If you did not enable SSL/TLS on the Virtual DataPort server, comment the property com.denodo.security.ssl.enabled of the file tomcat.properties.

Additional Information about the TrustStore (cacerts file)

On the file tomcat.properties, we recommend leaving the properties com.denodo.security.ssl.trustStore and com.denodo.security.ssl.trustStorePassword commented. That way, the web container uses the default TrustStore of the installation (i.e. <DENODO_HOME>/jre/lib/security/cacerts).

It is possible to configure the Denodo web container to use a TrustStore that is not the default one. However, we do not recommend doing so because it makes the management of the Denodo servers harder because you have to maintain a new TrustStore file.

To use a different TrustStore, uncomment these properties:

• com.denodo.security.ssl.trustStore = Path to the TrustStore.

  For example, com.denodo.security.ssl.trustStore=c:/denodo/custom_cacerts

  Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

• com.denodo.security.ssl.trustStorePassword = Password of the TrustStore. The default password of a TrustStore is changeit.