Enabling SSL in Denodo Platform Servers

Follow these steps to secure with SSL the incoming connections to the servers of a Denodo Platform installation.

By doing this, the communications between the Denodo servers and their administration tools, and between the Denodo servers and their clients (JDBC and ODBC applications), will be encrypted.

  1. Open the configuration files of the servers whose connections have to be secured:

    • Aracne server: <DENODO_HOME>/conf/arn/ConfigurationParameters.properties
    • Aracne Index server: <DENODO_HOME>/conf/arn-index/ConfigurationParameters.properties
    • ITPilot Browser Pool: <DENODO_HOME>/conf/iebrowser/IEBrowserConfiguration.properties
    • ITPilot Verification server: <DENODO_HOME>/conf/maintenance/ConfigurationParameters.properties
    • Scheduler server: <DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties
    • Virtual DataPort server: <DENODO_HOME>/conf/vdp/VDBConfiguration.properties
    • Embedded web container (Apache Tomcat): <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties
  2. In all the files opened in the previous step, uncomment the following properties and change their values:

    • com.denodo.security.ssl.enabled = true

    • com.denodo.security.ssl.keyStore = Path to the KeyStore that contains the certificate of the Denodo Platform servers.

      E.g. C:/denodo/denodo_server_key_store.jks

      Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

    • com.denodo.security.ssl.keyStorePassword = Password of the KeyStore containing the certificate of the Denodo Platform servers.

      If the certificate is not signed by a trusted authority (i.e. one that is not registered in the JRE’s TrustStore), you have to store the certificate of the authority that signed the certificate. If, instead of importing it into the <DENODO_HOME>/jre/lib/security/cacerts TrustStore, you have created a new TrustStore, uncomment the property com.denodo.security.ssl.trustStore and set it to the path of the new TrustStore.

      All the Denodo servers might need the TrustStore because some of them act both as clients and as servers. E.g., Virtual DataPort server receives connections from its Administration Tool, but also establishes connections with the Aracne server.

    • Although you can configure the Denodo servers to use a TrustStore that is not the default one (the default TrustStore is at <DENODO_HOME>/jre/lib/security/cacerts), we do not recommend it. The reason is that it makes the management of the Denodo servers harder because you have to maintain a new TrustStore file.

      To use a different TrustStore, uncomment these properties:

      • com.denodo.security.ssl.trustStore = Path to the TrustStore.

        For example, com.denodo.security.ssl.trustStore=<DENODO_HOME>/jre/lib/security/cacerts

        Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

      • com.denodo.security.ssl.trustStorePassword = Password of the TrustStore. The default password of the TrustStore (<DENODO_HOME>/jre/lib/security/cacerts) is changeit.

  3. To apply these changes, stop all the Denodo Platform servers and once they are all stopped, start them again.

    It is important to stop them all so the Denodo web container is stopped as well. If, for example, you leave the Information Self-Service started, the web container will not shut down and the changes in the file tomcat.properties will not take effect.
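
One way to check the edited files before the restart in step 3, as an added example that is not part of the Denodo documentation or tooling: this Python script parses the text of a properties file and reports step 2 settings that are still commented out, empty, written with backslashes, or missing the TrustStore password. The sample file content and the names parse_properties and check_ssl_settings are constructed for illustration.

```python
import re

PREFIX = "com.denodo.security.ssl."
REQUIRED = ("enabled", "keyStore", "keyStorePassword")

# Constructed sample (not a real Denodo file): SSL flag still commented out,
# Windows-style backslashes in the KeyStore path, TrustStore without password.
SAMPLE_BAD = r"""
#com.denodo.security.ssl.enabled=true
com.denodo.security.ssl.keyStore=C:\denodo\denodo_server_key_store.jks
com.denodo.security.ssl.keyStorePassword=example-password
com.denodo.security.ssl.trustStore=C:/denodo/custom_trust_store.jks
"""

def parse_properties(text):
    """Return {key: value} for the active (uncommented) lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_ssl_settings(text):
    """Return a list of findings; an empty list means step 2 looks complete."""
    props = parse_properties(text)
    findings = []
    for name in REQUIRED:
        if not props.get(PREFIX + name):
            findings.append(f"{PREFIX}{name} is commented out or empty")
    enabled = props.get(PREFIX + "enabled")
    if enabled and enabled != "true":
        findings.append(f"{PREFIX}enabled is '{enabled}', expected true")
    for name in ("keyStore", "trustStore"):
        if "\\" in props.get(PREFIX + name, ""):
            findings.append(f"{PREFIX}{name} uses a backslash; use / as separator")
    if props.get(PREFIX + "trustStore") and not props.get(PREFIX + "trustStorePassword"):
        findings.append(f"{PREFIX}trustStore is set without trustStorePassword")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_settings(SAMPLE_BAD):
        print("FINDING:", finding)
```

To use it on a real installation, read each file listed in step 1 and pass its text to check_ssl_settings.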

Note

The changes to the file tomcat.properties enable SSL in the communication between the web container and the Virtual DataPort server. To enable HTTPS on the web container, read the following section.