The Denodo Embedded MPP is shipped with a Java Keystore, presto/secrets/presto.jks, that contains a self-signed certificate, certs/certificate.crt, which is distributed for testing purposes ONLY.

This self-signed certificate accepts presto-denodo as the hostname of the Denodo Embedded MPP. Therefore, you will have to add an entry in the hosts file where the Denodo server is running, with presto-denodo and the EXTERNAL-IP of the Presto service after executing kubectl get svc.

How to get MPP External IP
kubectl get svc
NAME                TYPE            CLUSTER-IP      EXTERNAL-IP
hive-metastore      ClusterIP       172.20.x.x      <none>
postgresql          CLusterIP       172.20.x.x      <none>
presto              LoadBalancer    172.20.x.x      xx.xx.xx.xx
hosts file
xx.xx.xx.xx    presto-denodo

We strongly recommended using a certificate issued by a certificate authority (CA) or a private authority in production, instead of the actual one from the Java Keystore: presto/secrets/presto.jks. See how to create a Keystore in Send a Certificate Request to a Certificate Authority (CA) and Create a Keystore with the Reply.

Make sure your new certificate has a single element in the SubjectAlternativeName (SAN) field, as shown below:

SubjectAlternativeName [
    DNSName: *

If you create a new Java Keystore, place it in presto/secrets. The default file name is presto.jks and its default password is sslpassphrase, but if you want to change them you have to edit the following properties in the presto/conf/ file:


Finally, take into account that if the certificate used by the Denodo Embedded MPP is signed by a private authority, or it is self-signed, you have to import this certificate into the truststore of the Denodo servers:

<DENODO_HOME>/jre/bin/keytool -importcert -alias denodo-mpp \
    -file <DENODO_MPP_HOME>/certs/certificate.crt \
    -cacerts -storepass "changeit" -noprompt
Add feedback