Denodo SSL/TLS Configurator Script¶

The SSL/TLS configuration script automates the process of enabling SSL in all the modules of the Denodo Platform and the Solution Manager, including the web container (Apache Tomcat).

This script is located in <DENODO_HOME>/bin/denodo_tls_configurator and it does this:

Generates a keystore with the provided private key (only in some scenarios).
Imports the provided public certificates in the selected truststore.
Modifies all the relevant configuration files.
Performs other auxiliary actions, such as enabling the HTTPS connector and the use of an external SSL/TLS configuration file in the embedded Apache Tomcat.

Important

Execute this script with the same user account with which you will start the Denodo Platform servers.

This is necessary because only the user account that starts the Denodo Platform can have read and write access to the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties; the script denodo_tls_configurator changes the permissions of this file so it is only readable and writeable by the user account that executes this script.

Note that there are some configuration steps that may be required even when using the SSL/TLS configuration script:

Obtaining and Installing an SSL/TLS Certificate: when using a JKS keystore and a CER certificate with the script, you may need to check the following sub-sections:
- Create a Keystore with a Self-Signed Certificate
- Send a Certificate Request to a Certificate Authority (CA) and Create a Keystore with the Reply
Enabling SSL/TLS for External Clients

There are four operation modes available, based on the performed action (enabling or disabling SSL/TLS) and the required input files:

Enable SSL/TLS Using a JKS Keystore and Public Certificates in CER Format
Enable SSL/TLS Using a PKCS #12 Bundle
Enable SSL/TLS Using PEM-Encoded Key and Certificates
Disable SSL/TLS

Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all or most of the operation modes:

--denodo-home <path>: path to the target Denodo Platform or Denodo Solution Manager installation.
--components component_1,...,component_n: comma-separated list of Denodo components that will be configured (choose between browserpool, license-manager, scheduler, scheduler-index, solution-manager, tomcat, vdp, vdp-admin, verification and wgt). Note that not all the components will be available, depending on the type of target installation (Denodo Platform or Denodo Solution Manager). If --components is not set, all the available components will be configured (this is the recommended approach).
--keystore <path>: path to the JKS keystore to be used by the selected Denodo components. If it does not exist, it will be generated (except when enabling SSL/TLS using a JKS keystore and public certificates in CER format).
Note

This parameter is not required when configuring client applications only. This will happen if:
- The --components option’s value is set and its value contains vdp-admin and/or wgt only.
- The --components option’s value is not set and the target installation includes the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.
--truststore <path>: path to the truststore to be used by the selected Denodo components. This truststore must exist: the script will import all the required certificates into it. For instance, you can use <DENODO_HOME>/jre/lib/security/cacerts.
--credentials-file <path>: Path to a properties file with encrypted values for keystore.password, truststore.password and/or pkcs12bundle.password, as required by the script’s configuration. Encrypted values must be generated with the <DENODO_HOME>/bin/encrypt_password.bat/.sh script.
Credentials file sample¶
```
keystore.password=<encrypted_value>
truststore.password=<encrypted_value>
pkcs12bundle.password=<encrypted_value>
```
--license-manager-uses-tls={true|false}: this parameter is only useful for Denodo Platform installations and will be ignored if the target is a Denodo Solution Manager installation. It must be set to true when the target Denodo Platform installation is configured to connect to a SSL/TLS-enabled License Manager, or to false otherwise. See Configuring the Connection to the License Manager for details.
--override: this parameter overrides previous keystore and truststore configuration, making a backup of the existing files, but only when the script modifies them. An example of a backup of the truststore could be <DENODO_HOME>/jre/lib/security/cacerts.back.20230815123456789.

Also, you can display the script’s help by executing <DENODO_HOME>/bin/denodo_tls_configurator.bat/.sh without parameters.

Enable SSL/TLS Using a JKS Keystore and Public Certificates in CER Format¶

This mode is specially suited for reusing the keystore and certificates of a previous Denodo Platform 7.0 / Denodo Solution Manager 7.0 installation. Also, in Obtaining and Installing an SSL/TLS Certificate you can find how to obtain the JKS and CER files required by this operation mode (either self-signed or by sending a request to a Certificate Authority).

Important

You must use JKS keystores: PKCS12 keystores are not supported.

Syntax for enabling SSL/TLS using a JKS keystore and public certificates in CER format¶

denodo_tls_configurator
    --keystore <path>
    --cert-cer-file <path>
    [ --cert-chain-cer-file <path> ]
    --truststore <path>
    [ --override ]
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

--keystore <path>: note that in this operation mode, the configured keystore must exist and be in JKS format.

Note

This parameter is not required when configuring the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.
--cert-cer-file <path>: path to a CER file with a certificate that will be imported into the selected truststore. This X.509 certificate must be associated to the private key found in the provided JKS keystore.
--cert-chain-cer-file <path>: path to an optional CER chain file. The chain of certificates will be imported into the selected truststore.

Enable SSL/TLS Using a PKCS #12 Bundle¶

You can use a PKCS #12 bundle as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.

PKCS #12 files may contain different cryptography objects. The PKCS #12 file used to configure a Denodo Platform / Denodo Solution Manager installation must include a private key with its X.509 certificate and all the members of the certificate’s chain of trust (if required).

Syntax for enabling SSL/TLS using a PKCS #12 bundle¶

denodo_tls_configurator
    --pkcs12-file <path>
    --keystore <path>
    --truststore <path>
    [ --override ]
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

--pkcs12-file <path>: path to a PKCS #12 bundle file (with .p12 or .pfx extension). Its contents will be used for initializing a keystore in the selected path and importing the required public certificates in the selected truststore. The provided PKCS #12 bundle must contain all the required private and public keys. The file’s password must be provided as the value of the pkcs12bundle.password property in the configured credentials file.

Enable SSL/TLS Using PEM-Encoded Key and Certificates¶

You can use PEM-encoded files as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.

Syntax for enabling SSL/TLS using PEM-encoded key and certificates¶

denodo_tls_configurator
    --keystore <path>
    --key-pem-file <path>
    --cert-pem-file <path>
    [ --cert-chain-pem-files <path_1>,...,<path_n> ]
    --truststore <path>
    [ --override ]
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

--key-pem-file <path>: path to a file with a PEM-encoded, unencrypted RSA private key that will be used to initialize a keystore in the selected keystore path.
PEM-encoded, unencrypted private key¶
```
-----BEGIN RSA PRIVATE KEY-----
MIIE1111AKCAQEAzkMYu2hUwJabbbQRVkxnZJ0dddd8SWUJVJxkj+iGJWwXZU7Z
[...]
k9mAGNOsS3kgoBnlvERsbpFggggIQ+cWKWW7777O03srpd2vF09876==
-----END RSA PRIVATE KEY-----
```
--cert-pem-file <path>: path to a file with a PEM-encoded public X.509 certificate that will be imported into the selected truststore. This certificate must be associated to the provided private key.
PEM-encoded public certificate¶
```
-----BEGIN CERTIFICATE-----
MIIFUjCCA1234567AgICEAEwDQY1234567cNAQELBQAwaj55555GA1UEBhhhhhhh
[...]
aaaFYgEPIE3bbbNV5114XccccyX4Rw==
-----END CERTIFICATE-----
```
--cert-chain-pem-files <path_1>,...,<path_n>: optional list of paths to PEM-encoded files with a public certificate chain that will be imported into the selected truststore. These files can contain individual certificates of the chain or a concatenation of certificates.

Disable SSL/TLS¶

You can disable SSL/TLS in the target Denodo Platform or Denodo Solution Manager installation by using this syntax:

Syntax for disabling SSL/TLS¶

denodo_tls_configurator
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --disable-tls
    --denodo-home <path>

USER MANUALS

Denodo SSL/TLS Configurator Script¶

Enable SSL/TLS Using a JKS Keystore and Public Certificates in CER Format¶

Enable SSL/TLS Using a PKCS #12 Bundle¶

Enable SSL/TLS Using PEM-Encoded Key and Certificates¶

Disable SSL/TLS¶