Denodo SSL/TLS Configurator Script
The SSL/TLS configuration script automates the process of enabling SSL in all the modules of the Denodo Platform and the Solution Manager, including the web container (Apache Tomcat).
This script is located in <DENODO_HOME>/bin/denodo_tls_configurator and it does the following:
Generates a keystore with the provided private key (only in some scenarios).
Imports the provided public certificates in the selected truststore.
Modifies all the relevant configuration files.
Performs other auxiliary actions, such as enabling the HTTPS connector and the use of an external SSL/TLS configuration file in the embedded Apache Tomcat.
Important
Execute this script with the same user account with which you will start the Denodo Platform servers.
This is necessary because only the user account that starts the Denodo Platform can have read and write access to the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties; the script denodo_tls_configurator changes the permissions of this file so it is only readable and writeable by the user account that executes this script.
Note that there are some configuration steps that may be required even when using the SSL/TLS configuration script:
Obtaining and Installing an SSL/TLS Certificate: when using a JKS keystore and a CER certificate with the script, you may need to check the following sub-sections:
There are four operation modes available, based on the performed action (enabling or disabling SSL/TLS) and the required input files:
Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all or most of the operation modes:
--denodo-home <path>: path to the target Denodo Platform or Denodo Solution Manager installation.
--components component_1,...,component_n: comma-separated list of Denodo components that will be configured (choose between browserpool, license-manager, scheduler, scheduler-index, solution-manager, tomcat, vdp, vdp-admin, verification and wgt). Note that not all the components will be available, depending on the type of target installation (Denodo Platform or Denodo Solution Manager). If --components is not set, all the available components will be configured (this is the recommended approach).
--keystore <path>: path to the JKS keystore to be used by the selected Denodo components. If it does not exist, it will be generated (except when enabling SSL/TLS using a JKS keystore and public certificates in CER format).
Note
This parameter is not required when configuring client applications only. This will happen if:
The --components option is set and its value contains vdp-admin and/or wgt only.
The --components option is not set and the target installation includes the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.
--truststore <path>: path to the truststore to be used by the selected Denodo components. This truststore must exist: the script will import all the required certificates into it. For instance, you can use <DENODO_HOME>/jre/lib/security/cacerts.
--credentials-file <path>: path to a properties file with encrypted values for keystore.password, truststore.password and/or pkcs12bundle.password, as required by the script's configuration. Encrypted values must be generated with the <DENODO_HOME>/bin/encrypt_password.bat/.sh script.
Credentials file sample
keystore.password=<encrypted_value>
truststore.password=<encrypted_value>
pkcs12bundle.password=<encrypted_value>
--license-manager-uses-tls={true|false}: this parameter is only useful for Denodo Platform installations and will be ignored if the target is a Denodo Solution Manager installation. It must be set to true when the target Denodo Platform installation is configured to connect to an SSL/TLS-enabled License Manager, or to false otherwise. See Configuring the Connection to the License Manager for details.
Also, you can display the script's help by executing <DENODO_HOME>/bin/denodo_tls_configurator.bat/.sh without parameters.
Enable SSL/TLS Using a JKS Keystore and Public Certificates in CER Format
This mode is especially suited for reusing the keystore and certificates of a previous Denodo Platform 7.0 / Denodo Solution Manager 7.0 installation. Also, in Obtaining and Installing an SSL/TLS Certificate you can find how to obtain the JKS and CER files required by this operation mode (either self-signed or by sending a request to a Certificate Authority).
Important
You must use JKS keystores: PKCS12 keystores are not supported.
denodo_tls_configurator
--keystore <path>
--cert-cer-file <path>
[ --cert-chain-cer-file <path> ]
--truststore <path>
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--credentials-file <path>
--denodo-home <path>
--keystore <path>: note that in this operation mode, the configured keystore must exist and be in JKS format.
Note
This parameter is not required when configuring the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.
--cert-cer-file <path>: path to a CER file with a certificate that will be imported into the selected truststore. This X.509 certificate must be associated with the private key found in the provided JKS keystore.
--cert-chain-cer-file <path>: path to an optional CER chain file. The chain of certificates will be imported into the selected truststore.
Enable SSL/TLS Using a PKCS #12 Bundle
You can use a PKCS #12 bundle as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.
PKCS #12 files may contain different cryptographic objects. The PKCS #12 file used to configure a Denodo Platform / Denodo Solution Manager installation must include a private key with its X.509 certificate and all the members of the certificate's chain of trust (if required).
denodo_tls_configurator
--pkcs12-file <path>
--keystore <path>
--truststore <path>
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--credentials-file <path>
--denodo-home <path>
--pkcs12-file <path>: path to a PKCS #12 bundle file (with .p12 or .pfx extension). Its contents will be used for initializing a keystore in the selected path and importing the required public certificates into the selected truststore. The provided PKCS #12 bundle must contain all the required private and public keys. The file's password must be provided as the value of the pkcs12bundle.password property in the configured credentials file.
Enable SSL/TLS Using PEM-Encoded Key and Certificates
You can use PEM-encoded files as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.
denodo_tls_configurator
--keystore <path>
--key-pem-file <path>
--cert-pem-file <path>
[ --cert-chain-pem-files <path_1>,...,<path_n> ]
--truststore <path>
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--credentials-file <path>
--denodo-home <path>
--key-pem-file <path>: path to a file with a PEM-encoded, unencrypted RSA private key that will be used to initialize a keystore in the selected keystore path.
PEM-encoded, unencrypted private key
-----BEGIN RSA PRIVATE KEY-----
MIIE1111AKCAQEAzkMYu2hUwJabbbQRVkxnZJ0dddd8SWUJVJxkj+iGJWwXZU7Z
[...]
k9mAGNOsS3kgoBnlvERsbpFggggIQ+cWKWW7777O03srpd2vF09876==
-----END RSA PRIVATE KEY-----
--cert-pem-file <path>: path to a file with a PEM-encoded public X.509 certificate that will be imported into the selected truststore. This certificate must be associated with the provided private key.
PEM-encoded public certificate
-----BEGIN CERTIFICATE-----
MIIFUjCCA1234567AgICEAEwDQY1234567cNAQELBQAwaj55555GA1UEBhhhhhhh
[...]
aaaFYgEPIE3bbbNV5114XccccyX4Rw==
-----END CERTIFICATE-----
--cert-chain-pem-files <path_1>,...,<path_n>: optional list of paths to PEM-encoded files with a public certificate chain that will be imported into the selected truststore. These files can contain individual certificates of the chain or a concatenation of certificates.
Disable SSL/TLS
You can disable SSL/TLS in the target Denodo Platform or Denodo Solution Manager installation by using this syntax:
denodo_tls_configurator
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--disable-tls
--denodo-home <path>