Enable SSL/TLS in the Denodo Platform

This section explains how to secure with SSL (TLS) the connections between the Denodo Platform servers, their administration tools and their clients.

Although in this document we will refer to SSL, you are actually enabling the encryption protocol TLS (Transport Layer Security), which is the successor of SSL.

SSL requires configuring certificate repositories. There are two types of certificate repositories:

  • KeyStore

  • TrustStore


An application that listens to incoming SSL connections needs a public key and a private key in order to allow clients to access the server. In Java, these keys are stored in a repository called KeyStore.


During the initialization of an SSL connection, the server sends its SSL certificate to the client. The client must then decide if it trusts this or not. To do this, the client checks if the certificate has been signed by a trusted certification authority (CA). The TrustStore is a repository of the certificates of trusted certification authorities.

Every Java installation comes with a TrustStore that the JRE uses by default (<DENODO_HOME>/jre/lib/security/cacerts file). If the server’s certificate is not signed by a trusted authority (i.e. one that is not registered in the Java’s TrustStore), you have to store the certificate of the authority, which has to be stored in the cacerts file of the Java Runtime Environment (JRE) used to launch the Denodo Platform servers and their tools (<DENODO_HOME>/jre/lib/security/cacerts).

The Java Runtime Environment (JRE) included with the Denodo Platform has a utility called keytool that manages the Certificate Repositories.

Denodo Platform also includes a script that can automate most of the configuration required for enabling SSL/TLS. The section Denodo SSL/TLS Configurator Script explains how to use it.

The following sections explain how to configure SSL/TLS across Denodo Platform and its external clients:

SSL/TLS Versions Supported by the Denodo Platform Servers

When SSL (TLS) is enabled on the Denodo servers, the version of TLS used depends on the configuration on the components involved in the communication. Although for clarity purposes we refer to this as SSL, SSL is not actually used, only TLS.

The Denodo Platform supports the following encryption protocols for the traffic between Denodo servers and other components: TLSv1.3, TLSv1.2 and TLSv1.1.

Add feedback