Denodo SSL/TLS Configurator Script
The SSL/TLS configuration script automates the process of enabling SSL in all the modules of the Denodo Platform and the Solution Manager, including the web container (Apache Tomcat).
This script is located in <DENODO_HOME>/bin/denodo_tls_configurator and does the following:
Generates a keystore with the provided private key (only in some scenarios).
Imports the provided public certificates in the selected truststore.
Modifies all the relevant configuration files.
Performs other auxiliary actions, such as enabling the HTTPS connector and the use of an external SSL/TLS configuration file in the embedded Apache Tomcat.
Important
Execute this script with the same user account with which you will start the Denodo Platform servers. This is necessary because only the user account that starts the Denodo Platform can have read and write access to the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties; the script denodo_tls_configurator changes the permissions of this file so that it is only readable and writable by the user account that executes the script.
Note that there are some configuration steps that may be required even when using the SSL/TLS configuration script:
Obtaining and Installing an SSL/TLS Certificate: when using a PKCS12 keystore and a CER certificate with the script, you may need to check the following sub-sections:
There are four operation modes available, based on the performed action (enabling or disabling SSL/TLS) and the required input files:
Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all or most of the operation modes:
--denodo-home <path>: path to the target Denodo Platform or Denodo Solution Manager installation.

--components component_1,...,component_n: comma-separated list of Denodo components that will be configured (choose between license-manager, scheduler, scheduler-index, solution-manager, tomcat, vdp and vdp-admin). Note that not all the components will be available, depending on the type of target installation (Denodo Platform or Denodo Solution Manager). If --components is not set, all the available components will be configured (this is the recommended approach).

--keystore <path>: path to the PKCS12 keystore to be used by the selected Denodo components. If it does not exist, it will be generated (except when enabling SSL/TLS using a PKCS12 keystore and public certificates in CER format).

Note
This parameter is not required when configuring client applications only. This will happen if:
The --components option is set and its value contains vdp-admin and/or wgt only.
The --components option is not set and the target installation includes the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.

--truststore <path>: path to the truststore to be used by the selected Denodo components. This truststore must exist: the script will import all the required certificates into it. For instance, you can use <DENODO_HOME>/jre/lib/security/cacerts.

--credentials-file <path>: path to a properties file with encrypted values for keystore.password, truststore.password and/or pkcs12bundle.password, as required by the script's configuration. Encrypted values must be generated with the <DENODO_HOME>/bin/encrypt_password.bat/.sh script.
keystore.password=<encrypted_value>
truststore.password=<encrypted_value>
pkcs12bundle.password=<encrypted_value>

--license-manager-uses-tls={true|false}: this parameter is only useful for Denodo Platform installations and will be ignored if the target is a Denodo Solution Manager installation. It must be set to true when the target Denodo Platform installation is configured to connect to an SSL/TLS-enabled License Manager, or to false otherwise. See Configuring the Connection to the License Manager for details.

--override: this parameter overrides the previous keystore and truststore configuration, making a backup of the existing files, but only when the script modifies them. An example of a backup of the truststore could be <DENODO_HOME>/jre/lib/security/cacerts.back.20230815123456789.
Also, you can display the script's help by executing <DENODO_HOME>/bin/denodo_tls_configurator.bat/.sh without parameters.
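As an added pre-flight check (this is not part of Denodo's denodo_tls_configurator; the property names are the three documented above), the POSIX shell function below verifies that a credentials file carries every property the chosen operation mode needs, with a non-empty value, and that the file is not readable by group or other accounts, since it holds the keystore and truststore passwords. The sample files it builds are constructed for the demonstration: their values are placeholders, not output of encrypt_password.sh, and the check does not decrypt or validate them.

```shell
#!/bin/sh
# Added example, not part of Denodo's denodo_tls_configurator: a pre-flight check
# for the properties file passed as --credentials-file. The property names are the
# three documented for the script (keystore.password, truststore.password,
# pkcs12bundle.password); which of them a run needs depends on the operation mode,
# so the caller lists them. The values are not decrypted or validated here.

# Usage: check_credentials_file <path> <property> [<property> ...]
# Returns 0 when the file exists, is private to its owner and every listed
# property is present with a non-empty value; otherwise prints each problem
# to stderr and returns 1.
check_credentials_file() {
    creds="$1"; shift
    status=0
    if [ ! -f "$creds" ]; then
        echo "ERROR: credentials file not found: $creds" >&2
        return 1
    fi
    # Group/other permission bits are characters 5-10 of the ls -l mode string;
    # anything but '------' means another account could read the passwords.
    case "$(ls -ld "$creds" | cut -c5-10)" in
        ------) ;;
        *) echo "ERROR: $creds is readable or writable by group/other accounts; use chmod 600" >&2
           status=1 ;;
    esac
    for key in "$@"; do
        # Escape the dots so 'keystore.password' does not also match 'keystoreXpassword'.
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
        value=$(grep "^${pattern}=" "$creds" | head -n 1 | cut -d= -f2-)
        if [ -z "$value" ]; then
            echo "ERROR: property '$key' is missing or empty in $creds" >&2
            status=1
        fi
    done
    return $status
}

# Writes constructed sample credentials files into a temporary directory and
# prints its path. The values are placeholders, not real encrypt_password output.
make_credentials_samples() {
    d=$(mktemp -d)
    # Complete file, as a PKCS #12 bundle run would need, private to the owner.
    printf '%s\n' 'keystore.password=constructed_encrypted_value_1' \
                  'truststore.password=constructed_encrypted_value_2' \
                  'pkcs12bundle.password=constructed_encrypted_value_3' > "$d/good.properties"
    chmod 600 "$d/good.properties"
    # pkcs12bundle.password absent and truststore.password left empty.
    printf '%s\n' 'keystore.password=constructed_encrypted_value_1' \
                  'truststore.password=' > "$d/incomplete.properties"
    chmod 600 "$d/incomplete.properties"
    # Complete, but left world-readable by a permissive umask.
    cp "$d/good.properties" "$d/world.properties"
    chmod 644 "$d/world.properties"
    echo "$d"
}

# Stand-alone demonstration on the constructed samples.
samples=$(make_credentials_samples)
check_credentials_file "$samples/good.properties" keystore.password truststore.password pkcs12bundle.password \
    && echo "good.properties: OK for the PKCS #12 bundle mode"
check_credentials_file "$samples/incomplete.properties" keystore.password truststore.password pkcs12bundle.password \
    || echo "incomplete.properties: rejected, as expected"
check_credentials_file "$samples/world.properties" keystore.password truststore.password \
    || echo "world.properties: rejected, as expected"
```

For the PKCS12-keystore and PEM modes only keystore.password and truststore.password are listed; pkcs12bundle.password is added for the PKCS #12 bundle mode, which is the only one that reads it.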
Enable SSL/TLS Using a PKCS12 Keystore and Public Certificates in CER Format
This mode is especially suited to reusing the keystore and certificates of a previous Denodo Platform 7.0 / Denodo Solution Manager 7.0 installation. Obtaining and Installing an SSL/TLS Certificate explains how to obtain the PKCS12 and CER files required by this operation mode (either self-signed or by sending a request to a Certificate Authority).
denodo_tls_configurator
--keystore <path>
--cert-cer-file <path>
[ --cert-chain-cer-file <path> ]
--truststore <path>
[ --override ]
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--credentials-file <path>
--denodo-home <path>
--keystore <path>: note that in this operation mode, the configured keystore must exist and be in PKCS12 format.

Note
This parameter is not required when configuring the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.

--cert-cer-file <path>: path to a CER file with a certificate that will be imported into the selected truststore. This X.509 certificate must be associated with the private key found in the provided PKCS12 keystore.

--cert-chain-cer-file <path>: path to an optional CER chain file. The chain of certificates will be imported into the selected truststore.
Enable SSL/TLS Using a PKCS #12 Bundle
You can use a PKCS #12 bundle as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.
PKCS #12 files may contain different cryptography objects. The PKCS #12 file used to configure a Denodo Platform / Denodo Solution Manager installation must include a private key with its X.509 certificate and all the members of the certificate’s chain of trust (if required).
denodo_tls_configurator
--pkcs12-file <path>
--keystore <path>
--truststore <path>
[ --override ]
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--credentials-file <path>
--denodo-home <path>
--pkcs12-file <path>: path to a PKCS #12 bundle file (with .p12 or .pfx extension). Its contents will be used for initializing a keystore in the selected path and importing the required public certificates into the selected truststore. The provided PKCS #12 bundle must contain all the required private and public keys. The file's password must be provided as the value of the pkcs12bundle.password property in the configured credentials file.
Enable SSL/TLS Using PEM-Encoded Key and Certificates
You can use PEM-encoded files as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.
denodo_tls_configurator
--keystore <path>
--key-pem-file <path>
--cert-pem-file <path>
[ --cert-chain-pem-files <path_1>,...,<path_n> ]
--truststore <path>
[ --override ]
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--credentials-file <path>
--denodo-home <path>
--key-pem-file <path>: path to a file with a PEM-encoded, unencrypted RSA private key that will be used to initialize a keystore in the selected keystore path.
-----BEGIN RSA PRIVATE KEY-----
MIIE1111AKCAQEAzkMYu2hUwJabbbQRVkxnZJ0dddd8SWUJVJxkj+iGJWwXZU7Z
[...]
k9mAGNOsS3kgoBnlvERsbpFggggIQ+cWKWW7777O03srpd2vF09876==
-----END RSA PRIVATE KEY-----

--cert-pem-file <path>: path to a file with a PEM-encoded public X.509 certificate that will be imported into the selected truststore. This certificate must be associated with the provided private key.
-----BEGIN CERTIFICATE-----
MIIFUjCCA1234567AgICEAEwDQY1234567cNAQELBQAwaj55555GA1UEBhhhhhhh
[...]
aaaFYgEPIE3bbbNV5114XccccyX4Rw==
-----END CERTIFICATE-----

--cert-chain-pem-files <path_1>,...,<path_n>: optional list of paths to PEM-encoded files with a public certificate chain that will be imported into the selected truststore. These files can contain individual certificates of the chain or a concatenation of certificates.
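The PEM mode expects an unencrypted RSA private key, one certificate and optional chain files that may hold a single certificate or a concatenation. As an added example (not code from Denodo), the POSIX shell functions below check the PEM framing of those three inputs before the configurator is run: they reject encrypted keys (a Proc-Type: 4,ENCRYPTED header or a BEGIN ENCRYPTED PRIVATE KEY block), count the CERTIFICATE blocks in each chain file, and catch truncated files whose BEGIN line has no END. They inspect the PEM armour only, not the keys or certificates themselves; the sample files are constructed with dummy bodies, and the assumption that only the documented 'RSA PRIVATE KEY' form is accepted is the example's, not something the page states.

```shell
#!/bin/sh
# Added example, not part of Denodo's denodo_tls_configurator: framing checks for
# the inputs of the PEM mode (--key-pem-file, --cert-pem-file,
# --cert-chain-pem-files). Only the PEM armour is inspected; nothing here parses
# or cryptographically validates the key or the certificates.

# Returns 0 if FILE holds a PEM 'RSA PRIVATE KEY' block without encryption
# headers, which is the form documented for the configurator; returns 1 with a
# message otherwise. Whether PKCS #8 'PRIVATE KEY' blocks are also accepted is
# not documented, so this check stays strict (an assumption of the example).
check_key_pem() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "ERROR: key file not found: $f" >&2
        return 1
    fi
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$f" || grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "ERROR: $f is an encrypted private key; the configurator needs an unencrypted key" >&2
        return 1
    fi
    if ! grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$f"; then
        echo "ERROR: $f does not contain a PEM 'RSA PRIVATE KEY' block" >&2
        return 1
    fi
    if ! grep -q '^-----END RSA PRIVATE KEY-----$' "$f"; then
        echo "ERROR: $f has no matching END line (truncated copy?)" >&2
        return 1
    fi
    return 0
}

# Prints the number of CERTIFICATE blocks in FILE (0 if none); chain files may
# legitimately hold several concatenated certificates.
count_certs_pem() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Returns 0 if FILE contains at least one CERTIFICATE block and every BEGIN line
# has a matching END line; returns 1 with a message otherwise.
check_cert_pem() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "ERROR: certificate file not found: $f" >&2
        return 1
    fi
    begins=$(count_certs_pem "$f")
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        echo "ERROR: $f contains no PEM CERTIFICATE block" >&2
        return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "ERROR: $f has $begins BEGIN but $ends END lines (truncated or badly concatenated)" >&2
        return 1
    fi
    return 0
}

# Checks the three inputs of the PEM mode. CHAINS is the comma-separated list
# given to --cert-chain-pem-files and may be empty. Returns 0 only if all pass.
check_pem_inputs() {
    key="$1"; cert="$2"; chains="$3"
    ok=0
    check_key_pem "$key" || ok=1
    check_cert_pem "$cert" || ok=1
    rest="$chains"
    while [ -n "$rest" ]; do
        # Split on commas with parameter expansion, so IFS is left untouched.
        case "$rest" in
            *,*) c="${rest%%,*}"; rest="${rest#*,}" ;;
            *)   c="$rest"; rest="" ;;
        esac
        check_cert_pem "$c" || ok=1
    done
    return $ok
}

# Writes constructed sample files (PEM armour around dummy base64 bodies, not
# real keys or certificates) into a temporary directory and prints its path.
make_pem_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedDummyKeyBodyNotARealKey==' \
                  '-----END RSA PRIVATE KEY-----' > "$d/key.pem"
    # Passphrase-protected PKCS #1 key, as 'openssl rsa' writes it with -aes256.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
                  'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
                  'constructedEncryptedBody==' '-----END RSA PRIVATE KEY-----' > "$d/key-encrypted.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIFconstructedDummyLeafCert==' \
                  '-----END CERTIFICATE-----' > "$d/cert.pem"
    # Chain file holding two concatenated certificates (intermediate + root).
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedIntermediate==' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'constructedRoot==' '-----END CERTIFICATE-----' > "$d/chain.pem"
    # Truncated file: BEGIN without END, as left by a partial copy/paste.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedTruncated' > "$d/truncated.pem"
    echo "$d"
}

# Stand-alone demonstration on the constructed samples.
samples=$(make_pem_samples)
check_pem_inputs "$samples/key.pem" "$samples/cert.pem" "$samples/chain.pem" \
    && echo "PEM inputs look well-formed"
check_pem_inputs "$samples/key-encrypted.pem" "$samples/cert.pem" "$samples/truncated.pem" \
    || echo "problems found, as expected for the bad samples"
```

A passing result only means the files are framed the way the configurator expects; whether the certificate really belongs to the key is something the page leaves to the configurator itself.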
Disable SSL/TLS
You can disable SSL/TLS in the target Denodo Platform or Denodo Solution Manager installation by using this syntax:
denodo_tls_configurator
[ --license-manager-uses-tls={true|false} ]
[ --components component_1,...,component_n ]
--disable-tls
--denodo-home <path>