USER MANUALS

Enabling HTTPS in the Embedded Apache Tomcat

Important

In Linux, only processes that are started by the root user can listen to connections on ports below 1024.

To overcome this limitation, you can use iptables to redirect the incoming traffic from port 443 (default HTTPS port) to 9443, and from 80 (default HTTP port) to 9090. Alternatively, you can start the Denodo Platform servers with the root account.

Take this into account when changing the default ports of the embedded Apache Tomcat.

Note

Consider checking the Denodo SSL/TLS Configurator Script before following the steps detailed in this section. The script can perform these steps for you.

The Denodo Platform embeds the Apache Tomcat web container to host its web applications and web services. The communications between clients and the web applications running in the Apache Tomcat embedded in the Denodo Platform can be secured with HTTPS. The applications running in this web container are:

  • Scheduler Administration Tool

  • Web Services published using Virtual DataPort

  • Data Catalog

  • Diagnostic & Monitoring Tool

To enable HTTPS, do the following:

  1. Stop all the Denodo servers of this installation. The goal is to stop the web container of Denodo. It is important to stop them all so the Denodo web container is stopped as well. If for example, you leave the Data Catalog started, the web container will not shut down and the changes in the file tomcat.properties will not take effect even if you restart the other components of Denodo.

  2. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties.

    Uncomment the following properties and set their value:

com.denodo.tomcat.http.port

Port listening to HTTP - not HTTPS - connections. Check that this port is available in this host.

To disable HTTP and only allow HTTPS, comment this property.

To allow HTTP and HTTPS, leave this property uncommented.

If you want users to access the HTTP interface - not HTTPS - without having to put the port in the URL, set this 80 instead of 9090. That way, the user will be able to access the web container interface with a URL like http://denodo-server.acme.com/denodo-restfulws instead of http://denodo-server.acme.com:9090/denodo-restfulws.

See the note below this table.

com.denodo.tomcat.https.port

Port listening to HTTPS connections. Check that this port is free in this host.

If you want users to access the HTTPs interface without having to put the port in the URL, set this to 443 instead of 9443. That way, the user will be able to access the HTTPs interface with a URL like https://denodo-server.acme.com/denodo-restfulws instead of https://denodo-server.acme.com:9443/denodo-restfulws.

See the note below this table.

com.denodo.security.ssl.enabled

Set to true

com.denodo.security.ssl.keyStore

Path to the KeyStore file that contains the private key for the Denodo Platform servers.

For example, com.denodo.security.ssl.keyStore= C:/denodo/denodo_server_key_store.p12

Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

com.denodo.security.ssl. keyStorePassword.secret

Password of the KeyStore that contains the private key for the Denodo Platform servers (this file is always password protected).

This property can store this password in plain text or encrypted. We recommend encrypting it. To encrypt it, execute {<DENODO_HOME>}/bin/encrypt_password. You will have to enter the password of the keystore. Then, copy the output of this tool to this property preceded by the prefix encrypted:.

com.denodo.security.ssl.trustStore

com.denodo.security.ssl. trustStorePassword.secret

Leave these properties commented.

com.denodo.rmi.connection.tlsProtocol

Add this property and set it to TLSv1.1, TLSv1.2, TLSv1.3… in case you require using a specific version of the TLS protocol for the communications between the applications running under Tomcat and the VDP Server. Note that the available versions of the protocol may be affected by the JVM’s own configuration.

Important

It is mandatory to enable the use of an external SSL/TLS configuration file when setting an encrypted value for com.denodo.security.ssl.keyStorePassword.secret or com.denodo.security.ssl.trustStorePassword.secret. See step #5 for details.

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/server.xml

    1. Uncomment the SSL connector. I.e. Search the “Connector” element that contains SSLEnabled="true" and remove the <-- and --> characters that surround it.

    2. To disable the access through HTTP and only allow HTTPs connections, comment the “Connector” element that contains port=”${com.denodo.tomcat.http.port}” with <-- and -->. For example,

<!--
  <Connector port="${com.denodo.tomcat.http.port}"
             protocol="HTTP/1.1"
             maxThreads="150"
             minSpareThreads="25"
             redirectPort="${com.denodo.tomcat.https.port}"
             connectionTimeout="20000"
             URIEncoding="UTF-8"
             compression="on"
             compressionMinSize="1024"
             noCompressionUserAgents="gozilla, traviata"
             compressableMimeType="text/html,text/xml,application/json,application/xml,text/css,text/javascript,application/javascript" />
-->

Check the documentation of Apache Tomcat to know how to change the default SSL/TLS settings of the web container: to limit the ciphers, enable client authentication, etc.

  1. Check if the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties exists. If it does not, create it and leave it empty.

  2. When enabling TLS/SSL on the Tomcat, a user that can connect to the host where the Denodo servers run, with the user account with which you launch the Denodo servers, will be able to see the password of the keystore, in the list of running processes. That is because by default, this password is passed as a parameter to the script that starts the web container.

    To avoid this (i.e. adding this password to the command line of Tomcat), follow these steps:

    1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties and uncomment the property com.denodo.security.management.jmxremote.ssl.config.file. Only uncomment the property, leave the default value as is (i.e. <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties).

    2. Change the privileges of the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties so it can only be read and written by the same user account that starts the Denodo servers.

      If you do not change these privileges, the web container will not start.

      If you are going to launch the Denodo components as Windows services, configure these services to run with the user account that is the owner of the file “jmxssl.properties”. The section Configure Windows Services explains how to do this.

      To change the privileges, execute these commands:

      • On Linux, run the following from the user account that starts the Denodo servers:

      chmod 600 <DENODO_HOME>/resources/apache-tomcat/conf/jmxssl.properties
      
      • On Windows, right-click the icon Command Prompt of the Windows menu and click Run as administrator. Then, execute these commands:

      cd <DENODO_HOME>\resources\apache-tomcat\conf\
      icacls jmxssl.properties /setowner <denodo user>
      icacls jmxssl.properties /reset
      icacls jmxssl.properties /inheritance:r /grant:r <denodo user>:(GR,GW)
      

      For example:

      icacls jmxssl.properties /setowner CONTOSO\jsmith
      icacls jmxssl.properties /reset
      icacls jmxssl.properties /inheritance:r /grant:r CONTOSO\jsmith:(GR,GW)
      
  3. Start the Denodo servers you use.

  4. To check that HTTPS was enabled successfully, open the URL https://denodo-server.acme.com:9443/denodo-restfulws/admin (9443 is the default value of the property com.denodo.tomcat.https.port).

Enabling HTTPS on the Web Container but not in the Virtual DataPort Server

You can enable HTTPS on the web container without enabling TLS/SSL in the Virtual DataPort server. If you did not enable SSL/TLS on the Virtual DataPort server, comment the property com.denodo.security.ssl.enabled of the file tomcat.properties.

Additional Information about the TrustStore (cacerts file)

On the file tomcat.properties, we recommend leaving the properties com.denodo.security.ssl.trustStore and com.denodo.security.ssl.trustStorePassword.secret commented. That way, the web container uses the default TrustStore of the installation (i.e. <DENODO_HOME>/jre/lib/security/cacerts).

It is possible to configure the Denodo web container to use a TrustStore that is not the default one. However, we advise against doing so because it makes the management of the Denodo servers harder as you have to maintain a new TrustStore file. In case you want to do it, uncomment these properties on the file tomcat.properties:

  • com.denodo.security.ssl.trustStore = Path to the TrustStore.

    For example, com.denodo.security.ssl.trustStore=c:/denodo/custom_cacerts

    Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

  • com.denodo.security.ssl.trustStorePassword.secret = Password of the TrustStore. The default password of a TrustStore is changeit. The value of the password can be stored as clear text or encrypted. To obtain a valid encrypted value, use the {<DENODO_HOME>}/bin/encrypt_password script and append it with the encrypted: prefix.

Add feedback