Enabling SSL/TLS in Denodo Platform Servers
Note
Consider checking the Denodo SSL/TLS Configurator Script before following the steps detailed in this section. The script can perform these steps for you.
Follow these steps to secure with SSL/TLS the incoming connections to the servers of a Denodo Platform installation.
Doing so encrypts the communications between the Denodo servers and their administration tools, and between the Denodo servers and their clients (JDBC and ODBC applications).
Stop all the Denodo servers of this installation.
Open the configuration files of the servers whose connections have to be secured:
| Server | Configuration file |
|---|---|
| Virtual DataPort server | <DENODO_HOME>/conf/vdp/VDBConfiguration.properties |
| Scheduler server | <DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties |
| Scheduler Index server | <DENODO_HOME>/conf/arn-index/ConfigurationParameters.properties |
In all the files opened in the previous step, uncomment the following properties and change their values:
| Property | Value |
|---|---|
| com.denodo.security.ssl.enabled | Set to |
| com.denodo.security.ssl.keyStore | Path to the KeyStore that contains the private key for the Denodo Platform servers. E.g. Even if the Denodo servers run on Windows, the path separator has to be the forward slash ( / ). |
| com.denodo.security.ssl.keyStorePassword.secret | Password of the KeyStore that contains the private key for the Denodo Platform servers (this file is always password protected). This property can store this password in plain text or encrypted. We recommend encrypting it. To encrypt it, execute |
| com.denodo.security.ssl.trustStore, com.denodo.security.ssl.trustStorePassword.secret | Leave these three properties commented. |
Additional Information about the TrustStore (cacerts file)
By leaving the properties com.denodo.security.ssl.trustStore and com.denodo.security.ssl.trustStorePassword.secret commented on these files, these modules will use the default TrustStore of the installation (<DENODO_HOME>/jre/lib/security/cacerts).
It is possible to configure the Denodo servers to use a TrustStore that is not the default one. However, we do not recommend doing so, and we suggest that you go to the next section. The main reason to use the default TrustStore is that it makes the configuration of the Denodo servers easier.
In case you want to do it, uncomment the following properties in the configuration files listed above:
com.denodo.security.ssl.trustStore = Path to the TrustStore. For example, com.denodo.security.ssl.trustStore=<DENODO_HOME>/jre/lib/security/cacerts
Even if the Denodo servers run on Windows, the path separator has to be the forward slash ( / ).

com.denodo.security.ssl.trustStorePassword.secret = Password of the TrustStore. The default password of the TrustStore (<DENODO_HOME>/jre/lib/security/cacerts) is changeit. The value of the password can be stored as clear text or encrypted. To obtain a valid encrypted value, use the <DENODO_HOME>/bin/encrypt_password script and prefix the value with encrypted: (colon included).
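A lint for the settings described on this page, as an added example that is not part of the Denodo documentation or tooling: it takes the text of one of the configuration files listed above and reports SSL properties left commented, a KeyStore path written with backslashes, a KeyStore password stored in plain text, and TrustStore overrides. The function names, sample paths and password values are constructed; it assumes that true is the enabling value and that an encrypted KeyStore password carries the same encrypted: prefix described for the TrustStore password.

```python
PREFIX = "com.denodo.security.ssl."

def active_properties(text):
    """Return uncommented com.denodo.security.ssl.* entries (key=value lines only)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or commented-out property
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(PREFIX):
            props[key.strip()[len(PREFIX):]] = value.strip()
    return props

def audit(text):
    """Return findings for the text of one server configuration file."""
    p, findings = active_properties(text), []
    # Assumption: "true" is the enabling value; the page's table does not show it.
    if p.get("enabled", "").lower() != "true":
        findings.append("ssl.enabled is commented out or not true")
    keystore = p.get("keyStore", "")
    if not keystore:
        findings.append("ssl.keyStore is not set")
    elif "\\" in keystore:
        findings.append("ssl.keyStore contains backslashes; use / as separator")
    secret = p.get("keyStorePassword.secret")
    if secret is None:
        findings.append("ssl.keyStorePassword.secret is not set")
    elif not secret.startswith("encrypted:"):  # assumed same prefix as TrustStore password
        findings.append("ssl.keyStorePassword.secret is stored in plain text")
    for key in ("trustStore", "trustStorePassword.secret"):
        if key in p:
            findings.append(f"ssl.{key} is set; the default cacerts is not in use")
    return findings

# Constructed sample files; paths and password values are placeholders.
BAD = r"""
com.denodo.security.ssl.enabled=true
com.denodo.security.ssl.keyStore=C:\certs\denodo_keystore.jks
com.denodo.security.ssl.keyStorePassword.secret=example-plaintext
#com.denodo.security.ssl.trustStore=
"""
GOOD = """
com.denodo.security.ssl.enabled=true
com.denodo.security.ssl.keyStore=C:/certs/denodo_keystore.jks
com.denodo.security.ssl.keyStorePassword.secret=encrypted:PLACEHOLDER
"""

if __name__ == "__main__":
    for finding in audit(BAD):
        print(finding)
```

Run it against each of the three configuration files after editing them; an empty result means the file matches the settings this page recommends.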