
Enabling SSL/TLS in Solution Manager Servers

Important

After enabling SSL/TLS on the Solution Manager, you need to:

  • Change the configuration of all the Denodo servers that connect to this installation. This is to indicate they have to use SSL/TLS to connect to the Solution Manager.

  • If in the Automated Cloud Mode configuration there is a value for Solution Manager Administration Tool port, update the value to the corresponding SSL port.

  • Recreate the automated clusters.

Important

In Linux, only processes that are started by the root user can listen to connections on ports below 1024.

To overcome this limitation, you can use iptables to redirect the incoming traffic from port 443 (default HTTPS port) to 9443, and from 80 (default HTTP port) to 9090. Alternatively, you can start the Solution Manager with the root account.

Take this into account when changing the default ports of the embedded Apache Tomcat.

Note

Consider checking the Denodo SSL/TLS Configurator Script before following the steps detailed in this section. The script can perform these steps for you.

Follow these steps to secure the incoming connections to the servers of a Solution Manager installation with SSL/TLS and to enable HTTPS on the web container.

By doing this, the communications between the Solution Manager servers and their administration tools, and between the Solution Manager servers and their clients, will be encrypted.

  1. Stop all the components of the Solution Manager. The goal is to stop the web container, and it is important to stop every component so the Denodo web container is stopped as well. If, for example, you leave the Diagnostic & Monitoring Tool running, the web container will not shut down and the changes in the file tomcat.properties will not take effect.

  2. Edit the file <SOLUTION_MANAGER_HOME>/conf/vdp/VDBConfiguration.properties. Uncomment the following properties and change their values:

com.denodo.security.ssl.enabled

Set to true

com.denodo.security.ssl.keyStore

Path to the KeyStore that contains the private key for the Solution Manager. You can use the same one you use on the installations of the Denodo Platform.

E.g. C:/DenodoSolutionManager/denodo_server_key_store.jks

Even if the Solution Manager runs on Windows, the path separator has to be the forward slash (/).

com.denodo.security.ssl.keyStorePassword.secret

Password of the KeyStore that contains the private key of the Solution Manager (this file is always password protected).

This property can store this password in plain text or encrypted. We recommend encrypting it. To encrypt it, execute {<DENODO_HOME>}/bin/encrypt_password. You will have to enter the password of the keystore. Then, copy the output of this tool to this property.

If you set this property with an encrypted value, it must be preceded by the prefix encrypted:.

com.denodo.security.ssl.trustStore

com.denodo.security.ssl.trustStorePassword.secret

Leave these properties commented.

  3. Edit these files:

    1. <SOLUTION_MANAGER_HOME>/conf/solution-manager/SMConfigurationParameters.properties

    2. <SOLUTION_MANAGER_HOME>/conf/license-manager/LMConfigurationParameters.properties

    In these files, uncomment the following properties and change their values:

server.ssl.key-store

Path to the KeyStore that contains the private key for the Solution Manager servers. You can use the same keystore you use in the Virtual DataPort servers.

E.g. C:/DenodoSolutionManager/denodo_server_key_store.jks

Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

server.ssl.key-store-password.secret

Password of the KeyStore that contains the private key of the Solution Manager (this file is always password protected).

This property can store this password in plain text or encrypted. We recommend encrypting it. To encrypt it, execute {<DENODO_HOME>}/bin/encrypt_password. You will have to enter the password of the keystore. Then, copy the output of this tool to this property.

If you set this property with an encrypted value, it must be preceded by the prefix encrypted:.

com.denodo.security.ssl.trustStore

com.denodo.security.ssl.trustStorePassword.secret

Leave these properties commented.

  4. Edit the file <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/tomcat.properties. Uncomment the following properties and set their values:

com.denodo.tomcat.http.port

If you want to disable HTTP and only allow HTTPS connections, comment this property.

If you want to allow HTTP and HTTPS, leave this property as is.

com.denodo.tomcat.https.port

Port listening to HTTPS connections. Check that this port is free in this host.

If you want clients to access the HTTPS interface without having to put the port in the URL, set this to 443 instead of 19443. That way, the user will be able to access the HTTPS interface with a URL like https://denodo-server.acme.com/denodo-restfulws instead of https://denodo-server.acme.com:19443/denodo-restfulws.

Note that in Linux, processes that are not started by the root user cannot listen on ports under 1024. However, it is possible, using iptables, to redirect the traffic arriving on port 443 to port 19443.

com.denodo.security.ssl.enabled

Set to true

com.denodo.security.ssl.keyStore

Path to the KeyStore that contains the certificate for the Solution Manager.

For example, com.denodo.security.ssl.keyStore=C:/DenodoSolutionManager/denodo_server_key_store.jks

Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

com.denodo.security.ssl.keyStorePassword.secret

Password of the KeyStore that contains the certificate for the Solution Manager. The value of the password can be stored as clear text or encrypted. To obtain a valid encrypted value, use the {<DENODO_HOME>}/bin/encrypt_password script.

If you set this property with an encrypted value, it must be preceded by the prefix encrypted:.

com.denodo.security.ssl.trustStore

com.denodo.security.ssl.trustStorePassword.secret

Leave these properties commented.

com.denodo.rmi.connection.tlsProtocol

Optional property to set one specific TLS version (TLSv1.1, TLSv1.2, TLSv1.3…) for the communications between the applications running under Tomcat and the VDP Server. Note that the available versions of the protocol may be affected by the JVM’s own configuration.

  5. Edit the file <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/server.xml

    1. Uncomment the SSL connector. That is, search for the "Connector" element that contains SSLEnabled="true" and remove the <!-- and --> characters that surround it.

    2. To disable access through HTTP and only allow HTTPS connections, comment out the "Connector" element that contains port="${com.denodo.tomcat.http.port}" with <!-- and -->. For example,

<!--
  <Connector port="${com.denodo.tomcat.http.port}"
             protocol="HTTP/1.1"
             maxThreads="150"
             minSpareThreads="25"
             redirectPort="${com.denodo.tomcat.https.port}"
             connectionTimeout="20000"
             URIEncoding="UTF-8"
             compression="on"
             compressionMinSize="1024"
             noCompressionUserAgents="gozilla, traviata"
             compressableMimeType="text/html,text/xml,application/json,application/xml,text/css,text/javascript,application/javascript" />
-->

Check the Apache Tomcat documentation to learn how to change the default SSL/TLS settings of the web container: to limit the ciphers, enable client authentication, etc.

  6. When enabling TLS/SSL on Tomcat, any user that can log in to the host where the Solution Manager servers run with the account that launches the Solution Manager servers will be able to see the password of the keystore in the list of running processes. That is because, by default, this password is passed as a parameter to the script that starts the web container.

    To avoid putting this password on the Tomcat command line, follow these steps:

    Important

    This is a mandatory step, otherwise Tomcat will not start.

    1. Check that the file <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/jmxssl.properties exists. If it does not, create it and leave it empty.

    2. Edit the file <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/tomcat.properties and uncomment the property com.denodo.security.management.jmxremote.ssl.config.file. Only uncomment the property, leave the default value as is (i.e. <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/jmxssl.properties).

    3. Change the privileges of the file <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/jmxssl.properties so it can only be read and written by the same user account that starts the Denodo servers.

      To do this, execute these commands:

      • On Linux, run the following from the user account that starts the Denodo servers:

      chmod 600 <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/conf/jmxssl.properties
      
      • On Windows, right-click the icon Command Prompt of the Windows menu and click Run as administrator.

        Run the following commands (replace <denodo_user> with the user account with which the Denodo servers are started):

      cd <SOLUTION_MANAGER_HOME>\resources\apache-tomcat\conf\
      icacls jmxssl.properties /setowner <denodo_user>
      icacls jmxssl.properties /grant <denodo_user>:(GR,GW)
      icacls jmxssl.properties /inheritance:r
      

      If you do not change these privileges, the web container will not start.

  7. Edit the file <SOLUTION_MANAGER_HOME>/conf/solution-manager-web-tool/SMAdminConfiguration.properties.

    • Change the value of the property com.denodo.solutionmanager.security.ssl.enabled to true.

    • Update the value of the property com.denodo.solutionmanager.host with the hostname of the machine to match with the SSL certificate’s SubjectAlternativeName (SAN).

  8. Start the Denodo Platform servers.

    It is important to stop them all before any change (step #1) so the Denodo web container is stopped as well.

  9. To check that HTTPS was enabled successfully, start the Solution Manager Administration Tool and all the other modules. Then, go to https://denodo-solution-manager.acme.com:19443/solution-manager-web-tool and log in (19443 is the default value of the property com.denodo.tomcat.https.port).
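As an added example (not part of the Denodo manual), a small Python checker that validates a tomcat.properties file against the settings listed in the steps above (SSL enabled, forward-slash keystore path, encrypted: prefix on the password, trust store left commented, HTTP listener commented for HTTPS-only) and confirms that jmxssl.properties is readable only by its owner (chmod 600). The sample properties are constructed here and the encrypted value is a placeholder, not real encrypt_password output.

```python
import os
import stat

# Constructed sample of tomcat.properties after the edits in this section
# (not a real Denodo file; the encrypted value is a placeholder, not real tool output).
SAMPLE_TOMCAT_PROPERTIES = """\
#com.denodo.tomcat.http.port=19090
com.denodo.tomcat.https.port=19443
com.denodo.security.ssl.enabled=true
com.denodo.security.ssl.keyStore=C:/DenodoSolutionManager/denodo_server_key_store.jks
com.denodo.security.ssl.keyStorePassword.secret=encrypted:PLACEHOLDER_ENCRYPT_PASSWORD_OUTPUT
#com.denodo.security.ssl.trustStore=
#com.denodo.security.ssl.trustStorePassword.secret=
"""

def parse_active_properties(text):
    """Return {key: value} for uncommented key=value lines; commented lines are skipped."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            active[key.strip()] = value.strip()
    return active

def check_tls_settings(text):
    """Return findings against this section's guidance; an empty list means the file matches."""
    active = parse_active_properties(text)
    findings = []
    if active.get("com.denodo.security.ssl.enabled") != "true":
        findings.append("com.denodo.security.ssl.enabled must be true")
    keystore = active.get("com.denodo.security.ssl.keyStore", "")
    if not keystore or "\\" in keystore:
        findings.append("keyStore must be set and use forward slashes, even on Windows")
    if not active.get("com.denodo.security.ssl.keyStorePassword.secret", "").startswith("encrypted:"):
        findings.append("keyStorePassword.secret is missing or stored in plain text")
    for key in ("com.denodo.security.ssl.trustStore", "com.denodo.security.ssl.trustStorePassword.secret"):
        if key in active:
            findings.append(key + " should stay commented so the default cacerts is used")
    if "com.denodo.tomcat.http.port" in active:
        findings.append("HTTP listener still enabled; comment com.denodo.tomcat.http.port for HTTPS-only")
    return findings

def jmxssl_perms_ok(path):
    """POSIX only: True if jmxssl.properties is readable/writable by its owner alone (chmod 600)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
```

Run check_tls_settings on the real tomcat.properties after step 4 and jmxssl_perms_ok on the real jmxssl.properties path; any non-empty findings list or False result points at a step that was skipped.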

Additional Information about the TrustStore (cacerts file)

By leaving the properties com.denodo.security.ssl.trustStore and com.denodo.security.ssl.trustStorePassword.secret commented out in these files, these modules will use the default TrustStore of the installation (<SOLUTION_MANAGER_HOME>/jre/lib/security/cacerts).

It is possible to configure the Solution Manager to use a TrustStore that is not the default one. However, we advise against doing so because it makes the configuration of the Solution Manager harder. In case you want to do it, follow these steps:

  1. Open the file <SOLUTION_MANAGER_HOME>/conf/solution-manager/SMConfigurationParameters.properties.

  2. Uncomment the property com.denodo.security.ssl.trustStore and set it to the path of the TrustStore. For example:

    com.denodo.security.ssl.trustStore=C:/settings/my_external_cacerts_file
    

    Even if the Solution Manager runs on Windows, the path separator has to be the forward slash (/).

  3. Uncomment the property com.denodo.security.ssl.trustStorePassword.secret and set it to the password of the TrustStore. You can put this password in clear text or encrypted, but if encrypted its value must be preceded by the prefix encrypted:. To obtain the encrypted value of the password, execute the script {<DENODO_HOME>}/bin/encrypt_password.

    If you set this property with an encrypted value, you also have to do step #6 (see above) if you have not done it yet. Otherwise, Tomcat will not start.

  4. Edit the file <SOLUTION_MANAGER_HOME>/conf/solution-manager/denodo-monitor/ConfigurationParametersGeneral.template, uncomment the property com.denodo.security.ssl.trustStore and set it to the TrustStore you want to use. For example:

    com.denodo.security.ssl.trustStore=c:/settings/my_external_cacerts_file
    