SSL/TLS
The Denodo Embedded MPP is shipped with a Java Keystore, presto/secrets/presto.jks, that contains a self-signed certificate, certs/certificate.crt, which is distributed for testing purposes ONLY.
This self-signed certificate accepts presto-denodo as the hostname of the Denodo Embedded MPP. Therefore, on the machine where the Denodo server is running, you have to add an entry to the hosts file that maps presto-denodo to the EXTERNAL-IP of the Presto service, as reported by kubectl get svc.
kubectl get svc
NAME             TYPE           CLUSTER-IP   EXTERNAL-IP
hive-metastore   ClusterIP      172.20.x.x   <none>
postgresql       ClusterIP      172.20.x.x   <none>
presto           LoadBalancer   172.20.x.x   xx.xx.xx.xx

Entry to add to the hosts file:
xx.xx.xx.xx presto-denodo
We strongly recommend using a certificate issued by a certificate authority (CA) or a private authority in production, instead of the one shipped in the Java Keystore presto/secrets/presto.jks.
See how to create a Keystore in Send a Certificate Request to a Certificate Authority (CA) and Create a Keystore with the Reply.
If you create a new Java Keystore, place it in presto/secrets. The default file name is presto.jks and its default password is sslpassphrase, but if you want to change them you have to edit the following properties in the presto/conf/config.properties.coordinator file:
http-server.https.keystore.key=sslpassphrase
http-server.https.keystore.path=/opt/secrets/presto.jks
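As a pre-production check for the two properties above, the following added example (not part of the Denodo documentation or product) reads a coordinator properties file and reports when the keystore password or path is still the shipped default. The function names and the FAIL/REVIEW output format are assumptions made for this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not Denodo's code): flag shipped test defaults in a
# coordinator properties file before it reaches production.

DEFAULT_KEY='sslpassphrase'             # default password stated on the page
DEFAULT_PATH='/opt/secrets/presto.jks'  # default keystore path from the page

# Print the value of property $2 in file $1. Comment lines are skipped,
# whitespace is trimmed, and the last assignment wins.
get_prop() {
    awk -v want="$2" '
        /^[ \t]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# Print one finding per line. Returns 1 on FAIL, 0 otherwise
# (a REVIEW line alone does not fail the audit).
audit_keystore_config() {
    ks_key=$(get_prop "$1" http-server.https.keystore.key)
    ks_path=$(get_prop "$1" http-server.https.keystore.path)
    rc=0
    if [ -z "$ks_key" ]; then echo "FAIL keystore.key not set"; rc=1
    elif [ "$ks_key" = "$DEFAULT_KEY" ]; then
        echo "FAIL keystore.key is the documented default"; rc=1
    fi
    if [ -z "$ks_path" ]; then echo "FAIL keystore.path not set"; rc=1
    elif [ "$ks_path" = "$DEFAULT_PATH" ]; then
        echo "REVIEW keystore.path is the default; confirm the file was replaced"
    fi
    return "$rc"
}

# Constructed sample input: the defaults as shipped.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# coordinator TLS settings (constructed sample)
http-server.https.keystore.key=sslpassphrase
http-server.https.keystore.path=/opt/secrets/presto.jks
EOF
audit_keystore_config "$sample" || true
rm -f "$sample"
```

A REVIEW line does not fail the audit because a CA-issued keystore may legitimately be stored under the default file name.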
Finally, take into account that if the certificate used by the Denodo Embedded MPP is signed by a private authority, or it is self-signed, you have to import this certificate into the truststore of the Denodo servers:
<DENODO_HOME>/jre/bin/keytool -importcert -alias denodo-mpp \
-file <DENODO_MPP_HOME>/certs/certificate.crt \
-cacerts -storepass "changeit" -noprompt