Denodo SSL/TLS Configurator Script

The SSL/TLS configuration script automates the process of enabling SSL in all the modules of the Denodo Platform and the Solution Manager, including the web container (Apache Tomcat).

This script is located in <DENODO_HOME>/bin/denodo_tls_configurator and it does this:


Execute this script with the same user account with which you will start the Denodo Platform servers.

This is necessary because only the user account that starts the Denodo Platform can have read and write access to the file <DENODO_HOME>/resources/apache-tomcat/conf/; the script denodo_tls_configurator changes the permissions of this file so it is only readable and writeable by the user account that executes this script.

Note that there are some configuration steps that may be required even when using the SSL/TLS configuration script:

There are four operation modes available, based on the performed action (enabling or disabling SSL/TLS) and the required input files:

  1. Enable SSL/TLS Using a PKCS12 Keystore and Public Certificates in CER Format

  2. Enable SSL/TLS Using a PKCS #12 Bundle

  3. Enable SSL/TLS Using PEM-Encoded Key and Certificates

  4. Disable SSL/TLS

Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all or most of the operation modes:

  • --denodo-home <path>: path to the target Denodo Platform or Denodo Solution Manager installation.

  • --components component_1,...,component_n: comma-separated list of Denodo components that will be configured (choose between license-manager, scheduler, scheduler-index, solution-manager, tomcat, vdp and vdp-admin). Note that not all the components will be available, depending on the type of target installation (Denodo Platform or Denodo Solution Manager). If --components is not set, all the available components will be configured (this is the recommended approach).

  • --keystore <path>: path to the PKCS12 keystore to be used by the selected Denodo components. If it does not exist, it will be generated (except when enabling SSL/TLS using a PKCS12 keystore and public certificates in CER format).


    This parameter is not required when configuring client applications only. This will happen if:

    • The --components option’s value is set and its value contains vdp-admin and/or wgt only.

    • The --components option’s value is not set and the target installation only includes the Virtual DataPort Administration Tool.

  • --truststore <path>: path to the truststore to be used by the selected Denodo components. This truststore must exist: the script will import all the required certificates into it. For instance, you can use <DENODO_HOME>/jre/lib/security/cacerts.

  • --credentials-file <path>: Path to a properties file with encrypted values for keystore.password, truststore.password and/or pkcs12bundle.password, as required by the script’s configuration. Encrypted values must be generated with the <DENODO_HOME>/bin/encrypt_password.bat/.sh script.

    Credentials file sample

  • --license-manager-uses-tls={true|false}: this parameter is only useful for Denodo Platform installations and will be ignored if the target is a Denodo Solution Manager installation. It must be set to true when the target Denodo Platform installation is configured to connect to an SSL/TLS-enabled License Manager, or to false otherwise. See Configuring the Connection to the License Manager for details.

  • --override: this parameter overrides previous keystore and truststore configuration, making a backup of the existing files, but only when the script modifies them. An example of a backup of the truststore could be <DENODO_HOME>/jre/lib/security/cacerts.back.20230815123456789.

Also, you can display the script’s help by executing <DENODO_HOME>/bin/denodo_tls_configurator.bat/.sh without parameters.

Enable SSL/TLS Using a PKCS12 Keystore and Public Certificates in CER Format

This mode is especially suited for reusing the keystore and certificates of a previous Denodo Platform 7.0 / Denodo Solution Manager 7.0 installation. Also, in Obtaining and Installing an SSL/TLS Certificate you can find how to obtain the PKCS12 and CER files required by this operation mode (either self-signed or by sending a request to a Certificate Authority).

Syntax for enabling SSL/TLS using a PKCS12 keystore and public certificates in CER format
    --keystore <path>
    --cert-cer-file <path>
    [ --cert-chain-cer-file <path> ]
    --truststore <path>
    [ --override ]
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

  • --keystore <path>: note that in this operation mode, the configured keystore must exist and be in PKCS12 format.


    This parameter is not required when configuring only the Virtual DataPort Administration Tool.

  • --cert-cer-file <path>: path to a CER file with a certificate that will be imported into the selected truststore. This X.509 certificate must be associated with the private key found in the provided PKCS12 keystore.

  • --cert-chain-cer-file <path>: path to an optional CER chain file. The chain of certificates will be imported into the selected truststore.

Enable SSL/TLS Using a PKCS #12 Bundle

You can use a PKCS #12 bundle as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.

PKCS #12 files may contain different cryptography objects. The PKCS #12 file used to configure a Denodo Platform / Denodo Solution Manager installation must include a private key with its X.509 certificate and all the members of the certificate’s chain of trust (if required).

Syntax for enabling SSL/TLS using a PKCS #12 bundle
    --pkcs12-file <path>
    --keystore <path>
    --truststore <path>
    [ --override ]
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

  • --pkcs12-file <path>: path to a PKCS #12 bundle file (with .p12 or .pfx extension). Its contents will be used for initializing a keystore in the selected path and importing the required public certificates in the selected truststore. The provided PKCS #12 bundle must contain all the required private and public keys. The file’s password must be provided as the value of the pkcs12bundle.password property in the configured credentials file.

Enable SSL/TLS Using PEM-Encoded Key and Certificates

You can use PEM-encoded files as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.

Syntax for enabling SSL/TLS using PEM-encoded key and certificates
    --keystore <path>
    --key-pem-file <path>
    --cert-pem-file <path>
    [ --cert-chain-pem-files <path_1>,...,<path_n> ]
    --truststore <path>
    [ --override ]
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

  • --key-pem-file <path>: path to a file with a PEM-encoded, unencrypted RSA private key that will be used to initialize a keystore in the selected keystore path.

    PEM-encoded, unencrypted private key
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

  • --cert-pem-file <path>: path to a file with a PEM-encoded public X.509 certificate that will be imported into the selected truststore. This certificate must be associated with the provided private key.

    PEM-encoded public certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  • --cert-chain-pem-files <path_1>,...,<path_n>: optional list of paths to PEM-encoded files with a public certificate chain that will be imported into the selected truststore. These files can contain individual certificates of the chain or a concatenation of certificates.
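
A pre-flight check for the PEM inputs described above, as an added example (not part of the Denodo documentation or of the script itself): it confirms that the key file holds one unencrypted block labelled RSA PRIVATE KEY, counts certificate blocks, and flags a key file that group or others can access. The function names are hypothetical; accepting only the RSA PRIVATE KEY label and requiring exactly one certificate in --cert-pem-file are assumptions drawn from the parameter descriptions on this page.

```python
import os
import re
import stat

# One PEM block: BEGIN/END labels must match; the body is kept for header checks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_key(pem_text):
    """Return 'ok' only for one unencrypted block labelled RSA PRIVATE KEY."""
    keys = [(l, b) for l, b in PEM_BLOCK.findall(pem_text) if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return "expected one private key block, found %d" % len(keys)
    label, body = keys[0]
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted PKCS #8 key"
    if label != "RSA PRIVATE KEY":  # assumption: only the label named on the page is accepted
        return "label is '%s', not 'RSA PRIVATE KEY'" % label
    # Legacy OpenSSL encryption keeps the RSA label and adds RFC 1421 headers.
    if "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted RSA key (Proc-Type header present)"
    return "ok"

def count_certs(pem_text):
    """Number of CERTIFICATE blocks; chain files may concatenate several."""
    return sum(1 for label, _ in PEM_BLOCK.findall(pem_text) if label == "CERTIFICATE")

def too_open(path):
    """True if group or others hold any permission bit (POSIX modes only)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def preflight(key_path, cert_path, chain_paths=()):
    """Return a list of problems found in the PEM inputs; empty means none."""
    problems = []
    with open(key_path, errors="replace") as fh:
        verdict = classify_key(fh.read())
    if verdict != "ok":
        problems.append("%s: %s" % (key_path, verdict))
    if too_open(key_path):
        problems.append("%s: unencrypted key accessible beyond its owner" % key_path)
    # Assumption: --cert-pem-file holds exactly one certificate; chain files one or more.
    for path, single in [(cert_path, True)] + [(p, False) for p in chain_paths]:
        with open(path, errors="replace") as fh:
            n = count_certs(fh.read())
        if n == 0 or (single and n != 1):
            problems.append("%s: found %d certificate block(s)" % (path, n))
    return problems
```

Call preflight() with the same paths you intend to pass to --key-pem-file, --cert-pem-file and --cert-chain-pem-files. It does not verify that the certificate matches the private key; that comparison needs a cryptographic library or a tool such as openssl.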

Disable SSL/TLS

You can disable SSL/TLS in the target Denodo Platform or Denodo Solution Manager installation by using this syntax:

Syntax for disabling SSL/TLS
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --denodo-home <path>