Enabling the Network Interface Restriction in the Denodo Platform

By default, the components of the Denodo Platform listen for incoming connections on all the network interfaces of the computer. If you installed the Denodo Platform on a computer that has two or more network interfaces, you can configure these components to listen for incoming connections on only one of the network interfaces and not on the others. This is useful to restrict access to these components for security purposes.

Before enabling this feature, obtain the hostname or IP address of this network interface. If you choose a hostname, this computer has to resolve this hostname to this network interface. Whether you choose an IP address or a hostname, we will call this value the restricted hostname. You will use it in the steps below.

This feature is also available in the Solution Manager (see Enabling the Network Interface Restriction in the Solution Manager).

Now, follow these steps:

Note

The configuration of each component is independent of the others. If you do not use a component, you do not have to change its configuration, and leaving it unchanged will not affect the other components. For example, you do not need to change the configuration of the components of ITPilot if you do not use ITPilot.

  1. Open the Administration Tool or the Design Studio and log in to Virtual DataPort using an administrator account. Then, execute these commands:

    SET 'com.denodo.vdb.vdbinterface.server.VDBManagerImpl.registryURL' = '<public hostname>';
    SET 'com.denodo.vdb.vdbinterface.server.VDBManagerImpl.registryURL.restricted' = '<restricted hostname>';
    SET 'com.denodo.vdb.vdbinterface.server.VDBManagerImpl.hostName' = '<restricted hostname>';
    

    In these commands:

    • Replace <restricted hostname> with the restricted hostname.

    • Replace <public hostname> with the hostname that client applications use to connect to this Virtual DataPort server. If they connect through a load balancer, this has to be the hostname of the load balancer.

  2. Stop all the components of this installation.

  3. For the web container, edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties and make these changes:

    1. Set the property com.denodo.tomcat.jmx.rmi.host to the restricted hostname.

    2. Comment out the property com.denodo.vdp.host.

  4. Also for the web container, edit <DENODO_HOME>/resources/apache-tomcat/conf/server.xml, search for the element <Connector and add the attribute address="${com.denodo.vdp.host}". Add this attribute “as is”; do not enter a hostname.

    You have to end up with something like this:

    <Connector
         address="${com.denodo.vdp.host}"
         port="${com.denodo.tomcat.http.port}"
         protocol="HTTP/1.1"
         maxThreads="150"
    ...
    />
    

    Note

    This file has two Connector elements: one for the HTTP connector and one for the HTTPS connector. You have to make this change in both of them.

  5. For Scheduler, edit the file <DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties and add the property Server/registryURL.restricted with the restricted hostname as its value.

  6. For Scheduler Index, edit the file <DENODO_HOME>/conf/arn-index/ConfigurationParameters.properties and add the property Launcher/registryURL.restricted with the restricted hostname as its value.

  7. For the Diagnostic & Monitoring Tool, edit the file <DENODO_HOME>/resources/apache-tomcat/webapps/diagnostic-monitoring-tool/WEB-INF/classes/ConfigurationParameters.properties and change the value of the property vdp.hostname.local to the restricted hostname.

  8. For the GraphQL Service, edit <DENODO_HOME>/resources/apache-tomcat/webapps/denodo-graphql-service/WEB-INF/classes/application.properties and change the value of the property vdp.datasource.jdbcUrl to the restricted hostname.

  9. For Aracne, edit the file <DENODO_HOME>/conf/arn/ConfigurationParameters.properties and add the property Server/registryURL.restricted with the restricted hostname as its value.

  10. For the ITPilot Browser Pool, edit <DENODO_HOME>/conf/iebrowser/IEBrowserConfiguration.properties and add the property RemoteIEBrowserPoolImpl.HOST.restricted with the restricted hostname as its value.

  11. For the ITPilot Maintenance Service, edit <DENODO_HOME>/conf/maintenance/MaintenanceConfiguration.xml and search for the element <rmi> inside the element <extraction>. Inside <rmi>, add the element <restricted> with the restricted hostname as its value. You have to end up with something like this:

    <extraction>
        <rmi>
            <host>localhost</host>
            <restricted>denodo-server.acme.com</restricted>
            <port>7001</port>
            <registry>maintenanceReceiver</registry>
        </rmi>
        ...
    </extraction>
    
  12. Start the components of this installation.

  13. In Virtual DataPort, redeploy all the web services (REST and SOAP).

After these changes, the components of the Denodo Platform will only be reachable through the network interface associated with the restricted hostname, not through “localhost” or the other interfaces of this computer.
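
To confirm this result on the server, you can list the listening sockets once the components are running again. The following script is an added example, not part of the Denodo documentation; it assumes a Linux host with ss (iproute2) and that the components run as java processes, and its sample input is constructed (documentation address 192.0.2.10, made-up ports and pids).

```shell
#!/bin/sh
# Added example: report listening TCP sockets of matching processes that are
# bound to anything other than the restricted address.
# Real use (as root, so ss can show process names):
#   ss -H -ltnp | audit_listeners "$(getent hosts <restricted hostname> | awk '{print $1}')"

# audit_listeners RESTRICTED_IP [PROCESS_NAME]
# Reads `ss -H -ltnp` lines on stdin. PROCESS_NAME defaults to "java"
# (assumption: the platform's servers run as java processes).
# Prints one line per offending socket; exit status 1 if any were found.
audit_listeners() {
    awk -v ip="$1" -v proc="${2:-java}" '
        index($0, "\"" proc "\"") == 0 { next }  # socket of another process
        {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)  # drop ":port"
            gsub(/^\[|\]$/, "", addr)             # drop IPv6 brackets
            if (addr != ip) { print "NOT-RESTRICTED " addr " port " port; bad = 1 }
        }
        END { exit (bad + 0) }
    '
}

# Constructed sample (documentation address 192.0.2.10, made-up ports/pids).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 100 192.0.2.10:17000 0.0.0.0:* users:(("java",pid=2101,fd=88))
LISTEN 0 100 0.0.0.0:18080 0.0.0.0:* users:(("java",pid=2250,fd=61))
LISTEN 0 100 *:18443 *:* users:(("java",pid=2250,fd=62))
LISTEN 0 50 [::ffff:127.0.0.1]:18005 *:* users:(("java",pid=2250,fd=70))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
EOF
}

sample_ss_output | audit_listeners 192.0.2.10 ||
    echo "listeners outside the restricted interface were found"
```

A reported socket may belong to a component whose configuration you left unchanged because you do not use it; map each reported port back to its component before deciding whether a step was missed.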