Denodo SSL/TLS Configurator Script

The SSL/TLS configuration script is located in <DENODO_HOME>/bin/denodo_tls_configurator.bat/.sh and it can be used to automate most of the configuration steps required to enable SSL/TLS across Denodo Platform and Denodo Solution Manager installations.

More specifically, the script can enable and disable SSL/TLS in a target Denodo Platform / Denodo Solution Manager installation by performing the following actions:

Note that there are some configuration steps that may be required even when using the SSL/TLS configuration script:

There are four operation modes available, based on the performed action (enabling or disabling SSL/TLS) and the required input files:

Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all or most of the operation modes:

  • --denodo-home <path>: path to the target Denodo Platform or Denodo Solution Manager installation.

  • --components component_1,...,component_n: comma-separated list of Denodo components that will be configured (choose between browserpool, license-manager, scheduler, scheduler-index, solution-manager, tomcat, vdp, vdp-admin, verification and wgt). Note that not all the components will be available, depending on the type of target installation (Denodo Platform or Denodo Solution Manager). If --components is not set, all the available components will be configured (this is the recommended approach).

  • --keystore <path>: path to the JKS keystore to be used by the selected Denodo components. If it does not exist, it will be generated (except when enabling SSL/TLS using a JKS keystore and public certificates in CER format).

    Note

    This parameter is not required when configuring client applications only. This will happen if:

    • The --components option’s value is set and its value contains vdp-admin and/or wgt only.

    • The --components option’s value is not set and the target installation includes the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.

  • --truststore <path>: path to the truststore to be used by the selected Denodo components. This truststore must exist: the script will import all the required certificates into it. For instance, you can use <DENODO_HOME>/jre/lib/security/cacerts.

  • --credentials-file <path>: path to a properties file with encrypted values for keystore.password, truststore.password and/or pkcs12bundle.password, as required by the script’s configuration. Encrypted values must be generated with the <DENODO_HOME>/bin/encrypt_password.bat/.sh script.

  • --license-manager-uses-tls={true|false}: this parameter is only useful for Denodo Platform installations and will be ignored if the target is a Denodo Solution Manager installation. It must be set to true when the target Denodo Platform installation is configured to connect to an SSL/TLS-enabled License Manager, or to false otherwise. See Configuring the Connection to the License Manager for details.

Also, you can display the script’s help by executing <DENODO_HOME>/bin/denodo_tls_configurator.bat/.sh without parameters.

Enable SSL/TLS Using a JKS Keystore and Public Certificates in CER Format

This mode is especially suited for reusing the keystore and certificates of a previous Denodo Platform 7.0 / Denodo Solution Manager 7.0 installation. Also, Obtaining and Installing an SSL/TLS Certificate explains how to obtain the JKS and CER files required by this operation mode (either self-signed or by sending a request to a Certificate Authority).

Syntax for enabling SSL/TLS using a JKS keystore and public certificates in CER format
denodo_tls_configurator
    --keystore <path>
    --cert-cer-file <path>
    [ --cert-chain-cer-file <path> ]
    --truststore <path>
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

  • --keystore <path>: note that in this operation mode, the configured keystore must exist and be in JKS format.

    Note

    This parameter is not required when configuring the Virtual DataPort Administration Tool and/or the Wrapper Generator Tool only.

  • --cert-cer-file <path>: path to a CER file with a certificate that will be imported into the selected truststore. This X.509 certificate must be associated with the private key found in the provided JKS keystore.

  • --cert-chain-cer-file <path>: path to an optional CER chain file. The chain of certificates will be imported into the selected truststore.

Enable SSL/TLS Using a PKCS #12 Bundle

You can use a PKCS #12 bundle as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.

PKCS #12 files may contain different cryptography objects. The PKCS #12 file used to configure a Denodo Platform / Denodo Solution Manager installation must include a private key with its X.509 certificate and all the members of the certificate’s chain of trust (if required).

Syntax for enabling SSL/TLS using a PKCS #12 bundle
denodo_tls_configurator
    --pkcs12-file <path>
    --keystore <path>
    --truststore <path>
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

  • --pkcs12-file <path>: path to a PKCS #12 bundle file (with .p12 or .pfx extension). Its contents will be used for initializing a keystore in the selected path and importing the required public certificates in the selected truststore. The provided PKCS #12 bundle must contain all the required private and public keys. The file’s password must be provided as the value of the pkcs12bundle.password property in the configured credentials file.
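
The bundle requirements above (a private key, its certificate and any chain members) can be confirmed before the bundle is handed to the script. This is an added example, not part of the Denodo documentation; it assumes the openssl command-line tool is installed, and the function name, exit codes and the P12_PASS environment variable are the example's own.

```shell
#!/bin/sh
# Added example: inventory of a PKCS #12 bundle before using --pkcs12-file.
# p12_inventory, its exit codes and P12_PASS are hypothetical names.
# The bundle password is read from the environment variable P12_PASS so that
# it never appears on the command line or in the process list.

# p12_inventory FILE: prints "keys=N certs=M"
#   0 = at least one private key and one certificate
#   2 = bundle cannot be opened   3 = no private key   4 = no certificate
p12_inventory() {
    p12=$1
    # Certificates only. A wrong password or a damaged file fails here.
    certs=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys 2>/dev/null) || {
        echo "cannot open bundle (wrong pkcs12bundle.password?)" >&2; return 2; }
    n_certs=$(printf '%s\n' "$certs" |
        grep -c -e '-----BEGIN CERTIFICATE-----' || true)
    # Private keys only; the decrypted key goes straight into grep, never to disk.
    n_keys=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -c -e '-----BEGIN .*PRIVATE KEY-----' || true)
    echo "keys=$n_keys certs=$n_certs"
    [ "$n_keys" -ge 1 ] || { echo "no private key in bundle" >&2; return 3; }
    [ "$n_certs" -ge 1 ] || { echo "no certificate in bundle" >&2; return 4; }
}

# Stand-alone use: set P12_PASS in the environment, then
#   sh p12_inventory.sh bundle.p12
if [ "$#" -ge 1 ]; then
    p12_inventory "$1"
fi
```

Compare the reported certificate count with the length of the chain you expect: a bundle exported without its intermediate certificates still reports keys=1 certs=1.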

Enable SSL/TLS Using PEM-Encoded Key and Certificates

You can use PEM-encoded files as the input for configuring SSL/TLS in the target Denodo Platform / Denodo Solution Manager installation.

Syntax for enabling SSL/TLS using PEM-encoded key and certificates
denodo_tls_configurator
    --keystore <path>
    --key-pem-file <path>
    --cert-pem-file <path>
    [ --cert-chain-pem-files <path_1>,...,<path_n> ]
    --truststore <path>
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --credentials-file <path>
    --denodo-home <path>

  • --key-pem-file <path>: path to a file with a PEM-encoded, unencrypted private key that will be used to initialize a keystore in the selected keystore path.

    PEM-encoded, unencrypted private key
    -----BEGIN RSA PRIVATE KEY-----
    MIIE1111AKCAQEAzkMYu2hUwJabbbQRVkxnZJ0dddd8SWUJVJxkj+iGJWwXZU7Z
    [...]
    k9mAGNOsS3kgoBnlvERsbpFggggIQ+cWKWW7777O03srpd2vF09876==
    -----END RSA PRIVATE KEY-----
    
  • --cert-pem-file <path>: path to a file with a PEM-encoded public X.509 certificate that will be imported into the selected truststore. This certificate must be associated with the provided private key.

    PEM-encoded public certificate
    -----BEGIN CERTIFICATE-----
    MIIFUjCCA1234567AgICEAEwDQY1234567cNAQELBQAwaj55555GA1UEBhhhhhhh
    [...]
    aaaFYgEPIE3bbbNV5114XccccyX4Rw==
    -----END CERTIFICATE-----
    
  • --cert-chain-pem-files <path_1>,...,<path_n>: optional list of paths to PEM-encoded files with a public certificate chain that will be imported into the selected truststore. These files can contain individual certificates of the chain or a concatenation of certificates.
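
The PEM-mode requirements above (an unencrypted key, a certificate that belongs to it, an optional chain) can be checked before running the script. This is an added example, not part of the Denodo documentation; it assumes the openssl command-line tool is installed, and the function names and exit codes are the example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for --key-pem-file, --cert-pem-file and
# --cert-chain-pem-files. Function names and exit codes are hypothetical.

# check_pem_pair KEY CERT
#   0 = key is unencrypted and belongs to the certificate
#   2 = key is passphrase-protected
#   3 = key or certificate cannot be read
#   4 = certificate does not belong to the key
check_pem_pair() {
    key=$1; cert=$2
    # Encrypted keys carry one of these markers (PKCS #8 / traditional format).
    if grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED' \
            "$key" 2>/dev/null; then
        echo "key is encrypted; --key-pem-file needs an unencrypted key" >&2
        return 2
    fi
    # Derive the public key from each file and compare the two.
    # "-passin pass:" supplies an empty passphrase so openssl never prompts.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "certificate does not belong to this private key" >&2
        return 4
    fi
    return 0
}

# count_chain_certs FILE...: total number of certificates across the chain
# files, whether each file holds one certificate or a concatenation.
count_chain_certs() {
    cat "$@" | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Stand-alone use: sh pem_preflight.sh key.pem cert.pem [chain.pem ...]
if [ "$#" -ge 2 ]; then
    check_pem_pair "$1" "$2" && echo "key/certificate pair OK"
    shift 2
    [ "$#" -eq 0 ] || echo "chain certificates: $(count_chain_certs "$@")"
fi
```

Because the key file is unencrypted, anyone who can read it holds the server's private key; keep it readable by the installing user only and remove it once the keystore has been generated.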

Disable SSL/TLS

You can disable SSL/TLS in the target Denodo Platform or Denodo Solution Manager installation by using this syntax:

Syntax for disabling SSL/TLS
denodo_tls_configurator
    [ --license-manager-uses-tls={true|false} ]
    [ --components component_1,...,component_n ]
    --disable-tls
    --denodo-home <path>