This document describes how to establish connections from Denodo Platform servers to remote servers through secure channels.
Client certificates can be configured for each tool in the Denodo Platform. To obtain a certificate, the Java utility called keytool must be used. This utility is included with the Denodo Platform in the internal Java Runtime Environment. Keytool manages databases of public/private key pairs, used to allow clients to access the server. This database is called a KeyStore.
Keytool can also manage databases (TrustStores) that contain certificates from trusted certification authorities (CA). When an SSL connection is established, the server sends its public key certificate to the client. Then, the client decides if it trusts the server by checking if a trusted certification authority has issued the certificate. A certification authority is trusted if its certificate is included in the TrustStore of the client.
The easiest way to make a certificate available to all the components of the Denodo Platform is to add it to the JVM used to run the Denodo servers and tools. If using the default embedded JVM, the certificate can be added to the cacerts file under <DENODO_HOME>/jre/lib/security/cacerts. To do so, run the following command:
"<DENODO_HOME>/jre/bin/keytool" -keystore <DENODO_HOME>/jre/lib/security/cacerts -importcert -alias serverkey -file serverkey-pem.cer
When prompted to trust this certificate, respond by typing y. In this example, serverkey is the alias for the certificate and serverkey-pem.cer is the certificate file.
The password of the trustStore needs to be provided. The default password of the <DENODO_HOME>/jre/lib/security/cacerts trustStore is changeit.
Run the following command to make sure that the certificate has been successfully imported:
"<DENODO_HOME>/jre/bin/keytool" -list -keystore <DENODO_HOME>/jre/lib/security/cacerts
After adding the certificate in this way it will be possible to connect to the remote server using a secure connection.
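The import and verification steps above can be scripted so that the trust decision rests on a fingerprint check rather than on typing y at the prompt. This is an added example, not part of the original Denodo article: the DENODO_HOME environment variable, the function names and the expected fingerprint (obtained out of band from the remote server's administrator) are assumptions.

```shell
#!/bin/sh
# Added example (not Denodo's code): import a certificate into the embedded
# JVM's cacerts only if its SHA-256 fingerprint matches a value obtained
# out of band. DENODO_HOME as an environment variable is an assumption.

# Reduce a fingerprint to bare uppercase hex so that "ab:cd", "AB CD" and
# "abcd" all compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only when both values are well-formed SHA-256 fingerprints
# (64 hex digits) and identical after normalization.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_fp() {
    "$DENODO_HOME/jre/bin/keytool" -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_verified ALIAS CERT_FILE EXPECTED_SHA256
import_verified() {
    store="$DENODO_HOME/jre/lib/security/cacerts"
    actual=$(cert_fp "$2")
    if ! fp_matches "$actual" "$3"; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    cp -p "$store" "$store.bak" || return 1   # keep a rollback copy
    # -noprompt is safe here because the trust decision was made above;
    # keytool still asks for the trustStore password.
    "$DENODO_HOME/jre/bin/keytool" -importcert -noprompt -alias "$1" \
        -file "$2" -keystore "$store" || return 1
    # Confirm the entry exists under the expected alias.
    "$DENODO_HOME/jre/bin/keytool" -list -alias "$1" -keystore "$store"
}

# Run only when called with three arguments, e.g.:
#   sh import-cert.sh serverkey serverkey-pem.cer "AB:CD:..."
if [ "$#" -eq 3 ]; then
    import_verified "$1" "$2" "$3"
fi
```

Restart the Denodo servers and tools after the import so the JVM reloads the trustStore.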
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
This error can be solved by adding the source certificate to the JVM used to run the Denodo servers and tools, as described above.
Denodo Platform Installation Guide: Enable SSL/TLS Connections in the Denodo Platform Servers
Denodo Platform Installation Guide: Obtaining and Installing a SSL/TLS Certificate
Denodo Platform Installation Guide: Enabling SSL in Denodo Platform Tools