SSL certificates are only valid for a limited period, typically one or several years, and expire after that. This document describes how to renew an expired SSL certificate in Denodo for an installation where SSL is already configured and working but the certificate needs to be renewed. The commands shown are meant for a Windows command prompt; on Linux systems, replace the backslashes with forward slashes to get the equivalent commands.
In short, the steps to renew the certificate are:
- Preparation: obtain the keystore file name, location and keystore password.
- Generate a keypair and obtain the public certificate.
- Import the public certificate into the truststore of the Denodo installation.
- Import the public certificate into the truststore of the clients.
Step 1: Preparation
Before starting, you should do the following actions:
- Get the location of your existing keystore file (ending with .jks). If you do not remember the location, you can look it up in your Denodo Platform installation: open the file <DENODO_HOME>\conf\vdp\VDBConfiguration.properties and read the value assigned to the property com.denodo.security.ssl.keyStore. The commands below assume that the jks file is located in your <DENODO_HOME> directory.
- Navigate to the location and rename the file, for example from denodo_server_key_store.jks to denodo_server_key_store_old.jks
- You need to know the keystore password that you specified when creating this jks file. If you do not remember it, it cannot be recovered and you need to configure SSL from scratch. In Denodo 8.0, the Denodo SSL/TLS Configurator Script can help you automate the whole process.
If you are unsure and want to verify the keystore password, execute the following command and enter the password when prompted. The command lists the keystore entries if the password is correct and reports an error (for example, "Keystore was tampered with, or password was incorrect") if it is not.
.\jre\bin\keytool -list -keystore denodo_server_key_store_old.jks
These preparation steps are needed because the jks file location, file name and keystore password are reused to create the new keystore file. The benefit of doing this is that you do not need to modify any configuration file in the Denodo Platform installation: the keystore location and password set in the different configuration files remain valid because they are the same as before.
Step 2: Generate a keypair and obtain the public certificate
In this step, you obtain and install the new SSL certificate. A certificate can be obtained in different ways (for example, generated as a self-signed certificate or requested from a certificate authority); these are explained in detail in the documentation section Obtaining and Installing an SSL/TLS Certificate.
When following those steps, make sure that you use the same values as obtained in the first step above. Keep in mind the following important points:
- When generating the keypair, specify the same jks name and keystore password as obtained in step 1.
- The keystore password and key password also need to match with each other, otherwise the Server will not start later.
- The new jks file must be stored in the same file location as the previous jks file.
- The alias name can be different from the previous configuration.
- The (exported) public certificate (file denodo_server_public_key.cer) can also have a different name.
Once you have obtained the public certificate you can proceed with the next step.
Step 3: Importing the public certificate into the truststore of the Denodo installation
After you obtain the public certificate (denodo_server_public_key.cer) you need to import it into the truststore of the Denodo installation. By default, this is set to <DENODO_HOME>\jre\lib\security\cacerts.
The command for importing the certificate under a specific alias is the following:
.\jre\bin\keytool -importcert -alias denodo-server-self-signed -file denodo_server_public_key.cer -cacerts -storepass "changeit" -noprompt
If you are using the same alias name as the first time you configured SSL, you need to remove the previous alias from the truststore. However, you can also just provide a different alias name.
If the alias already exists you will see the following error message:
keytool error: java.lang.Exception: Certificate not imported, alias <denodo-server-self-signed> already exists
To remove any specific alias, execute the following command (replace the alias name and <DENODO_HOME> with the appropriate values):
.\jre\bin\keytool -delete -alias denodo-server-self-signed -keystore <DENODO_HOME>\jre\lib\security\cacerts -storepass "changeit"
After you have deleted the previous alias (only if it was required), you can proceed to import the new certificate with the same alias name.
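Both the keystore check in Step 1 and the truststore import in Step 3 rely on reading `keytool -list -v` output by eye. The following script, an added example that is not part of the Denodo documentation, parses that output to report which aliases are expired, about to expire, or fine, so you can verify the old keystore before renewing and the `cacerts` truststore after importing. The sample listing is constructed; `list_keystore` runs the real `keytool` (the path to `<DENODO_HOME>\jre\bin\keytool` and the keystore password are assumptions you supply).

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of "keytool -list -v" output (not taken from a real installation)
SAMPLE_LISTING = """\
Alias name: denodo-server-self-signed
Entry type: trustedCertEntry
Owner: CN=denodo.example.com, O=Example
Valid from: Fri Jan 10 10:00:00 CET 2020 until: Sat Jan 09 10:00:00 CET 2021

Alias name: denodo-server-2024
Entry type: trustedCertEntry
Owner: CN=denodo.example.com, O=Example
Valid from: Fri Mar 01 09:00:00 CET 2024 until: Sun Mar 01 09:00:00 CET 2026
"""

ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)

def _keytool_date(text):
    # "Fri Jan 10 10:00:00 CET 2020": drop weekday and zone name, parse the rest
    t = text.split()
    return datetime.strptime(f"{t[1]} {t[2]} {t[3]} {t[5]}", "%b %d %H:%M:%S %Y")

def parse_listing(listing):
    """Map each alias in a keytool -list -v dump to its (not_before, not_after) pair."""
    entries = {}
    # split at every "Alias name:" so a validity line is attributed to its own alias
    for chunk in re.split(r"(?=^Alias name: )", listing, flags=re.M):
        alias, valid = ALIAS_RE.search(chunk), VALID_RE.search(chunk)
        if alias and valid:
            entries[alias.group(1).strip()] = (_keytool_date(valid.group(1)),
                                              _keytool_date(valid.group(2)))
    return entries

def expiry_report(listing, now, warn_days=30):
    """Classify every alias as 'expired', 'expiring' (within warn_days) or 'ok'."""
    report = {}
    for alias, (_, not_after) in parse_listing(listing).items():
        left = not_after - now
        report[alias] = ("expired" if left <= timedelta(0)
                         else "expiring" if left <= timedelta(days=warn_days) else "ok")
    return report

def list_keystore(keytool, keystore, storepass):
    """Dump a real keystore or truststore (e.g. cacerts with password 'changeit') for expiry_report."""
    cmd = [keytool, "-list", "-v", "-keystore", keystore, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

Running `expiry_report(list_keystore(r"<DENODO_HOME>\jre\bin\keytool", r"<DENODO_HOME>\jre\lib\security\cacerts", "changeit"), datetime.now())` after Step 3 should show the newly imported alias as "ok"; any alias still reported as "expired" is a leftover entry you can remove with the `-delete` command above.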
Step 4: Importing the public certificate into the truststore of clients
Once you have imported the certificate into the truststore of the Denodo Platform installation, you also need to import it into any other relevant truststores. For example, if you are connecting from a Virtual DataPort Administration Tool running on a different machine, the certificate must be imported into that machine's truststore to be able to connect. Keep in mind that if this Denodo Platform installation is accessed by the Solution Manager Server (for creating and deploying revisions), the certificate must also be imported into the Solution Manager's truststore, as it acts as a client.
You can review the documentation section for more details: