
Goal

This document gives a simple step-by-step walkthrough of how to configure SSL on Denodo Platform installations using a self-signed certificate.

Content

This guide assumes that the DENODO_HOME environment variable is set. All parameters within “<>” characters must be replaced.

Windows

Generate and install a self-signed SSL certificate

Generate new key pair in a key store

"%DENODO_HOME%\jre\bin\keytool" -genkeypair -alias self-signed -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keypass <keystore password> -keystore <keystore path *.jks> -storepass <keystore password> -storetype jks -validity 365 -ext "SAN=IP:10.100.0.1,IP:192.168.0.1,DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com"

Note that Subject Alternative Names are not required for JDBC or ODBC connections, but they are required by the browser when accessing the web tools of the Denodo Platform. If the web tools will be used, ensure that all the hostnames and IP addresses used to access the Denodo Platform are added into the “SAN” entry following the format shown above. If this is not necessary, everything including and after “-ext” can be removed.

Samples of valid SAN attributes:

SAN=IP:123.456.789.101,DNS:hostname.example.com,DNS:hostname

SAN=IP:123.456.789.101

SAN=DNS:hostname.example.com

Additionally, the keystore must be in the JKS format, and the password of the private key (-keypass) must match the password of the generated keystore (-storepass) so that Denodo can access the key.

Export self-signed certificate

"%DENODO_HOME%\jre\bin\keytool" -exportcert -alias self-signed -keystore <keystore path *.jks> -storepass <keystore password> -file <self-signed certificate path *.cer>

Import self-signed certificate into TrustStore

"%DENODO_HOME%\jre\bin\keytool" -importcert -alias self-signed -file <self-signed certificate path *.cer> -keystore "%DENODO_HOME%\jre\lib\security\cacerts" -storepass changeit

Uncomment and change properties in these files:

%DENODO_HOME%\conf\vdp\VDBConfiguration.properties

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=%DENODO_HOME%/jre/lib/security/cacerts

%DENODO_HOME%\conf\vdp-admin\VDBAdminConfiguration.properties

com.denodo.security.ssl.trustStore=%DENODO_HOME%/jre/lib/security/cacerts

%DENODO_HOME%\resources\apache-tomcat\conf\tomcat.properties

com.denodo.tomcat.https.port=9443

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=%DENODO_HOME%/jre/lib/security/cacerts

com.denodo.security.ssl.trustStorePassword=changeit

Comment out the non-SSL Connector and uncomment the SSL Connector in the file %DENODO_HOME%\resources\apache-tomcat\conf\server.xml (server.xml.template for Denodo versions prior to 6.0)

<!-- Define a non-SSL HTTP/1.1 Connector -->

<!--<Connector port="${com.denodo.tomcat.http.port}" … />-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="${com.denodo.tomcat.https.port}" … />

After enabling port 9443 and disabling port 9090, the port number of the Data Catalog registered in the Solution Manager must be changed as well. See the section Creating Servers of the Solution Manager Administration guide.

Linux

Generate and install a self-signed SSL certificate

Generate new key pair in a key store

"$DENODO_HOME/jre/bin/keytool" -genkeypair -alias self-signed -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keypass <keystore password -keystore <keystore path *.jks> -storepass <keystore password> -storetype jks -validity 365 -dname "CN=<CommonName>,OU=<OrganizationalUnit>,O=<Organization>,L=<Locality>,ST=<StateOrProvinceName>,C=<CountryName>" -ext "SAN=IP:<10.100.0.1>,IP:<192.168.0.1>,DNS:<myserver.mydomain.com>,DNS:<otherserver.otherdomain.com>"

Note that Subject Alternative Names are not required for JDBC or ODBC connections, but they are required by the browser when accessing the web tools of the Denodo Platform. If the web tools will be used, ensure that all the hostnames and IP addresses used to access the Denodo Platform are added into the “SAN” entry following the format shown above. If this is not necessary, everything including and after “-ext” can be removed.

Samples of valid SAN attributes:

SAN=IP:123.456.789.101,DNS:hostname.example.com,DNS:hostname

SAN=IP:123.456.789.101

SAN=DNS:hostname.example.com

Additionally, the keystore must be in the JKS format, and the password of the private key (-keypass) must match the password of the generated keystore (-storepass) so that Denodo can access the key.

Export self-signed certificate

"$DENODO_HOME/jre/bin/keytool" -exportcert -alias self-signed -keystore <keystore path *.jks> -storepass <keystore password> -file <self-signed certificate path *.cer>

Import self-signed certificate into TrustStore

"$DENODO_HOME/jre/bin/keytool" -importcert -alias self-signed -file <self-signed certificate path *.cer> -keystore "$DENODO_HOME/jre/lib/security/cacerts" -storepass changeit

Uncomment and change properties in these files:

$DENODO_HOME/conf/vdp/VDBConfiguration.properties

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=$DENODO_HOME/jre/lib/security/cacerts

$DENODO_HOME/conf/vdp-admin/VDBAdminConfiguration.properties

com.denodo.security.ssl.trustStore=$DENODO_HOME/jre/lib/security/cacerts

$DENODO_HOME/resources/apache-tomcat/conf/tomcat.properties

com.denodo.tomcat.https.port=9443

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=$DENODO_HOME/jre/lib/security/cacerts

com.denodo.security.ssl.trustStorePassword=changeit

Comment out the non-SSL Connector and uncomment the SSL Connector in the file $DENODO_HOME/resources/apache-tomcat/conf/server.xml (server.xml.template for Denodo versions prior to 6.0)

<!-- Define a non-SSL HTTP/1.1 Connector -->

<!--<Connector port="${com.denodo.tomcat.http.port}" … />-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="${com.denodo.tomcat.https.port}" … />

After enabling port 9443 and disabling port 9090, the port number of the Data Catalog registered in the Solution Manager must be changed as well. See the section Creating Servers of the Solution Manager Administration guide.
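
A post-edit check for the properties files listed in the Windows and Linux sections, as an added example that is not part of the Denodo article: it reports required keys that are still commented out, still carry a "<...>" placeholder, or leave SSL disabled. The function names, the sample file contents and the /opt/denodo path are constructed for illustration.

```shell
# Added example (not Denodo code): post-edit check of an SSL .properties file.

# prop_value FILE KEY: print the value of the last uncommented KEY=value line.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # line is still commented out
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next                      # literal compare, dots are not regex
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        }
        END { print v }' "$1"
}

# check_ssl_props FILE KEY...: one line per problem; returns 1 if any was found.
check_ssl_props() {
    file=$1; shift; rc=0
    for key in "$@"; do
        val=$(prop_value "$file" "$key")
        case $val in
            "")        echo "MISSING $key"; rc=1 ;;      # absent or commented out
            *"<"*">"*) echo "PLACEHOLDER $key"; rc=1 ;;  # <...> was not replaced
            *) [ "$key" != com.denodo.security.ssl.enabled ] || [ "$val" = true ] ||
                   { echo "DISABLED $key=$val"; rc=1; } ;;
        esac
    done
    return $rc
}

# Constructed sample: a half-edited tomcat.properties (values are made up).
write_sample() {
    cat > "$1" <<'EOF'
com.denodo.tomcat.https.port=9443
com.denodo.security.ssl.enabled=false
com.denodo.security.ssl.keyStore=<client keystore path *.jks>
#com.denodo.security.ssl.keyStorePassword=secret
com.denodo.security.ssl.trustStore=/opt/denodo/jre/lib/security/cacerts
com.denodo.security.ssl.trustStorePassword=changeit
EOF
}

sample=$(mktemp) && write_sample "$sample"
check_ssl_props "$sample" com.denodo.tomcat.https.port \
    com.denodo.security.ssl.enabled com.denodo.security.ssl.keyStore \
    com.denodo.security.ssl.keyStorePassword com.denodo.security.ssl.trustStore \
    com.denodo.security.ssl.trustStorePassword || true
rm -f "$sample"
```

Run it against each edited file with only the keys that file needs; for VDBAdminConfiguration.properties that is just com.denodo.security.ssl.trustStore.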

Disclaimer
The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments we recommend you to contact your Denodo Customer Success Manager.
