SSL Self-Signed Cert Installation

Goal

This document gives a simple step-by-step walkthrough of how to configure SSL on Denodo Platform installations using a self-signed certificate.

Content

This guide assumes that the DENODO_HOME environment variable is set. All parameters within “<>” characters must be replaced.

Windows

Generate and install a self-signed SSL certificate

Generate new key pair in a key store

"%DENODO_HOME%\jre\bin\keytool" -genkeypair -alias self-signed -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keypass <keystore password> -keystore <keystore path *.jks> -storepass <keystore password> -storetype jks -validity 365 -ext "SAN=IP:10.100.0.1,IP:192.168.0.1,DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com"

Note that Subject Alternative Names are not required for JDBC or ODBC connections, but they are required by the browser when accessing the web tools of the Denodo Platform. If the web tools will be used, ensure that all the hostnames and IP addresses used to access the Denodo Platform are added into the “SAN” entry following the format shown above. If this is not necessary, everything including and after “-ext” can be removed.

Samples of valid SAN attributes:

SAN=IP:123.456.789.101,DNS:hostname.example.com,DNS:hostname

SAN=IP:123.456.789.101

SAN=DNS:hostname.example.com

Additionally, note that it is required that the keystore is in the JKS format, and that the password of the private key matches the password of the generated Keystore in order for Denodo to be able to access the key.

Export self-signed certificate

"%DENODO_HOME%\jre\bin\keytool" -exportcert -alias self-signed -keystore <keystore path *.jks> -storepass <keystore password> -file <self-signed certificate path *.cer>

Import self-signed certificate into TrustStore

"%DENODO_HOME%\jre\bin\keytool" -importcert -alias self-signed -file <self-signed certificate path *.cer> -keystore "%DENODO_HOME%\jre\lib\security\cacerts" -storepass changeit

Uncomment and change properties in these files:

%DENODO_HOME%\conf\vdp\VDBConfiguration.properties

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=%DENODO_HOME%/jre/lib/security/cacerts

%DENODO_HOME%\conf\vdp-admin\VDBAdminConfiguration.properties

com.denodo.security.ssl.trustStore=%DENODO_HOME%/jre/lib/security/cacerts

%DENODO_HOME%\resources\apache-tomcat\conf\tomcat.properties

com.denodo.tomcat.https.port=9443

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=%DENODO_HOME%/jre/lib/security/cacerts

com.denodo.security.ssl.trustStorePassword=changeit

Comment the non-SSL Connector and uncomment the SSL Connector in the file %DENODO_HOME%\resources\apache-tomcat\conf\server.xml (server.xml.template for Denodo versions previous to 6.0)

<!-- Define a non-SSL HTTP/1.1 Connector -->

<!--<Connector port="${com.denodo.tomcat.http.port}" … />-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="${com.denodo.tomcat.https.port}" … />

After enabling port 9443 and disabling port 9090 the port number of the Data Catalog registered in the Solution Manager needs to be changed too. See section Creating Servers of the Solution Manager Administration guide.

Linux

Generate and install a self-signed SSL certificate

Generate new key pair in a key store

"$DENODO_HOME/jre/bin/keytool" -genkeypair -alias self-signed -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keypass <keystore password -keystore <keystore path *.jks> -storepass <keystore password> -storetype jks -validity 365 -dname "CN=<CommonName>,OU=<OrganizationalUnit>,O=<Organization>,L=<Locality>,ST=<StateOrProvinceName>,C=<CountryName>" -ext "SAN=IP:<10.100.0.1>,IP:<192.168.0.1>,DNS:<myserver.mydomain.com>,DNS:<otherserver.otherdomain.com>"

Note that Subject Alternative Names are not required for JDBC or ODBC connections, but they are required by the browser when accessing the web tools of the Denodo Platform. If the web tools will be used, ensure that all the hostnames and IP addresses used to access the Denodo Platform are added into the “SAN” entry following the format shown above. If this is not necessary, everything including and after “-ext” can be removed.

Samples of valid SAN attributes:

SAN=IP:123.456.789.101,DNS:hostname.example.com,DNS:hostname

SAN=IP:123.456.789.101

SAN=DNS:hostname.example.com

Additionally, note that it is required that the keystore is in the JKS format, and that the password of the private key matches the password of the generated Keystore in order for Denodo to be able to access the key.

Export self-signed certificate

"$DENODO_HOME/jre/bin/keytool" -exportcert -alias self-signed -keystore <keystore path *.jks> -storepass <keystore password> -file <self-signed certificate path *.cer>

Import self-signed certificate into TrustStore

"$DENODO_HOME/jre/bin/keytool" -importcert -alias self-signed -file <self-signed certificate path *.cer> -keystore "$DENODO_HOME/jre/lib/security/cacerts" -storepass changeit

Uncomment and change properties in these files:

$DENODO_HOME/conf/vdp/VDBConfiguration.properties

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=$DENODO_HOME/jre/lib/security/cacerts

$DENODO_HOME/conf/vdp-admin/VDBAdminConfiguration.properties

com.denodo.security.ssl.trustStore=$DENODO_HOME/jre/lib/security/cacerts

$DENODO_HOME/resources/apache-tomcat/conf/tomcat.properties

com.denodo.tomcat.https.port=9443

com.denodo.security.ssl.enabled=true

com.denodo.security.ssl.keyStore=<client keystore path *.jks>

com.denodo.security.ssl.keyStorePassword=<client keystore password>

com.denodo.security.ssl.trustStore=$DENODO_HOME/jre/lib/security/cacerts

com.denodo.security.ssl.trustStorePassword=changeit

Comment the non-SSL Connector and uncomment the SSL Connector in the file $DENODO_HOME/resources/apache-tomcat/conf/server.xml (server.xml.template for Denodo versions previous to 6.0)

<!-- Define a non-SSL HTTP/1.1 Connector -->

<!--<Connector port="${com.denodo.tomcat.http.port}" … />-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="${com.denodo.tomcat.https.port}" … />

After enabling port 9443 and disabling port 9090 the port number of the Data Catalog registered in the Solution Manager needs to be changed too. See section Creating Servers of the Solution Manager Administration guide.