
Goal

This document gives a simple step-by-step walkthrough of how to configure SSL on Denodo Platform installations using a self-signed certificate.

Content

This guide assumes that the DENODO_HOME environment variable is set. All parameters within “<>” characters must be replaced.

Generating Certificates

Generate and install a self-signed SSL certificate

Generate a new key pair in a keystore

"<DENODO_HOME>/jre/bin/keytool" -genkeypair -alias self-signed -keyalg RSA -keysize 2048 -keystore <keystore path *.jks> -storepass <keystore password> -storetype jks -validity 365 -ext "SAN=IP:10.100.0.1,IP:192.168.0.1,DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com"

Press Enter when prompted to make the key password the same as the keystore password.

Note that Subject Alternative Names are not required for JDBC or ODBC connections, but browsers require them when accessing the web tools of the Denodo Platform. If the web tools will be used, ensure that every hostname and IP address used to access the Denodo Platform is added to the “SAN” entry, following the format shown above. Otherwise, “-ext” and everything after it can be removed.

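Samples of valid SAN attribute formats (123.456.789.101 is a format placeholder; each octet of a real IPv4 address must be in the range 0-255):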

SAN=IP:123.456.789.101,DNS:hostname.example.com,DNS:hostname

SAN=IP:123.456.789.101

SAN=DNS:hostname.example.com
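The following is an added example, not part of the Denodo article: a Python check to run before calling keytool, confirming that the SAN value is well-formed and lists every name users will type to reach the web tools. The function names and the ACCESS_NAMES list are constructed for illustration; matching is exact, so wildcard entries are not handled.

```python
import ipaddress
import re

# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# SAN value copied from the keytool command on this page.
PAGE_SAN = ("SAN=IP:10.100.0.1,IP:192.168.0.1,"
            "DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com")
# Constructed sample: names users would type to reach the web tools.
ACCESS_NAMES = ["myserver.mydomain.com", "myserver", "10.100.0.1"]


def parse_san(ext_value):
    """Return (entries, errors) for a value such as 'SAN=IP:10.0.0.1,DNS:host'."""
    name, _, body = ext_value.partition("=")
    if name.strip().upper() != "SAN":
        raise ValueError("not a SAN extension: %r" % ext_value)
    entries, errors = set(), []
    for item in filter(None, (p.strip() for p in body.split(","))):
        kind, _, value = item.partition(":")
        if kind.upper() == "IP":
            try:  # normalises the address and rejects octets above 255
                entries.add(("IP", str(ipaddress.ip_address(value))))
            except ValueError:
                errors.append("invalid IP address: " + value)
        elif kind.upper() == "DNS":
            labels = value.rstrip(".").split(".")
            if len(value) <= 253 and all(_LABEL.match(lab) for lab in labels):
                entries.add(("DNS", value.lower()))
            else:
                errors.append("invalid DNS name: " + value)
        else:
            errors.append("SAN type not checked here: " + item)
    return entries, errors


def missing_from_san(ext_value, access_names):
    """List the access names the SAN does not cover (exact match only)."""
    entries, _ = parse_san(ext_value)
    missing = []
    for name in access_names:
        try:  # an IP literal must appear as an IP entry, not a DNS entry
            key = ("IP", str(ipaddress.ip_address(name)))
        except ValueError:
            key = ("DNS", name.lower())
        if key not in entries:
            missing.append(name)
    return missing
```

With the values above, missing_from_san(PAGE_SAN, ACCESS_NAMES) reports the short hostname myserver, which a browser would reject because only the fully qualified name is in the certificate.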

Additionally, the keystore must be in the JKS format, and the password of the private key must match the password of the generated keystore so that Denodo can access the key.

Export self-signed certificate

"<DENODO_HOME>/jre/bin/keytool" -exportcert -alias self-signed -keystore <keystore path *.jks> -storepass <keystore password> -file <self-signed certificate path *.cer>

Create a file named credentials.properties.

Note that this .properties file can have any name you want.

Now let's generate encrypted passwords and add them to the credentials properties file.

* Follow the steps below to generate each encrypted password:

    * Generate the encrypted password for the keystore:

      <DENODO_HOME>/bin/encrypt_password.bat <keystore password>

    * Generate the encrypted password for the truststore:

      <DENODO_HOME>/bin/encrypt_password.bat <truststore password>

        * Note that the default password for the truststore is changeit

* Open the credentials properties file and add the lines below:

keystore.password=<generated encrypted keystore password>

truststore.password=<generated encrypted truststore password>

Finally, use the denodo_tls_configurator script to update the configuration files of the Denodo Platform to use SSL/TLS connections and to import the certificate into the truststore.

<DENODO_HOME>/bin/denodo_tls_configurator.bat -d <DENODO_HOME> -k <keystore path *.jks> -ccf <self-signed certificate path *.cer> -t <DENODO_HOME>/jre/lib/security/cacerts -crf <credentials path to credentials.properties>

For more information on these topics, see the sections Creating a Keystore with a Self-Signed Certificate and Denodo SSL/TLS Configurator Script in the Denodo Platform Installation Guide.

After enabling port 9443 and disabling port 9090, the port number of the Data Catalog registered in the Solution Manager needs to be changed too. See the section Creating Servers of the Solution Manager Administration Guide.

Disclaimer
The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments, we recommend that you contact your Denodo Customer Success Manager.