Goal
This document describes how to configure the Denodo Virtual DataPort (VDP) server to connect to data sources that use an SSL connection.
Content
When the Denodo Virtual DataPort server establishes an SSL connection with a data source, the data source presents a certificate. Virtual DataPort relies on the Java Cryptography Architecture (JCA) to check whether the certificate is valid. JCA accepts certificates signed by known Certificate Authorities (CAs). To see the list of known CAs, execute the following commands:
$ cd <DENODO_HOME>/jre/bin
$ keytool -list -keystore <JAVA_HOME>/lib/security/cacerts
However, if the certificate used by the server is signed by an authority that is not present in this list, you have to import this certificate into the list of trusted certificates (called TrustStore).
To import a certificate into the TrustStore of the Java Runtime Environment (JRE), execute the following commands:
$ cd <DENODO_HOME>/jre/bin
$ keytool -importcert -alias <name of the certificate> -file <newcertificate>.crt -keystore ../lib/security/cacerts
This command will prompt for the password of the TrustStore, which by default is “changeit” (without quotes).
Explanation of the parameters:
- alias: this parameter is mandatory. The certificate will be stored in the TrustStore under this alias. If the TrustStore already contains a certificate with this alias, choose another alias.
- keystore: path to the TrustStore where the certificate will be stored. “../lib/security/cacerts” is the path of the TrustStore of the JRE included in the Denodo Platform. If you have uncommented the property com.denodo.security.ssl.trustStore in the file <DENODO_HOME>/conf/vdp/VDBConfiguration.properties, the value of this parameter has to be the value of that property instead of “../lib/security/cacerts”, because when the property is uncommented Virtual DataPort uses the TrustStore it points to rather than the JRE TrustStore. If you are going to launch Virtual DataPort with a JRE not included in the Denodo Platform and the property com.denodo.security.ssl.trustStore is commented, the value of this parameter has to be the path to the cacerts file of that other JRE, which is located in its lib/security directory.
To check that the certificate has been imported correctly, execute this command:
$ keytool -list -v -alias <name of the certificate> -keystore ../lib/security/cacerts
After adding a certificate, the Virtual DataPort server must be restarted for the changes to take effect.
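The rules above for choosing the -keystore value can be checked before importing, so the certificate goes into the TrustStore that Virtual DataPort actually reads. This is an added example, not Denodo tooling: the function names are hypothetical, and it assumes the property value is a plain path written on a single line.

```shell
#!/bin/sh
# Added example (not Denodo tooling). Function names are hypothetical.

# resolve_truststore DENODO_HOME [OTHER_JRE_HOME]
# Prints the TrustStore path to pass to keytool's -keystore option.
resolve_truststore() {
    denodo_home=$1
    other_jre=${2:-}   # assumption: given only when VDP runs on a non-bundled JRE
    props="$denodo_home/conf/vdp/VDBConfiguration.properties"
    configured=''
    if [ -r "$props" ]; then
        # A commented-out line starts with '#', so it never matches here.
        # If the property appears more than once, the last definition is used.
        configured=$(sed -n \
            's/^[[:space:]]*com\.denodo\.security\.ssl\.trustStore[[:space:]]*[=:][[:space:]]*//p' \
            "$props" | tail -n 1 | tr -d '\r')
    fi
    if [ -n "$configured" ]; then
        printf '%s\n' "$configured"                           # property uncommented
    elif [ -n "$other_jre" ]; then
        printf '%s\n' "$other_jre/lib/security/cacerts"       # external JRE
    else
        printf '%s\n' "$denodo_home/jre/lib/security/cacerts" # bundled JRE
    fi
}

# print_import_commands DENODO_HOME ALIAS CERT_FILE [OTHER_JRE_HOME]
# Prints (does not run) the import and verification commands for that TrustStore.
print_import_commands() {
    ts=$(resolve_truststore "$1" "${4:-}")
    printf 'keytool -importcert -alias "%s" -file "%s" -keystore "%s"\n' "$2" "$3" "$ts"
    printf 'keytool -list -v -alias "%s" -keystore "%s"\n' "$2" "$ts"
}

# Usage: sh this_script.sh <DENODO_HOME> <alias> <certificate file> [<other JRE home>]
if [ "$#" -ge 3 ]; then
    print_import_commands "$@"
fi
```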