Goal

This document describes how to establish connections from Denodo Platform servers to remote servers through secure channels.

Content

SSL certificates can be configured for each tool in the Denodo Platform. To obtain a certificate, the Java utility called keytool must be used. This utility is included with the Denodo Platform in the internal Java Runtime Environment. Keytool manages databases of public/private key pairs, used to allow clients to access the server. Such a database is called a KeyStore.

Keytool can also manage databases (TrustStores) that contain certificates from trusted certification authorities (CA). When an SSL connection is established, the server sends its public key certificate to the client. Then, the client decides if it trusts the server by checking if a trusted certification authority has issued the certificate. A certification authority is trusted if its certificate is included in the TrustStore of the client.

The easiest way to make a certificate available to all the components of the Denodo Platform is to add it to the JVM used to run the Denodo servers and tools. If you use the default embedded JVM, the certificate can be added to the cacerts file at <DENODO_HOME>/jre/lib/security/cacerts. To do so, run the following command:

"<DENODO_HOME>/jre/bin/keytool" -keystore <DENODO_HOME>/jre/lib/security/cacerts -importcert -alias serverkey -file serverkey-pem.cer

When prompted to trust this certificate, respond by typing y. In this example serverkey is the alias for the certificate and serverkey-pem.cer is the certificate file.  

The password of the trustStore needs to be provided. The default password of the <DENODO_HOME>/jre/lib/security/cacerts trustStore is changeit.

Run the following command to make sure that the certificate has been successfully imported:

"<DENODO_HOME>/jre/bin/keytool" -list -keystore <DENODO_HOME>/jre/lib/security/cacerts

After adding the certificate in this way it will be possible to connect to the remote server using a secure connection.
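
The following is an added example, not part of the original Denodo article: a shell check that the alias reported by the -list command above is a trusted-certificate entry whose fingerprint equals the value obtained separately from the remote server's owner. The function names and the sample listing are constructed for illustration, and the listing layout (an alias line followed by a "Certificate fingerprint" line) is an assumption about keytool's default output.

```shell
#!/bin/sh
# Added example: check a `keytool -list` listing for one alias and compare its
# fingerprint with the value obtained out of band from the server's owner.

# Constructed sample listing (fingerprints shortened; real SHA-256 values have 32 bytes).
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

otherca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88
serverkey, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11'

# Read a listing on stdin and print the fingerprint recorded for alias $1.
# Fails if the alias is absent or is not a trustedCertEntry.
alias_fingerprint() {
  awk -v want="$1" '
    found { sub(/^.*\): */, ""); print; ok = 1; exit }
    index($0, want ",") == 1 && /trustedCertEntry/ { found = 1 }
    END { exit !ok }
  '
}

# Strip separators and upper-case hex digits so formatting differences do not matter.
normalize() { printf '%s' "$1" | tr -d ': \r\n' | tr 'a-f' 'A-F'; }

# Usage: <listing> | verify_import ALIAS EXPECTED_FINGERPRINT
# Returns 0 on match, 1 on fingerprint mismatch, 2 if the alias is not a trusted entry.
verify_import() {
  vi_got=$(alias_fingerprint "$1") || {
    echo "alias '$1' not found as trustedCertEntry" >&2; return 2; }
  [ "$(normalize "$vi_got")" = "$(normalize "$2")" ] || {
    echo "fingerprint mismatch for '$1': store has $vi_got" >&2; return 1; }
  echo "alias '$1' is trusted with the expected fingerprint"
}

# Demo on the constructed listing; the expected value is given in lower case on purpose.
printf '%s\n' "$SAMPLE_LIST" | verify_import serverkey "aa:bb:cc:dd:ee:ff:00:11"

# Against the real store (command from the article, password supplied non-interactively):
#   "<DENODO_HOME>/jre/bin/keytool" -list -keystore <DENODO_HOME>/jre/lib/security/cacerts \
#       -storepass changeit | verify_import serverkey "$EXPECTED"
```

The fingerprint of the certificate file itself can be read before the import with keytool -printcert -file serverkey-pem.cer, so the same expected value can be checked both before answering y and after the import.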

Troubleshooting

  • SSLHandshakeException: This error (or a similar one) is shown in the log when trying to establish a connection to a source:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

This error can be solved by adding the source certificate to the JVM used to run the Denodo servers and tools, as described above.
