Hitachi Vantara Lumada and Pentaho Documentation

SSL configuration

Lumada Data Catalog uses Secure Sockets Layer (SSL) when communicating with other applications in two ways:

  • Requests to the web server from browsers.
  • Requests to other applications from the web server and other Data Catalog components.

Follow the configuration steps in this article for the method you choose. The SSL configuration files for each Data Catalog component are located in the following directories:

Component: Lumada Data Catalog Application server
  • Keystore

    <LDC-HOME>/app-server/jetty-distribution-*/ldc-base/etc/keystore

  • HTTPS

    <LDC-HOME>/app-server/jetty-distribution-*/ldc-base/start.d/https.ini

  • SSL

    <LDC-HOME>/app-server/jetty-distribution-*/ldc-base/start.d/ssl.ini

  • Port

    <LDC-HOME>/app-server/conf/install.properties

  • Trust store

    Not applicable on the Lumada Data Catalog Application server; you must create your own.

Component: Lumada Data Catalog Metadata-server
  • Keystore

    <LDC-HOME>/metadata-server/conf/keystore

  • Trust store

    <LDC-HOME>/metadata-server/conf/ldc-truststore

Component: Agent
  • Keystore

    <LDC-HOME>/agent/conf/keystore

  • Trust store

    <LDC-HOME>/agent/conf/ldc-truststore

Set up SSL from browsers to the Data Catalog web server

You can configure Data Catalog to listen through SSL for requests from browsers. You need the following:
  • A server X.509 certificate for the external application server address. This can be a certificate issued by a commercial CA such as RSA or VeriSign, or a self-signed certificate.
  • A keystore inside the Data Catalog web application server distribution to hold that certificate and its private key.

See the Jetty documentation for instructions to generate a self-signed certificate and to create and load keystore values: Generating key pairs and certificates

Perform the following steps to update the Data Catalog with external certificates for SSL communication:

Procedure

  1. Migrate the generated keystore to the PKCS12 type with keytool's importkeystore command. For more information, see the Key and Certificate Management Tool keytool documentation.

    $ keytool -importkeystore -srckeystore path/to-generated/.keystore \
          -destkeystore path/to-generated/.keystore -deststoretype pkcs12
  2. Import the custom keystore into the Data Catalog app-server and metadata-server keystores using the following commands:

    $ cd <LDC-HOME>/app-server
    $ keytool -importkeystore -srckeystore /opt/keystore \
          -destkeystore /opt/ldc/app-server/jetty-distribution-9.4.18.v20190429/ldc-base/etc/keystore
    $ cd <LDC-HOME>/metadata-server
    $ keytool -importkeystore -srckeystore /opt/keystore \
          -destkeystore /opt/ldc/metadata-server/conf/keystore
  3. Stop the Data Catalog services.

    <LDC-HOME/app-server>$ bin/app-server stop 
    <LDC-HOME/metadata-server>$ bin/metadata-server stop
        
  4. Obfuscate the keystore password and use the obfuscated string (OBF:XXXX) as the value of the three password properties in the ssl.ini file: jetty.sslContext.keyStorePassword, jetty.sslContext.keyManagerPassword, and jetty.sslContext.trustStorePassword.

    $ java -cp jetty-distribution-9.4.18.v20190429/lib/jetty-util-9.4.11.v20180605.jar \
          org.eclipse.jetty.util.security.Password s3cr3t
    OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    For specific details on obfuscating passwords, see the Jetty documentation on secure password obfuscation. Note that OBF obfuscation is reversible encoding, not encryption: it only keeps the password from being read at a glance, so restrict read access to ssl.ini to the service user.

  5. Paste the obfuscated string from the previous step into the three password properties in the ssl.ini file.

    <LDC-HOME/app-server>$ vi jetty-distribution-9.4.18.v20190429/ldc-base/start.d/ssl.ini
    # ---------------------------------------
    # Module: ssl
    # Enables a TLS(SSL) Connector on the server.
    # This may be used for HTTPS and/or HTTP2 by enabling
    # the associated support modules.
    # ---------------------------------------
    --module=ssl

    ### TLS(SSL) Connector Configuration
    ...
    ...
    ...
    jetty.sslContext.keyStorePassword=OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    jetty.sslContext.keyManagerPassword=OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    jetty.sslContext.trustStorePassword=OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  6. (Optional) Change the port Data Catalog uses to listen for SSL requests. By default, Data Catalog listens on port 4039.

    <LDC-HOME/app-server>$ vi conf/install.properties
    ## The maximum allowed size in bytes for a HTTP request header
    #JETTY_REQUEST_HEADER_SIZE=

    LDC_JETTY_HTTP_PORT=8082
    LDC_JETTY_HTTPS_PORT=4039
    LDC_WEB_DAEMON_PORT=4082
    LDC_SERVICE_USER=ldcuser
    LDC_LOG_DIR=/var/log/ldc
  7. Start the app-server.

    $ bin/app-server start
  8. After you configure and verify that SSL is working correctly, perform the following changes in the ldc-override-descriptor.xml file to force a redirect of all traffic over the secure HTTPS port.

    1. Open the ldc-override-descriptor.xml file in a text editor using the following command:

      $ vi jetty-distribution-9.4.18.v20190429/ldc-base/etc/ldc-override-descriptor.xml

    2. Then add the following content under the web-app element:

      <web-app>
          ...
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>*</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          ...    
      </web-app>
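The OBF: value written into ssl.ini in steps 4 and 5 is produced by a reversible encoding, which is why the file's permissions matter. The following is an added example, not code from the Data Catalog documentation or from Jetty itself: a Python re-implementation of the OBF scheme used by org.eclipse.jetty.util.security.Password, plus a small check that every password property in an ssl.ini carries an OBF: value rather than a clear-text one. The ssl.ini fragment it checks is a constructed sample; the three property names are the ones shown in the ssl.ini above.

```python
# Added example (not from the Lumada Data Catalog docs or from Jetty): a Python
# re-implementation of Jetty's OBF password obfuscation, the scheme printed as
# "OBF:..." by org.eclipse.jetty.util.security.Password. It exists to show that
# the value in ssl.ini is encoded, not encrypted, so the file itself must be
# protected with restrictive permissions.

OBF_PREFIX = "OBF:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering, matching Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Encode a password the way Jetty's Password.obfuscate() does."""
    b = password.encode("utf-8")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]          # byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:      # non-ASCII bytes use the 'U' form
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Reverse obfuscate(); accepts the string with or without the OBF: prefix."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                   # 'U' + 4 base-36 chars: high byte is the original
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                             # 4 base-36 chars: (i1 + i2 - 254) / 2 recovers the byte
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)
            i += 4
    return raw.decode("utf-8")


PASSWORD_PROPERTIES = (
    "jetty.sslContext.keyStorePassword",
    "jetty.sslContext.keyManagerPassword",
    "jetty.sslContext.trustStorePassword",
)

# Constructed ssl.ini fragment: two properties obfuscated, one left in clear text.
SAMPLE_SSL_INI = """\
--module=ssl
### TLS(SSL) Connector Configuration
jetty.sslContext.keyStorePassword=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
jetty.sslContext.keyManagerPassword=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
jetty.sslContext.trustStorePassword=s3cr3t
"""


def ssl_ini_secrets_are_obfuscated(ssl_ini_text: str) -> dict:
    """Map each password property to True if its value starts with OBF:, else False
    (a property that is missing entirely is also reported as False)."""
    found = {}
    for line in ssl_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in PASSWORD_PROPERTIES:
            found[key] = value.startswith(OBF_PREFIX)
    return {k: found.get(k, False) for k in PASSWORD_PROPERTIES}


if __name__ == "__main__":
    print(obfuscate("s3cr3t"), deobfuscate(obfuscate("s3cr3t")))
    for prop, ok in ssl_ini_secrets_are_obfuscated(SAMPLE_SSL_INI).items():
        print(f"{prop}: {'OBF' if ok else 'CLEAR TEXT'}")
```

Because deobfuscate() recovers the original in a few lines, treat ssl.ini as you would the keystore itself: owned by the service user, not group- or world-readable, and excluded from backups or tickets that are shared more widely.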

Set up SSL from the Data Catalog components to other applications

To make sure the Data Catalog components use SSL when they connect as clients to other applications, such as databases, their own Postgres repository, and Solr, add the following option to the Data Catalog installation configuration file, install.properties. The install.properties file is located in the <LDC Install Dir>/app-server/conf/ directory.

Application server

Edit the install.properties file to include the following additional property:

TRUST_STORE_FILE=/path/to/TrustStore

The Data Catalog start scripts for the Jetty web server use this setting to ensure the web server finds the certificate.

Note: The app-server does not have a default trust store configured. You can create one, import custom and self-signed certificates into it, and then point to it by setting TRUST_STORE_FILE=/path/to/trust-store in conf/install.properties.

Metadata-server and agent

Both the Metadata-server and agent components ship with a default trust store, used for their internal validation against the App-server component. Any custom or self-signed certificates must be imported into this trust store using keytool, and the path to this trust store must be provided in the install.properties file of both the agent and the Metadata server.

Use the following instructions:

  1. Import any custom and self-signed certificates into the existing Data Catalog trust store of the Metadata server and of each agent.

    $ cd <LDC-HOME>/metadata-server
    $ keytool -importkeystore -srckeystore /path/to-custom/keystore \
          -destkeystore /opt/ldc/metadata-server/conf/ldc-truststore
    $ cd <LDC-HOME>/agent
    $ keytool -importkeystore -srckeystore /path/to-custom/keystore \
          -destkeystore /opt/ldc/agent/conf/ldc-truststore
  2. Add the path to this trust store to the conf/install.properties file of both the Metadata-server and the agent(s):

    $ cd <LDC-HOME>/metadata-server
    $ vi conf/install.properties
    # Major version number only - can be either 5 or 7.
    SOLRJ_CLIENT_MAJOR_VERSION=7

    TRUST_STORE_FILE=/opt/ldc/metadata-server/conf/ldc-truststore

    #============================================
    # Jetty Related configs
    #============================================

    JETTY_MEMORY_ARGS="-Xss2m -Xms512m -Xmx6144m"
  3. Repeat the previous step for every agent, pointing TRUST_STORE_FILE at the agent's own trust store (<LDC-HOME>/agent/conf/ldc-truststore).

Other components

Data Catalog components such as adapters and utilities should likewise use SSL when they connect as clients to other applications in the environment. To ensure this, add the following JVM option to their invocation scripts:

-Djavax.net.ssl.trustStore=/path/to/MyTrustStore

For example, when Cloudera Navigator is configured to receive requests using SSL, the Data Catalog Navigator adapter needs to know the location of the trust store when it is called. Edit the importOperations and exportTagAssociation scripts to include the additional parameter in the java command, as follows:

java -Djavax.net.ssl.trustStore=/path/to/TrustStore ${LOGGING_OPTS} -cp ${CONF}:${JAR}:${LIBJARS}:${RESOURCES} com.ldc.navigator.sync.NavigatorSynchronizer importOperations "$@"
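After several components have each been given a TRUST_STORE_FILE (the Metadata-server and agent steps above) and the adapter scripts a -Djavax.net.ssl.trustStore option, it is easy for one of them to point at the wrong store or at nothing at all. The following is an added example, not part of the Data Catalog documentation: it parses the key=value format of install.properties, checks each component's TRUST_STORE_FILE against the shipped trust store locations from the table at the top of this article, and derives the -Djavax.net.ssl.trustStore option for an adapter from the same property. LDC_HOME, the three property file contents and the function names are assumptions constructed for the example; an operator who deliberately shares a single trust store across components would adjust EXPECTED_TRUSTSTORE accordingly.

```python
# Added example, not from the Lumada Data Catalog documentation. Audits the
# TRUST_STORE_FILE setting of each component's install.properties and derives
# the -Djavax.net.ssl.trustStore option for adapter/utility scripts.
from pathlib import PurePosixPath

LDC_HOME = "/opt/ldc"  # assumption: install root used in the constructed samples

# Shipped trust store per component, as listed in the article's table. The
# app-server ships none, so any path the operator created is accepted there.
EXPECTED_TRUSTSTORE = {
    "metadata-server": f"{LDC_HOME}/metadata-server/conf/ldc-truststore",
    "agent": f"{LDC_HOME}/agent/conf/ldc-truststore",
}

# Constructed install.properties contents for the three components.
SAMPLE_PROPERTIES = {
    "app-server": """
## The maximum allowed size in bytes for a HTTP request header
#JETTY_REQUEST_HEADER_SIZE=
LDC_JETTY_HTTP_PORT=8082
LDC_JETTY_HTTPS_PORT=4039
TRUST_STORE_FILE=/opt/ldc/app-server/conf/my-truststore
""",
    "metadata-server": """
SOLRJ_CLIENT_MAJOR_VERSION=7
# points at the agent's store instead of its own
TRUST_STORE_FILE=/opt/ldc/agent/conf/ldc-truststore
JETTY_MEMORY_ARGS="-Xss2m -Xms512m -Xmx6144m"
""",
    "agent": """
SOLRJ_CLIENT_MAJOR_VERSION=7
# TRUST_STORE_FILE=/opt/ldc/agent/conf/ldc-truststore   (still commented out)
""",
}


def parse_properties(text: str) -> dict:
    """Minimal parser for install.properties: skips blank lines and '#' comments,
    strips matching surrounding quotes, keeps the last assignment of a repeated key."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        props[key] = value
    return props


def check_trust_store(component: str, text: str) -> list:
    """Return findings for one component; an empty list means it matches the article."""
    findings = []
    path = parse_properties(text).get("TRUST_STORE_FILE")
    if not path:
        findings.append(f"{component}: TRUST_STORE_FILE is not set")
        return findings
    if not PurePosixPath(path).is_absolute():
        findings.append(f"{component}: TRUST_STORE_FILE must be an absolute path, got {path!r}")
    expected = EXPECTED_TRUSTSTORE.get(component)
    if expected and path != expected:
        findings.append(f"{component}: TRUST_STORE_FILE is {path}, expected {expected}")
    return findings


def java_trust_store_option(text: str) -> str:
    """Build the -Djavax.net.ssl.trustStore option an adapter script needs,
    from the same TRUST_STORE_FILE property, so the two cannot drift apart."""
    path = parse_properties(text).get("TRUST_STORE_FILE")
    if not path:
        raise ValueError("TRUST_STORE_FILE is not set")
    return f"-Djavax.net.ssl.trustStore={path}"


def audit_all(samples: dict = SAMPLE_PROPERTIES) -> dict:
    """Run check_trust_store over every component and collect the findings."""
    return {name: check_trust_store(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for component, findings in audit_all().items():
        print(component, "OK" if not findings else "; ".join(findings))
    print(java_trust_store_option(SAMPLE_PROPERTIES["app-server"]))
```

Run against the constructed samples, the audit passes the app-server, flags the Metadata-server for pointing at the agent's store, and flags the agent for having the property commented out; pointing the same function at the real files under <LDC-HOME> is a quick post-installation check before you enable the HTTPS-only redirect.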