SSL configuration
Lumada Data Catalog uses Secure Sockets Layer (SSL) when communicating with other applications in two ways:
- Requests to the web server from browsers.
- Requests to other applications from the web server and other Data Catalog components.
Follow the configuration steps in this article for the method you choose. Use the Data Catalog configuration files for SSL which are located in the following directories listed by component:
| Component | Configuration File Location |
| Lumada Data CatalogApplication server |
|
| Lumada Data CatalogMetadata-server |
|
| Agent |
|
Set up SSL from browsers to the Data Catalog web server
- Server X.509 certificate for the external application server address. This certificate can be a real RSA, VeriSign, or similar certificate, or a self-signed certificate.
- Secure keystore inside Data Catalog web application server distribution.
See the Jetty documentation for instructions to generate a self-signed certificate and to create and load keystore values: Generating key pairs and certificates
Perform the following steps to update the Data Catalog with external certificates for SSL communication:
Procedure
Migrate the generated keystore to the PKCS12 type by entering keytool's
importkeystorecommand. For more information, see the Key and Certificate Management Tool keytool documentation.$ keytool -importkeystore -srckeystore path/to-generated/.keystore -destkeystore path/to-generated/.keystore -deststoretype pkcs12Import the custom keystore to the Data Catalog app-server and metadata-server keystore using the following commands:
$ cd <LDC-HOME>/app-server` $ keytool -importkeystore -srckeystore /opt/keystore -destkeystore /opt/ldc/app-server/jetty-distribution-9.4.18.v20190429/ldc-base/etc/keystore $ cd <LDC-HOME>/metadata-server` $ keytool -importkeystore -srckeystore /opt/keystore -destkeystore /opt/ldc/metadata-server/conf/keystoreStop the Data Catalog services.
<LDC-HOME/app-server>$ bin/app-server stop <LDC-HOME/metadata-server>$ bin/metadata-server stopObfuscate the password and use the obfuscated string (OBF:XXXX) to update the password in the ssl.ini file for all three arguments: jetty.keystore.password, jetty.keymanager.password, jetty.truststore.password.
$ java -cp jetty-distribution-9.4.18.v20190429/lib/jetty-util-9.4.11.v20180605.jar org.eclipse.jetty.util.security.Password s3cr3t OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFor specific details on obfuscating passwords, see the Jetty documentation on secure password obfuscation.
Replace the string in the previous step in the ssl.ini file.
<LDC-HOME/app-server>$ vi jetty-distribution-9.4.18.v20190429/ldc-base/start.d/ssl.ini # --------------------------------------- # Module: ssl # Enables a TLS(SSL) Connector on the server. # This may be used for HTTPS and/or HTTP2 by enabling # the associated support modules. # --------------------------------------- --module=ssl ### TLS(SSL) Connector Configuration ... ... ... jetty.sslContext.keyStorePassword=OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx jetty.sslContext.keyManagerPassword=OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx jetty.sslContext.trustStorePassword=OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(Optional) Change the port Data Catalog uses to listen for SSL requests. By default, Data Catalog listens on port 4039.
<LDC-HOME/app-server>$ vi conf/install.properties ## The maximum allowed size in bytes for a HTTP request header #JETTY_REQUEST_HEADER_SIZE= LDC_JETTY_HTTP_PORT=8082 LDC_JETTY_HTTPS_PORT=4039 LDC_WEB_DAEMON_PORT=4082 LDC_SERVICE_USER=ldcuser LDC_LOG_DIR=/var/log/ldc
Start the app-server.
$ bin/app-server startAfter you configure and verify that SSL is working correctly, perform the following changes in the ldc-override-descriptor.xml file to force a redirect of all traffic over the secure HTTPS port.
Open the ldc-override-descriptor.xml file on a text editor using the following command:
$ vi jetty-distribution-9.4.18.v20190429/ldc-base/etc/ldc-override-descriptor.xmlThen add the following content under the
web-appelement:<web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>*</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </web-app>
Setting up SSL from the Data Catalog components to other applications
To make sure the Data Catalog components use SSL when it connects as a client to other applications, such as databases, its own Postgres repository, and Solr, add the following option to the Data Catalog installation configuration install.properties file. You can locate the install.properties file in the <LDC Install Dir>/app-server/conf/ directory.
Edit the install.properties file to include the following additional property:
TRUST_STORE_FILE=/path/to/TrustStore
The Data Catalog start scripts for the Jetty web server use this setting to ensure the web server finds the certificate.
Both Metadata-server and agent components are shipped with a default trust store for their internal validations with the App-server component. Any custom or self-signed certificates must be imported into this trust store using keytool, and the path to this trust store must be provided in the install.properties file of both the agent and the Metadata server.
Use the following instructions:
- Import any custom and self-signed certificates to the Data Catalog's existing trust store for the Metadata server and agent(s).
$ cd <LDC-HOME>/metadata-server` $ keytool -importkeystore -srckeystore /path/to-custom/keystore -destkeystore /opt/ldc/metadata-server/conf/ldc-truststore $ cd <LDC-HOME>/agent` $ keytool -importkeystore -srckeystore /path/to-custom/keystore -destkeystore /opt/ldc/agent/conf/ldc-truststore - Add the path to this trust store in the
conf/install.propertiesfolder for both the Metadata-server and the agent(s) using the following commands:$ cd <LDC-HOME>/metadata-server` $ vi conf/install.properties
# Major version number only - can be either 5 or 7. SOLRJ_CLIENT_MAJOR_VERSION=7 TRUST_STORE_FILE=/opt/ldc/agent/conf/ldc-truststore #============================================ # Jetty Related configs #============================================ JETTY_MEMORY_ARGS="-Xss2m -Xms512m -Xmx6144m"
- Add the paths to the trust store for all agents using the method in the previous step.
Data Catalog components, such as adapters and utilities, should correctly use SSL when they connect as a client to other applications in the environment. To ensure this process, add the following option to their invocation scripts:
-Djavax.net.ssl.trustStore=/path/to/MyTrustStore
For example, when Cloudera Navigator is configured to receive requests using SSL, the Data Catalog Navigator adapter needs to know the location of the trust store when it is called. Edit the importOperations and exportTagAssociation scripts to include the additional parameter in the java command, as follows:
java -Djavax.net.ssl.trustStore=/path/to/TrustStore ${LOGGING_OPTS} -cp ${CONF}:${JAR}:${LIBJARS}:${RESOURCES} com.ldc.navigator.sync.NavigatorSynchronizer importOperations "$@"