Hitachi Vantara Lumada and Pentaho Documentation

SSL configuration


There are two ways that the Lumada Data Catalog uses Secure Sockets Layer (SSL, in practice its successor TLS) when communicating with other applications:

  • Requests to the web server from browsers
  • Requests to other applications from the web server and other Data Catalog components

These implementations involve separate configuration steps.

Set up SSL from browsers to the Data Catalog web server

You can configure Data Catalog to listen for browser requests over SSL. This setup requires:
  • A server X.509 certificate issued for the external address of the application server, that is, the hostname users type into the browser. It can be a certificate issued by a public or internal certificate authority (CA) or a self-signed certificate; a self-signed certificate must be distributed to every browser and client that is expected to trust it.
  • A secure keystore inside the Data Catalog web application server distribution that holds that certificate and its private key.

The Jetty documentation provides instructions for generating a self-signed certificate and for creating and loading keystore values: Generating key pairs and certificates

The Data Catalog web application configuration lives in the following directories and files:

Component        Configuration file location
Location base    <WLD Install Dir>/app-server/jetty-distribution-*/waterlinedata-base
  Keystore       etc/keystore
  HTTPS          start.d/https.ini
  SSL            start.d/ssl.ini
Location base    <WLD Install Dir>/app-server/conf
  Port           install.properties

The relative paths listed under each location base are resolved against that base.

Perform the following steps to update these files for SSL:

Procedure

  1. Copy or symlink the keystore file into the web server configuration directory. The commands below use the Jetty 9.4.11 distribution directory; substitute the version shipped with your installation:

    $ cp /path/to/officialkeystore <install_location>/app-server/jetty-distribution-9.4.11.v20180605/waterlinedata-base/etc

  2. Rename the keystore file to "keystore", overwriting the sample keystore that ships with the distribution:

    $ cd <install_location>/app-server

    $ mv jetty-distribution-9.4.11.v20180605/waterlinedata-base/etc/officialkeystore jetty-distribution-9.4.11.v20180605/waterlinedata-base/etc/keystore

  3. Stop the Data Catalog services.

    $ bin/app-server Stop

  4. Obfuscate the keystore password and use the obfuscated string (OBF:XXXX) as the value of all three password properties in ssl.ini: jetty.keystore.password, jetty.keymanager.password and jetty.truststore.password. Using one value for all three assumes the private key entry shares the keystore password, which is how keytool creates it by default. The Password tool prints the OBF, MD5 and CRC forms of the password; only the OBF form can be used here, because Jetty must recover the clear-text password to open the keystore.

    $ java -cp jetty-distribution-9.4.11.v20180605/lib/jetty-util-9.4.11.v20180605.jar org.eclipse.jetty.util.security.Password s3cr3t

    $ vi jetty-distribution-9.4.11.v20180605/waterlinedata-base/start.d/ssl.ini

    Obfuscation is not encryption: anyone who can read ssl.ini can recover the password, so restrict read access on ssl.ini and on etc/keystore to the account that runs the Data Catalog services. For specific details on obfuscating passwords, refer to the Jetty documentation on secure password obfuscation.

  5. If desired, change the port on which Data Catalog listens for SSL requests. By default, Data Catalog listens on 4039. Then start the services again.

    $ vi conf/install.properties

    $ bin/app-server Start

  6. After you have confirmed that SSL works, force all traffic onto the secure HTTPS port by adding a transport guarantee to the web application's override descriptor:

    1. Open the waterlinedata-override-descriptor.xml file in a text editor such as vi:

      $ vi jetty-distribution-9.4.11.v20180605/waterlinedata-base/etc/waterlinedata-override-descriptor.xml

    2. Add the following security-constraint under the web-app element. The CONFIDENTIAL transport guarantee makes Jetty answer any plain-HTTP request with a redirect to the HTTPS URL. Restart the services afterwards and confirm that a request to the plain HTTP port is redirected to the HTTPS port chosen in step 5, and that the HTTPS port itself still serves the application:

      <web-app>
          ...
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>*</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          ...    
      </web-app>
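To make the caveat in step 4 concrete, the following added example (not code from this page, the product or Jetty) reimplements the OBF: scheme used by org.eclipse.jetty.util.security.Password. deobfuscate() recovers the clear-text password from the string in ssl.ini with nothing but the file contents, which is why file permissions are the real control. The block also rewrites a constructed ssl.ini fragment the way step 4 asks, setting all three properties named on this page to the same OBF value; the sample fragment is a stand-in, not the shipped file, and its existing values are Jetty's well-known demo passwords.

```python
"""Jetty's OBF: password scheme, reimplemented so you can see what it protects.

Added example, not code from the product or from Jetty. It mirrors the
algorithm in org.eclipse.jetty.util.security.Password: each byte is combined
with its mirror image from the other end of the password and written as a
4-digit base-36 block. There is no key, so anyone who can read ssl.ini can
recover the password.
"""
import re

PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
# The three properties step 4 tells you to set in start.d/ssl.ini.
SSL_INI_KEYS = ("jetty.keystore.password",
                "jetty.keymanager.password",
                "jetty.truststore.password")


def _base36(n):
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = DIGITS[r] + digits
    return digits or "0"


def obfuscate(password):
    """Return the OBF: form of password, as `java ... Password <pw>` prints it."""
    b = password.encode("utf-8")
    out = [PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]              # the byte mirrored from the far end
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes get a 5-character 'U' block carrying both raw bytes
            # (current Jetty releases; the page's example is plain ASCII).
            out.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2                # sum and difference, offset to stay positive
            i2 = 127 + b1 - b2
            out.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf):
    """Recover the clear-text password from an OBF: string (no secret needed)."""
    s = obf[len(PREFIX):] if obf.startswith(PREFIX) else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)   # high byte is this position's byte
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)          # i1 + i2 == 254 + 2*b1
            i += 4
    return raw.decode("utf-8")


def update_ssl_ini(ini_text, obf, keys=SSL_INI_KEYS):
    """Set every password property in an ssl.ini body to obf, uncommenting it if
    needed; properties that are missing altogether are appended."""
    lines = ini_text.splitlines()
    seen = set()
    for idx, line in enumerate(lines):
        m = re.match(r"^\s*#*\s*([\w.]+)\s*=", line)
        if m and m.group(1) in keys:
            lines[idx] = "%s=%s" % (m.group(1), obf)
            seen.add(m.group(1))
    for key in keys:
        if key not in seen:
            lines.append("%s=%s" % (key, obf))
    return "\n".join(lines) + "\n"


# Constructed stand-in for start.d/ssl.ini; the real file has more settings.
SAMPLE_SSL_INI = """\
--module=ssl
jetty.ssl.port=4039
jetty.keystore=etc/keystore
## jetty.keystore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.keymanager.password=OBF:1u2u1wml1z7s1z7a1wnl1u2g
jetty.truststore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
"""

if __name__ == "__main__":
    obf = obfuscate("s3cr3t")
    print("OBF form written to ssl.ini:", obf)
    print("recovered from that string without any key:", deobfuscate(obf))
    for line in SAMPLE_SSL_INI.splitlines():
        if ".password=" in line:
            print(line.strip("# "), "->", deobfuscate(line.split("=", 1)[1]))
    print(update_ssl_ini(SAMPLE_SSL_INI, obf))
```

Run it as a script to see the sample's three stored passwords printed in the clear, then the rewritten fragment with all three properties set to the OBF form of s3cr3t.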

Set up SSL from the Data Catalog components to other applications

Web server

To make the Data Catalog web server use SSL when it connects as a client to other applications, such as databases and Solr, edit the installation configuration file <WLD Install Dir>/app-server/conf/install.properties and add the following property:

TRUST_STORE_FILE=/path/to/TrustStore

The Data Catalog start scripts for the Jetty web server pass this setting to the JVM so that the web server can validate the certificates those applications present. The trust store must contain the CA certificate (or, for self-signed setups, the server certificate itself) of every application the web server connects to over SSL.

Other components

To make Data Catalog components such as adapters and utilities use SSL when they connect as a client to other applications in the environment, add the following option to their invocation scripts:

-Djavax.net.ssl.trustStore=/path/to/MyTrustStore

The trust store only needs to be readable by the account that runs the component. For a JKS trust store the password protects only an integrity check, not the certificates, so it is optional: add -Djavax.net.ssl.trustStorePassword as well if you want the JVM to verify that the store has not been modified.

For example, when Cloudera Navigator is configured to receive requests using SSL, the Data Catalog Navigator adapter needs to know the location of the trust store when it is invoked. To add this parameter to the invocation, edit the importOperations and exportTagAssociation scripts to include the additional parameter in the java command:

java -Djavax.net.ssl.trustStore=/path/to/TrustStore ${LOGGING_OPTS} -cp ${CONF}:${JAR}:${LIBJARS}:${RESOURCES} com.waterlinedata.navigator.sync.NavigatorSynchronizer importOperations "$@"
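Both trust-store settings in this section (TRUST_STORE_FILE for the web server and -Djavax.net.ssl.trustStore for adapters and utilities) point the JVM at a file whose contents are worth checking before debugging a handshake failure. The following added example (not the product's or the JDK's code) reads the JKS container format that sun.security.provider.JavaKeyStore writes, lists each entry's alias and DER certificate bytes, and reproduces the JDK's integrity check, which shows what the trust-store password does and does not protect. The write_jks() helper exists only so the example runs offline on constructed placeholder bytes; a real trust store is built with keytool -importcert. Decoding X.509 is out of scope, and keytool on Java 9 or later writes PKCS12 by default, which this reader does not parse.

```python
"""Read a Java JKS trust store without the JDK, and verify its integrity digest.

Added example, not the product's or the JDK's code. It follows the container
format written by sun.security.provider.JavaKeyStore: a header, a list of
entries, and a SHA-1 over (password || "Mighty Aphrodite" || everything before).
Entries are plaintext, so the password only guards integrity; the JVM loads a
trust store with no password by simply skipping the check.
"""
import hashlib
import struct
import sys
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
_WHITENER = b"Mighty Aphrodite"   # fixed string the JDK mixes into the digest
TAMPERED = "Keystore was tampered with, or password was incorrect"  # the JDK's wording


def _digest(password, body):
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))   # the JDK hashes the password as UTF-16BE
    h.update(_WHITENER)
    h.update(body)
    return h.digest()


def _utf(s):
    # DataOutputStream.writeUTF: 2-byte length + modified UTF-8 (same as UTF-8 for ASCII)
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def write_jks(trusted_certs, password, created_ms=None):
    """Build a JKS holding only trusted-certificate entries: [(alias, der_bytes), ...]."""
    created_ms = int(time.time() * 1000) if created_ms is None else created_ms
    body = bytearray(struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(trusted_certs)))
    for alias, der in trusted_certs:
        body += struct.pack(">i", TRUSTED_CERT_ENTRY)
        body += _utf(alias.lower())          # keytool stores aliases lower-cased
        body += struct.pack(">q", created_ms)
        body += _utf("X.509")
        body += struct.pack(">i", len(der)) + der
    return bytes(body) + _digest(password, bytes(body))


def integrity_ok(data, password):
    """True when the trailing digest matches the password: what keytool -list checks."""
    return _digest(password, data[:-20]) == data[-20:]


def read_jks(data, password=None):
    """List the entries of a JKS file. With a password the integrity digest is checked
    first; with password=None the store is parsed unverified, as the JVM does."""
    if password is not None and not integrity_ok(data, password):
        raise ValueError(TAMPERED)
    body, pos = data[:-20], 0

    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return vals

    def take_bytes(n):
        nonlocal pos
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    magic, version, count = take(">IIi")
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS file (a PKCS12 store needs keytool -list instead)")
    entries = []
    for _ in range(count):
        (tag,) = take(">i")
        alias = take_bytes(take(">H")[0]).decode("utf-8")
        (created,) = take(">q")
        if tag == TRUSTED_CERT_ENTRY:
            if version == 2:
                take_bytes(take(">H")[0])            # certificate type, "X.509"
            certs = [take_bytes(take(">i")[0])]
            kind = "trustedCertEntry"
        elif tag == PRIVATE_KEY_ENTRY:
            take_bytes(take(">i")[0])                # encrypted key, irrelevant for trust
            certs = []
            for _ in range(take(">i")[0]):
                if version == 2:
                    take_bytes(take(">H")[0])
                certs.append(take_bytes(take(">i")[0]))
            kind = "PrivateKeyEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append({"alias": alias, "kind": kind, "created_ms": created, "certs": certs})
    if pos != len(body):
        raise ValueError("trailing bytes after the last entry")
    return entries


if __name__ == "__main__":
    # Usage: python jks_inspect.py /path/to/TrustStore [password]
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    pw = sys.argv[2] if len(sys.argv) > 2 else None
    for e in read_jks(data, pw):
        print("%-20s %-17s %d cert(s), %d DER bytes"
              % (e["alias"], e["kind"], len(e["certs"]), sum(map(len, e["certs"]))))
```

Point the script at the file named in TRUST_STORE_FILE or -Djavax.net.ssl.trustStore: an alias for the CA of each SSL peer (Solr, the database, Navigator) should be listed. Omitting the password lists the entries without verification, which is exactly how the JVM behaves when javax.net.ssl.trustStorePassword is unset, so a modified trust store loads silently in that mode.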