
This guide will assist you with importing a custom SSL certificate for enterprise and production Datameer X environments.

...

  1. Generate a private key and a certificate signing request (CSR) to submit to the certificate authority (CA). The -nodes option writes the private key to disk unencrypted, so keep <yourdomain>.key readable only by the account that runs Datameer X (chmod 600) and never copy it off the host:

    Create CSR file

    Code Block
    languagebash
    openssl req -new -newkey rsa:2048 -nodes -keyout <yourdomain>.key -out <yourdomain>.csr
  2. Download the issued certificate from the certificate authority (CA), together with any intermediate (chain) certificates the CA provides; they have to end up in the keystore alongside the server certificate.

  3. Check the X.509 certificate returned by the CA (subject, Subject Alternative Names, validity period and issuer):

    Check certificate

    Code Block
    languagebash
    openssl x509 -in <yourdomain>.crt -text -noout
  4. Generate a PKCS12 file:

    Generate PKCS12 file

    Code Block
    languagebash
    openssl pkcs12 -inkey <yourdomain>.key -in <yourdomain>.crt -export -out datameer.p12 -name datameer

    This file bundles the private key with its X.509 certificate in the PKCS #12 container format (PKCS stands for Public Key Cryptography Standards). If the CA delivered intermediate certificates, include them as well (append them to <yourdomain>.crt or pass the intermediate file with -certfile); otherwise the keystore built from this file holds only the leaf certificate and clients are offered an incomplete chain. openssl prompts for an export password that protects the private key inside the file; this guide uses keypwd as the example value. Be aware that keypwd (and storepwd below) are the publicly documented passwords of Jetty's demo keystore, so for a production system choose your own strong values. The alias set with -name (datameer) is the entry name the keystore steps look for later.

  5. Obfuscate the password.

    Obfuscate password

    Code Block
    languagebash
    [datameer@<host> current]$ java -cp lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password datameer keypwd
    <timestamp>:INFO::main: Logging initialized @75ms
    keypwd
    OBF:1u2u1wml1z7s1z7a1wnl1u2g
    MD5:4a27e9a4bd7a907bd04606dd05be4d25
    CRYPT:da3b2s9U.Q7Nw

    The obfuscated key password, in this example OBF:1u2u1wml1z7s1z7a1wnl1u2g, needs to be added to Datameer's start.d/ssl.ini file under the parameter jetty.sslContext.keyManagerPassword. OBF: is a reversible encoding, not encryption: anyone who can read ssl.ini can recover the clear-text password with the same Password class, so the file must stay readable by the Datameer service account only. The MD5: and CRYPT: forms printed alongside are one-way hashes meant for realm password files and cannot be used for keystore passwords, because Jetty has to present the clear value to the keystore.
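The first procedure (steps 1, 3 and 4) as one checked script, added here as an example and not part of the Datameer X documentation: it generates the key and CSR with a restrictive umask, refuses to build the PKCS12 bundle unless the certificate's public key matches the private key, and stores the intermediate certificates in the bundle. The function names make_csr, key_matches_cert, make_p12 and demo are this example's own; demo constructs a throwaway offline CA in place of the real one so the script runs without network access. The openssl options are standard.

```shell
#!/usr/bin/env bash
# Added example, not from the Datameer X documentation. Function names are
# this example's own; the openssl options are standard.
set -euo pipefail
umask 077   # new files (private key, CSR, .p12) are readable by this user only

# make_csr NAME SUBJECT : private key + CSR, as in step 1 of the guide.
# -nodes leaves the key unencrypted on disk, hence the umask above.
make_csr() {
    local name=$1 subject=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
}

# key_matches_cert KEY CRT : succeed only if the certificate carries the
# public key of this private key, i.e. it really was issued for our CSR.
key_matches_cert() {
    local key=$1 crt=$2 k c
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_p12 ALIAS KEY CRT CHAIN PASSWORD : build the bundle of step 4.
# -certfile adds the intermediates; without them the keystore built from
# this file holds only the leaf and clients are offered an incomplete chain.
make_p12() {
    local alias=$1 key=$2 crt=$3 chain=$4 pass=$5
    if ! key_matches_cert "$key" "$crt"; then
        echo "refusing to bundle: $crt was not issued for $key" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$key" -in "$crt" -certfile "$chain" \
        -name "$alias" -passout "pass:$pass" -out "$alias.p12"
}

# demo : exercise the functions offline with a constructed throwaway CA
# standing in for the real one. Runs in a subshell inside a temp directory.
demo() (
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Offline CA" -keyout ca.key -out ca.crt 2>/dev/null
    make_csr example "/CN=datameer.example.test"
    openssl x509 -req -in example.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out example.crt 2>/dev/null
    # negative check: the CA's own key must be rejected for the leaf cert
    if key_matches_cert ca.key example.crt; then
        echo "mismatch not detected" >&2; exit 1
    fi
    make_p12 datameer example.key example.crt ca.crt keypwd
    # the bundle opens with the export password and carries leaf + CA cert
    [ "$(openssl pkcs12 -in datameer.p12 -nokeys -passin pass:keypwd 2>/dev/null \
          | grep -c 'BEGIN CERTIFICATE')" -eq 2 ]
)

demo && echo "PKCS12 bundle built and verified"
```

With a real CA, call make_csr with your own subject, send the .csr away, and feed the returned certificate and chain file to make_p12. If keytool on an older JDK rejects the resulting file, re-run the export with OpenSSL 3's -legacy option, which falls back to the older PKCS12 encryption algorithms that such JDKs understand.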

Generate a keystore 

Generate a repository of security certificates for Datameer's embedded Jetty. For this process, use keytool.

  1. Check the default keystore located in your Datameer X installation path within etc/:

    Check keystore

    Code Block
    languagebash
    [datameer@<host> current]$ keytool -list -v -keystore etc/keystore | grep -i 'jetty'
    Enter keystore password:  storepwd
    Alias name: jetty
    Owner: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown
  2. Back up the default keystore file:

    Backup keystore

    Code Block
    languagebash
    mv etc/keystore etc/keystore.original
  3. Ensure you no longer have a file named keystore within the etc/ path.

  4. Create a new Java KeyStore (JKS) file from the datameer.p12 file that was generated previously. The keystore must be protected by a password.

    Create keystore

    Code Block
    languagebash
    # -deststoretype JKS: from JDK 9 on, keytool would otherwise create a PKCS12 file
    keytool -importkeystore -srckeystore datameer.p12 -srcstoretype PKCS12 -destkeystore etc/keystore -deststoretype JKS

    keytool prompts for the destination keystore password (storepwd in this example) and for the source keystore password, which is the PKCS12 export password (keypwd). The imported key entry keeps keypwd as its own password, which is why jetty.sslContext.keyManagerPassword and jetty.sslContext.keyStorePassword hold different values in the configuration step.

  5. Obfuscate the password:

    Obfuscate password

    Code Block
    languagebash
    [datameer@<host> current]$ java -cp lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password datameer storepwd
    <timestamp>:INFO::main: Logging initialized @75ms
    storepwd
    OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
    MD5:7bfa04a176c6d48e5283e1c037e4668e
    CRYPT:dake2.vBb3e52

    The obfuscated keystore password, in this example OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4, needs to be added to Datameer's start.d/ssl.ini file under the parameter jetty.sslContext.keyStorePassword and, because the default configuration uses the same file as trust store, under jetty.sslContext.trustStorePassword.

  6. Check the generated keystore repository:

    Check keystore

    Code Block
    languagebash
    [datameer@<host> current]$ keytool -list -v -keystore etc/keystore | grep -i 'datameer'
    Enter keystore password:  storepwd
    Alias name: datameer
    Owner: <...>
    Issuer: <...>
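Both obfuscation steps above (step 5 of the certificate procedure and step 5 of the keystore procedure) rely on Jetty's OBF: encoding. The following bash re-implementation is an added example, not Jetty's or Datameer's code: it reproduces what org.eclipse.jetty.util.security.Password does and decodes the two values this guide writes into start.d/ssl.ini, to make the point that OBF: hides a password from a glance at the file but protects nothing against anyone who can read it. The function names to_base36, jetty_obf and jetty_deobf are this example's own; the encoder assumes ASCII passwords.

```shell
#!/usr/bin/env bash
# Added example, not Jetty's or Datameer's code: a bash re-implementation of
# Jetty's OBF: password encoding (org.eclipse.jetty.util.security.Password),
# written to show that the values placed in start.d/ssl.ini are reversible.
set -euo pipefail

# to_base36 N : print N in lowercase base 36, the radix Jetty uses
to_base36() {
    local n=$1 digits=0123456789abcdefghijklmnopqrstuvwxyz out=""
    [ "$n" -eq 0 ] && { printf '0'; return; }
    while [ "$n" -gt 0 ]; do
        out="${digits:$((n % 36)):1}$out"
        n=$((n / 36))
    done
    printf '%s' "$out"
}

# jetty_obf PASSWORD : the OBF: form, identical to Jetty's output. Each
# character is paired with its mirror character from the end of the string;
# the pair's sum and difference are packed into one 4-digit base-36 group.
# (ASCII input assumed; Jetty's U-escape for other bytes is not produced.)
jetty_obf() {
    local s=$1 out="OBF:" n i b1 b2 x
    n=${#s}
    for ((i = 0; i < n; i++)); do
        b1=$(printf '%d' "'${s:i:1}")
        b2=$(printf '%d' "'${s:$((n - i - 1)):1}")
        if [ "$b1" -ge 128 ] || [ "$b2" -ge 128 ]; then
            echo "non-ASCII password: not handled by this example" >&2
            return 1
        fi
        x=$(to_base36 $(( (127 + b1 + b2) * 256 + (127 + b1 - b2) )))
        out+=$(printf '%4s' "$x" | tr ' ' 0)   # left-pad to 4 digits
    done
    printf '%s' "$out"
}

# jetty_deobf OBF:... : recover the clear text. No key or secret is
# involved: the sum and difference stored in each group give the byte back.
jetty_deobf() {
    local s=${1#OBF:} i x i0 byte out=""
    local len=${#s}
    for ((i = 0; i < len; i += 4)); do
        if [ "${s:i:1}" = "U" ]; then       # Jetty's escape for non-ASCII bytes
            i=$((i + 1))
            x=${s:i:4}
            byte=$(( (36#$x) >> 8 ))
        else
            x=${s:i:4}
            i0=$((36#$x))
            byte=$(( (i0 / 256 + i0 % 256 - 254) / 2 ))
        fi
        out+=$(printf "\\$(printf '%03o' "$byte")")
    done
    printf '%s' "$out"
}

# The two values this guide writes into start.d/ssl.ini, decoded:
for obf in OBF:1u2u1wml1z7s1z7a1wnl1u2g OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4; do
    printf '%s -> %s\n' "$obf" "$(jetty_deobf "$obf")"
done
```

Run as is, the loop prints the clear-text key and keystore passwords straight from the obfuscated strings, which is exactly what anyone with read access to start.d/ssl.ini can do. File permissions on ssl.ini and the keystore, plus passwords of your own instead of Jetty's defaults, are the controls that matter; the OBF: step only keeps the value out of casual view.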

...

  1. Check the current configuration:

    Check current config

    Code Block
    languagebash
    # The path to the keystore file 
    [datameer@<host> current]$ java -jar start.jar --list-config | grep -i 'StorePath ='
     jetty.sslContext.keyStorePath = etc/keystore
     jetty.sslContext.trustStorePath = etc/keystore
    # The necessary passwords 
    [datameer@<host> current]$ java -jar start.jar --list-config | grep -i 'Password ='
     jetty.sslContext.keyManagerPassword = OBF:1u2u1wml1z7s1z7a1wnl1u2g
     jetty.sslContext.keyStorePassword = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
     jetty.sslContext.trustStorePassword = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
  2. Back up the default configuration:

    Backup config

    Code Block
    languagebash
    cp start.d/ssl.ini start.d/ssl.ini.backup 
  3. Configure start.d/ssl.ini by locating and altering the following parameters:

    Info
    iconfalse
    Since this example uses Jetty's default values, no changes are necessary. If you chose your own passwords in the PKCS12 and keystore steps (recommended for production, because the default OBF: values are published with the Jetty distribution), replace the three password parameters with your own obfuscated values.

    Configure start.d/ssl.ini

    Code Block
    languagebash
    jetty.ssl.port=<desired_port>                          (default=8443)
    jetty.sslContext.keyStorePath=<path/to/keystore>       (default=etc/keystore)
    jetty.sslContext.trustStorePath=<path/to/keystore>     (default=etc/keystore)
    jetty.sslContext.keyStorePassword=<password>           (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
    jetty.sslContext.keyManagerPassword=<password>         (default=OBF:1u2u1wml1z7s1z7a1wnl1u2g)
    jetty.sslContext.trustStorePassword=<password>         (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
  4. Create a configuration change log:

    Create changelog

    Code Block
    languagebash
    diff -e start.d/ssl.ini.backup start.d/ssl.ini > changes.start.ini
  5. Restart the Datameer X service to apply the changes and monitor the boot process. Afterwards confirm from a client that the new certificate and its full chain are served, for example with openssl s_client -connect <host>:8443 -showcerts:

    Restart and monitor

    Code Block
    languagebash
    [datameer@<host> current]$ ./bin/conductor.sh restart
    [datameer@<host> current]$ tail -f logs/conductor.log

...