This guide will assist you with importing a custom SSL certificate for enterprise and production Datameer X environments.
...
Generate a private key and a certificate signing request (CSR) file before requesting CA authorized certificates:
Create CSR file
Code Block language bash openssl req -new -newkey rsa:2048 -nodes -keyout <yourdomain>.key -out <yourdomain>.csr
Download the certificates from the certificate authority (CA).
Check your X.509 certificates:
Check certificate
Code Block language bash openssl x509 -in <yourdomain>.crt -text -noout
Generate a PKCS12 file:
Generate PKCS12 file
Code Block language bash openssl pkcs12 -inkey <yourdomain>.key -in <yourdomanin>.crt -export -out datameer.p12 -name datameer
This file bundles the private key together with the public X.509 certificate and is a public key cryptographic standard. The private key needs to be protected by a password. For the key password, you can use
keypwd
.Obfuscate the password.
Obfuscate password
Code Block language bash [datameer@<host> current]$ java -cp lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password datameer keypwd <timestamp>:INFO::main: Logging initialized @75ms keypwd OBF:1u2u1wml1z7s1z7a1wnl1u2g MD5:4a27e9a4bd7a907bd04606dd05be4d25 CRYPT:da3b2s9U.Q7Nw
The obfuscated key password, in this example
OBF:1u2u1wml1z7s1z7a1wnl1u2g
, will need to be added to Datameer’sstart.d/ssl.ini
file under the parameterjetty.sslContext.keyManagerPassword
.
Generate a keystore
Generate a repository of security certificates for Datameer's embedded Jetty. For this process, use keytool.
Check the default
keystore
located in your Datameer X installation path withinetc/
:Check keystore
Code Block language bash [datameer@<host> current]$ keytool -list -v -keystore etc/keystore | grep -i 'jetty' Enter keystore password: storepwd Alias name: jetty Owner: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown
Backup the default
keystore
file:Backup keystore
Code Block language bash mv etc/keystore etc/keystore.original
Ensure you no longer have a file named
keystore
within theetc/
path.Create a new Java KeyStore (JKS) file using the
datameer.p12
file that was generated previously. Thekeystore
must be protected by a password.Create keystore
Code Block language bash keytool -importkeystore -srckeystore datameer.p12 -srcstoretype PKCS12 -destkeystore etc/keystore
For the keystore password you can use
storepwd
.Obfuscate the password:
Obfuscate password
Code Block language bash [datameer@<host> current]$ java -cp lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password datameer storepwd <timestamp>:INFO::main: Logging initialized @75ms storepwd OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 MD5:7bfa04a176c6d48e5283e1c037e4668e CRYPT:dake2.vBb3e52
The obfuscated
keystore
password, in this exampleOBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
, will need to be added to Datameer’sstart.d/ssl.ini
file under the parameterjetty.sslContext.keyStorePassword
.Check the generated
keystore
repository:Check keystore
Code Block language bash [datameer@<host> current]$ keytool -list -v -keystore etc/keystore | grep -i 'datameer' Enter keystore password: storepwd Alias name: datameer Owner: <...> Issuer: <...>
...
Check the current configuration:
Check current config
Code Block language bash # The path to the keystore file [datameer@<host> current]$ java -jar start.jar --list-config | grep -i 'StorePath =' jetty.sslContext.keyStorePath = etc/keystore jetty.sslContext.trustStorePath = etc/keystore # The necessary passwords [datameer@<host> current]$ java -jar start.jar --list-config | grep -i 'Password =' jetty.sslContext.keyManagerPassword = OBF:1u2u1wml1z7s1z7a1wnl1u2g jetty.sslContext.keyStorePassword = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 jetty.sslContext.trustStorePassword = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
Back up the default configuration:
Backup config
Code Block language bash cp start.d/ssl.ini start.d/ssl.ini.backup
Configure
start.d/ssl.ini
by locating and altering the following parameters:Info icon false Since this example uses default values, no changes are necessary. Configure start.d/ssl.ini
Code Block language bash jetty.ssl.port=<desired_port> (default=8443) jetty.sslContext.keyStorePath=<path/to/keystore> (default=etc/keystore) jetty.sslContext.trustStorePath=<path/to/keystore> (default=etc/keystore) jetty.sslContext.keyStorePassword=<password> (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 jetty.sslContext.keyManagerPassword=<password> (default=OBF:1u2u1wml1z7s1z7a1wnl1u2g) jetty.sslContext.trustStorePassword=<password> (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
Create a configuration change log:
Create changelog
Code Block language bash diff -e start.d/ssl.ini.backup start.d/ssl.ini > changes.start.ini
Restart the Datameer X service to enable the above changes and monitor the boot process:
Restart and monitor
Code Block language bash [datameer@<host> current]$ ./bin/conductor.sh restart [datameer@<host> current]$ tail -f logs/conductor.log
...