| Table of Contents |
|---|
Prerequisites
Before you create a custom certificate, make sure your environment is ready:
Install Datameer and enable TLS.
- Install Java Cryptography Extension (JCE) for Java 7 or 8.
- Work within the
currentDatameer installation directory. Familiarize yourself with obfuscating passwords, as in the following example, where the password "changeit" is obfuscated:
Code Block language bash title Obfuscate password [datameer@<host> current]$ java -cp lib/jetty-util-* org.eclipse.jetty.util.security.Password <timestamp>:INFO::main: Logging initialized @75ms Usage - java org.eclipse.jetty.security.Password [<user>] <password> If the password is ?, the user will be prompted for the password # According # Usage - java org.eclipse.jetty.security.Password [<user>] <password> # the user value is optional [datameer@<host> current]$ java -cp lib/jetty-util-* org.eclipse.jetty.util.security.Password changeit <timestamp>:INFO::main: Logging initialized @75ms changeit OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 MD5:b91cd1a54781790beaa2baf741fa6789
Providing a Custom Certificate for Embedded Jetty
Get a certificate
Generate a private key and a certificate signing request (CSR) file before requesting CA authorized certificates:
Code Block language bash title Create CSR file openssl req -new -newkey rsa:2048 -nodes -keyout <yourdomain>.key -out <yourdomain>.csr
- Download the certificates from the certificate authority (CA).
Check your X.509 certificates:
Code Block language bash title Check certificate openssl x509 -in <yourdomain>.crt -text -noout
Generate a PKCS12 file:
Code Block language bash title Generate PKCS12 file openssl pkcs12 -inkey <yourdomain>.key -in <yourdomanin>.crt -export -out datameer.p12 -name datameer
This file bundles the private key together with the public X.509 certificate and is a public key cryptographic standard. The private key needs to be protected by a password
For the key password, you can use
keypwd.Code Block language bash title Obfuscate password [datameer@<host> current]$ java -cp lib/jetty-util-* org.eclipse.jetty.util.security.Password datameer keypwd <timestamp>:INFO::main: Logging initialized @75ms keypwd OBF:1u2u1wml1z7s1z7a1wnl1u2g MD5:4a27e9a4bd7a907bd04606dd05be4d25 CRYPT:da3b2s9U.Q7Nw
The obfuscated key password, in this example
OBF:1u2u1wml1z7s1z7a1wnl1u2gforkeypwd, needs to be provided later asjetty.keymanager.passwordin Jetty'sstart.inifile.
Generate a keystore
Generate a repository of security certificates for Datameer's embedded Jetty. For this process, use keytool.
Check the default keystore:
Code Block language bash title Check keystore [datameer@<host> current]$ keytool -list -v -keystore etc/keystore | grep -i 'jetty' Enter keystore password: storepwd Alias name: jetty Owner: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown
Back up the default
keystorefile:Code Block language bash title Backup keystore mv etc/keystore etc/keystore.original
Create a new Java KeyStore (JKS) file using the
datameer.p12file that was generated previously. The keystore needs to be protected by a password.Code Block language bash title Create keystore keytool -importkeystore -srckeystore datameer.p12 -srcstoretype PKCS12 -destkeystore etc/keystore
For the keystore password you can use
storepwd.Code Block language bash title Obfuscate password [datameer@<host> current]$ java -cp lib/jetty-util-* org.eclipse.jetty.util.security.Password datameer storepwd <timestamp>:INFO::main: Logging initialized @75ms storepwd OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 MD5:7bfa04a176c6d48e5283e1c037e4668e CRYPT:dake2.vBb3e52
The obfuscated keystore password, in this example
OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4forstorepwd, needs to be provided later asjetty.keystore.passwordin Jetty'sstart.inifile.Check the generated repository:
Code Block language bash title Check keystore [datameer@<host> current]$ keytool -list -v -keystore etc/keystore | grep -i 'datameer' Enter keystore password: storepwd Alias name: datameer Owner: <...> Issuer: <...>
Use your own keystore
To use the custom certificate stored in the created Java KeyStore (JKS) file, configure the start up configuration file.
Check the current configuration:
Code Block language bash title Check current config # The path to the keystore file [datameer@<host> current]$ java -jar start.jar --list-config | grep -i 'store =' jetty.keystore = etc/keystore jetty.truststore = etc/keystore # The necessary passwords [datameer@<host> current]$ java -jar start.jar --list-config | grep -i 'password' jetty.keymanager.password = OBF:1u2u1wml1z7s1z7a1wnl1u2g jetty.keystore.password = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 jetty.truststore.password = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
Back up the default configuration:
Code Block language bash title Backup config cp start.ini start.ini.original
Configure
start.ini:Info icon false Since this example uses default values, no changes are necessary. Code Block language bash title Configure start.ini ## Set up a demonstration keystore and truststore jetty.keystore=etc/keystore jetty.truststore=etc/keystore ## Set the demonstration passwords ## Note that OBF passwords are not secure, just protected from casual observation ## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html jetty.keystore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 # storepwd jetty.keymanager.password=OBF:1u2u1wml1z7s1z7a1wnl1u2g # keypwd jetty.truststore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 # storepwd
Create a configuration change log:
Code Block language bash title Create changelog diff -e start.ini.original start.ini > changes.start.ini
Restart Datameer to make the change active and monitor the boot process:
Code Block language bash title Start and monitor dmstart dmlog
Renew certificate
Certificates typically have an expiration date, so it is necessary to renew them. To do, so just follow the following steps again:
Anchor trustcertificates trustcertificates
Trusting Custom Certificates from Other Services
| trustcertificates | |
| trustcertificates |
The Java Virtual Machine (JVM) enforces security and validates the certification path to the requested target. If the certificate isn't provided from a generally trusted root certificate, you need to trust the certificate by adding it into the truststore of the Java Virtual Machine (JVM) that runs Datameer.
Gather the certificate:
Code Block language bash title Gather certificate openssl s_client -connect <host>.<domain>.<tld>:<port> -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > <yourservice>.pem
Validate the certificate:
Code Block language bash title Validate certificate openssl x509 -in <yourservice>.pem -inform pem -noout -text
Trust the certificate by importing it:
Code Block language bash title Import certificate sudo keytool -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias <yourservice> -file <yourservice>.pemStart and stop Datameer service:
Code Block language bash title Start and stop dmstop # This will create a new instance of the JVM dmstart dmlog
Further Information
For more information, refer to the Secure Socket Extension (JSSE) Reference Guide.
| Info | ||
|---|---|---|
| ||
The JDK ships with a limited number of trusted root certificates in the <java-home>/lib/security/cacerts file. As documented in keytool , it is your responsibility to maintain (that is, add/remove) the certificates contained in this file if you use this file as a truststore. |
You can also review available documentation from Hadoop distributors, such as Creating Java Keystores and Truststores, Understanding the SSL Keystore Factory, and Demystify LDAP, SSL, CA Cert integration. If you want to connect to an specific service, see vendor documentation such as Configure External SSL for Tableau.