Enabling SSL with Datameer


INFO

SSL must be enabled when Datameer X is used in enterprise or production environments. Note that even if you configure a firewall so that only the SSL port is reachable, Datameer X itself still runs both HTTP and HTTPS services. Running Datameer X on the standard HTTPS port (443) requires additional configuration by the system administrator.

This change eliminates the need for users to append ':8443' to the URL each time they access Datameer X.

All port changes should be made in the 'start.ini' file, which overrides 'jetty.port'.

Enabling and Configuring SSL

The following commands will enable SSL and disable normal HTTP traffic.

Important! The enable-ssl.sh script relies on the GNU version of the sed utility and might not work as expected if the sed on your system is a different implementation. We recommend checking this before running the script. Please contact Datameer support if you observe any issues.

  1. Change your working path to where you have installed the target Datameer X distribution.

  2. Stop the Datameer X service if currently running with:

    $ ./bin/conductor.sh stop
  3. Execute the bin/enable-ssl.sh script. Example:

    [Datameer-11.1.8-emr-6.1.0]$ ./bin/enable-ssl.sh
    Java found. (version 1.8)
    Disabling http module. Changes to DAS_PORT in das-env.sh will have no effect anymore.
    Creating https.ini in start.d/
    WARN : Use both ${jetty.base}/start.d and ${jetty.base}/start.ini is deprecated
    INFO : https initialized in ${jetty.base}/start.d/https.ini
    INFO : ssl transitively enabled, ini template available with --add-to-start=ssl
    COPY : ${jetty.base}/modules/ssl/keystore to ${jetty.base}/etc/keystore
    INFO : Base directory was modified
    Creating ssl.ini in start.d/
    WARN : Use both ${jetty.base}/start.d and ${jetty.base}/start.ini is deprecated
    INFO : ssl initialized in ${jetty.base}/start.d/ssl.ini
    INFO : Base directory was modified
    Datameer will use default configuration. If a non standard configuration is required, edit start.d/ssl.ini. Refer to Datameer Documentation for more details.
  4. If required, edit the start.d/ssl.ini file to customize the configuration to match your environment.

    jetty.ssl.port=<desired_port>                      (default=8443)
    jetty.sslContext.keyStorePath=<path/to/keystore>   (default=etc/keystore)
    jetty.sslContext.trustStorePath=<path/to/keystore> (default=etc/keystore)
    jetty.sslContext.keyStorePassword=<password>       (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
    jetty.sslContext.keyManagerPassword=<password>     (default=OBF:1u2u1wml1z7s1z7a1wnl1u2g)
    jetty.sslContext.trustStorePassword=<password>     (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
  5. Start the Datameer X service with:

The following commands will disable SSL and restore normal HTTP traffic.

  1. Change your working path to where you have installed the target Datameer X distribution.

  2. Stop the Datameer X service if currently running with:

  3. Disable SSL using the following script:

    Note: For Datameer X versions 11.1.5 and earlier, the HTTP module is not activated automatically when the above script is executed.

  4. Start Datameer X with:

Prevent Loading of Mixed Content

INFO

Datameer X serves unencrypted traffic on unencrypted ports (HTTP) as well as encrypted traffic on encrypted ports (HTTPS). Encrypted traffic cannot be displayed properly when it is received via an unencrypted port.

To prevent the loading of mixed content, consider the following:

  1. Enable traffic through your network’s firewall for port 8443 to the Datameer host.

  2. Disable traffic through your network’s firewall for port 8080 to the Datameer host.

  3. Change your network’s load balancer redirection so that traffic arriving on port 443 is forwarded to port 8443 on the Datameer X host.

  4. Enable the Jetty SSL module within the Datameer X installation. This action will have already been completed if you followed the steps above.

  5. Disable the HTTP module within the Datameer X installation. Once again, this step will have already been completed if you followed the steps above.

Custom Certificates

Caveats

According to w3.org documentation, ports below 1024 are considered privileged on Linux, and only root can bind to them. If Datameer X runs as a non-root user and is configured to listen on such a port, the embedded Jetty web service will fail to start.
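As an added example (not part of the Datameer documentation or the enable-ssl.sh script), the following audit reads a start.d/ssl.ini and flags the two things this page warns about: a privileged port that Jetty cannot bind as a non-root user, and keystore paths or passwords left at the defaults printed in step 4 above. The sample ssl.ini contents are constructed, and the script assumes Jetty falls back to port 8443 and the shipped defaults when a key is absent.

```python
# Defaults that enable-ssl.sh writes (step 4 on this page). Jetty's OBF: prefix
# is reversible obfuscation, not encryption, so these values are publicly known.
DEFAULTS = {
    "jetty.sslContext.keyStorePath": "etc/keystore",
    "jetty.sslContext.trustStorePath": "etc/keystore",
    "jetty.sslContext.keyStorePassword": "OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4",
    "jetty.sslContext.keyManagerPassword": "OBF:1u2u1wml1z7s1z7a1wnl1u2g",
    "jetty.sslContext.trustStorePassword": "OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4",
}

def parse_ini(text):
    """Parse Jetty's flat key=value .ini; skip blanks, '#' comments and '--module=' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "--")) and "=" in line:
            key, value = line.split("=", 1)  # value is everything after the first '='
            settings[key.strip()] = value.strip()
    return settings

def audit_ssl_ini(text, runs_as_root=False):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_ini(text)
    findings = []
    port = int(s.get("jetty.ssl.port", "8443"))  # assumed Jetty default when unset
    if port < 1024 and not runs_as_root:
        findings.append(f"jetty.ssl.port={port} is privileged; Jetty cannot bind it "
                        "as a non-root user (forward 443 to 8443 instead)")
    for key, default in DEFAULTS.items():
        # A missing key also means Jetty falls back to the shipped default.
        if s.get(key, default) == default:
            findings.append(f"{key} is still the shipped default {default}")
    return findings

# Constructed sample: ssl.ini exactly as enable-ssl.sh leaves it.
SAMPLE_DEFAULT = "--module=ssl\njetty.ssl.port=8443\n" + "".join(
    f"{k}={v}\n" for k, v in DEFAULTS.items())

# Constructed sample: custom keystore (placeholder passwords) but moved to port 443.
SAMPLE_CUSTOM = """--module=ssl
jetty.ssl.port=443
jetty.sslContext.keyStorePath=etc/company.p12
jetty.sslContext.trustStorePath=etc/company-truststore.p12
jetty.sslContext.keyStorePassword=OBF:PLACEHOLDER
jetty.sslContext.keyManagerPassword=OBF:PLACEHOLDER
jetty.sslContext.trustStorePassword=OBF:PLACEHOLDER
"""
```

Run `audit_ssl_ini(open("start.d/ssl.ini").read(), runs_as_root=False)` from the Datameer X installation directory to check a real file.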

Example output from logs/<date>.stderrout.log:


Port forwarding

Example details for port forwarding.

Please refer to your environment’s standards before modifying iptables: