Enabling SSL with Datameer
INFO
Enable SSL when running Datameer X in enterprise or production environments. Note that Datameer X serves both HTTP and HTTPS: a firewall that only admits the HTTPS port does not by itself switch off the HTTP listener, so the HTTP module must also be disabled, as described below. To serve Datameer X on the standard HTTPS port (443), system administrators need additional configuration (see Caveats and Port forwarding below).
Serving on 443 eliminates the need to type ':8443' at the end of the URL each time users access Datameer X.
All port changes should be made in the start.ini file, which overrides jetty.port.
Enabling and Configuring SSL
The following commands enable SSL and disable plain HTTP traffic.
Important! The enable-ssl.sh script relies on the GNU version of the sed utility and might not work as expected if your system provides a different implementation (for example BSD sed on macOS). Check this before running the script: sed --version prints a version banner only on GNU sed. Contact Datameer support if you observe any issues.
Change your working directory to the root of the Datameer X distribution you want to configure.
Stop the Datameer X service if it is currently running:
$ ./bin/conductor.sh stop
Execute the bin/enable-ssl.sh script. Example:
[Datameer-11.1.8-emr-6.1.0]$ ./bin/enable-ssl.sh
Java found. (version 1.8)
Disabling http module. Changes to DAS_PORT in das-env.sh will have no effect anymore.
Creating https.ini in start.d/
WARN : Use both ${jetty.base}/start.d and ${jetty.base}/start.ini is deprecated
INFO : https initialized in ${jetty.base}/start.d/https.ini
INFO : ssl transitively enabled, ini template available with --add-to-start=ssl
COPY : ${jetty.base}/modules/ssl/keystore to ${jetty.base}/etc/keystore
INFO : Base directory was modified
Creating ssl.ini in start.d/
WARN : Use both ${jetty.base}/start.d and ${jetty.base}/start.ini is deprecated
INFO : ssl initialized in ${jetty.base}/start.d/ssl.ini
INFO : Base directory was modified
Datameer will use default configuration. If a non standard configuration is required, edit start.d/ssl.ini. Refer to Datameer Documentation for more details.
If required, edit the start.d/ssl.ini file to match your environment. The properties and their defaults are:
jetty.ssl.port=<desired_port> (default=8443)
jetty.sslContext.keyStorePath=<path/to/keystore> (default=etc/keystore)
jetty.sslContext.trustStorePath=<path/to/keystore> (default=etc/keystore)
jetty.sslContext.keyStorePassword=<password> (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
jetty.sslContext.keyManagerPassword=<password> (default=OBF:1u2u1wml1z7s1z7a1wnl1u2g)
jetty.sslContext.trustStorePassword=<password> (default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)
The defaults point at the demo keystore that enable-ssl.sh copied from modules/ssl; its self-signed certificate and passwords ship with every Jetty distribution, and an OBF: value is reversible obfuscation, not encryption. For production, supply your own keystore (see Custom Certificates), change all three passwords, and restrict the keystore and ssl.ini to the service account with filesystem permissions.
Start the Datameer X service with:
$ ./bin/conductor.sh start
Disabling SSL
The following commands disable SSL and restore plain HTTP traffic.
Change your working directory to the root of the Datameer X distribution you want to configure.
Stop the Datameer X service if it is currently running:
$ ./bin/conductor.sh stop
Disable SSL using the following script:
Note: For Datameer X versions v11.1.5 and earlier, the HTTP module is not re-enabled automatically when executing the above script; enable it manually before plain HTTP traffic is accepted again.
Start Datameer X with:
$ ./bin/conductor.sh start
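The enable procedure above, wrapped in a script that adds the checks a production rollout wants: it verifies GNU sed before calling enable-ssl.sh, refuses a privileged port when not running as root (see Caveats), generates a keystore with keytool instead of keeping the demo keystore copied from modules/ssl, and rewrites the start.d/ssl.ini properties listed above. This is an added example, not Datameer's own code. It assumes it is run from the Datameer X installation directory and that bin/conductor.sh and bin/enable-ssl.sh behave as shown on this page; the keystore path etc/datameer.jks, the alias, the hostname and the DAS_SSL_* environment variables are placeholders.

```shell
#!/bin/sh
# Added example: enable SSL for Datameer X with a custom keystore.
# Not Datameer's own tooling. Assumes it is run from the Datameer X
# installation directory and that bin/conductor.sh and bin/enable-ssl.sh
# behave as shown on this page. Paths, alias and hostname are placeholders.
set -eu

KEYSTORE=${KEYSTORE:-etc/datameer.jks}       # assumed path; any path under the install works
SSL_PORT=${SSL_PORT:-8443}                    # keep 8443 unless running as root (see Caveats)
SSL_CN=${SSL_CN:-datameer.example.internal}   # placeholder hostname for the certificate

# enable-ssl.sh relies on GNU sed; only GNU sed answers --version.
is_gnu_sed() {
  sed --version 2>/dev/null | grep -q 'GNU sed'
}

# Ports below 1024 are privileged on Linux: binding needs root or CAP_NET_BIND_SERVICE.
port_needs_root() {
  [ "$1" -lt 1024 ]
}

# Replace an existing "KEY=..." line (commented out or not) in an ini file, or append it.
# Values go through the environment so awk does not interpret backslashes in passwords.
set_ini_prop() {
  file=$1
  K=$2 V=$3 awk '
    BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"]; done = 0 }
    !done && $0 ~ ("^#* *" k "=") { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Generate a keystore with a self-signed certificate (fine for testing; for production
# import a CA-issued chain into the same keystore with keytool -importcert instead).
gen_keystore() {
  ks=$1 cn=$2 storepass=$3 keypass=$4
  if [ ! -f "$ks" ]; then
    keytool -genkeypair -alias datameer -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=$cn" -ext "SAN=dns:$cn" \
      -keystore "$ks" -storepass "$storepass" -keypass "$keypass"
  fi
  chmod 600 "$ks"   # the keystore holds the private key
}

main() {
  storepass=${DAS_SSL_STOREPASS:?set DAS_SSL_STOREPASS to the keystore password}
  keypass=${DAS_SSL_KEYPASS:-$storepass}

  is_gnu_sed || { echo "enable-ssl.sh needs GNU sed; install it or run on a GNU system" >&2; exit 1; }
  if port_needs_root "$SSL_PORT" && [ "$(id -u)" -ne 0 ]; then
    echo "port $SSL_PORT needs root; keep 8443 and forward 443 to it instead" >&2
    exit 1
  fi

  ./bin/conductor.sh stop
  ./bin/enable-ssl.sh                       # disables the http module, writes start.d/ssl.ini
  gen_keystore "$KEYSTORE" "$SSL_CN" "$storepass" "$keypass"

  ini=start.d/ssl.ini
  set_ini_prop "$ini" jetty.ssl.port "$SSL_PORT"
  set_ini_prop "$ini" jetty.sslContext.keyStorePath "$KEYSTORE"
  set_ini_prop "$ini" jetty.sslContext.trustStorePath "$KEYSTORE"
  set_ini_prop "$ini" jetty.sslContext.keyStorePassword "$storepass"
  set_ini_prop "$ini" jetty.sslContext.keyManagerPassword "$keypass"
  set_ini_prop "$ini" jetty.sslContext.trustStorePassword "$storepass"
  chmod 600 "$ini"                          # plaintext passwords live here now
  if [ "$KEYSTORE" != etc/keystore ]; then
    rm -f etc/keystore                      # drop the demo keystore copied from modules/ssl
  fi

  ./bin/conductor.sh start
}

# Run only when explicitly asked, so the functions can be sourced for checks.
case "${1-}" in --apply) main ;; esac
```

Run it as DAS_SSL_STOREPASS=... ./enable-datameer-ssl.sh --apply from the installation directory. Jetty accepts the passwords in plaintext in ssl.ini, which is why the file is locked down to the service account; obfuscating them with Jetty's OBF: scheme would add nothing an attacker with read access could not undo.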
Prevent Loading of Mixed Content
INFO
Datameer X serves unencrypted traffic on its HTTP port and encrypted traffic on its HTTPS port. A page loaded over HTTPS that pulls in resources over HTTP is mixed content, which browsers block or render incorrectly.
To prevent the loading of mixed content, consider the following:
Allow traffic through your network's firewall on port 8443 to the Datameer X host.
Block traffic through your network's firewall on port 8080 to the Datameer X host.
Change your network's load balancer redirection to send port 443 traffic to port 8443 on the Datameer X host.
Enable the Jetty SSL module within the Datameer X installation. This will already have been done if you followed the steps above.
Disable the HTTP module within the Datameer X installation. Again, this will already have been done if you followed the steps above.
Custom Certificates
Caveats
According to w3.org documentation, ports below 1024 are privileged on Linux: only root, or a process granted the CAP_NET_BIND_SERVICE capability, can bind to them. If jetty.ssl.port is set to 443 and Datameer X runs as an unprivileged user, the embedded Jetty web service fails to start. Rather than running Datameer X as root, keep port 8443 and forward 443 to it (see Port forwarding).
Example output from logs/<date>.stderrout.log:
Port forwarding
Example details for port forwarding.
Please refer to your environment's standards before modifying iptables:
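The host-level counterpart of the mixed-content list and the port forwarding described above, as an added example that is not Datameer's own code: it prints (or applies) iptables rules that admit 8443, drop the old HTTP port 8080 and redirect 443 to 8443 in the nat table, so Jetty keeps binding 8443 as an unprivileged user and no root or CAP_NET_BIND_SERVICE grant is needed. It then verifies the rules by parsing iptables -S output, which is also the check to run after a reboot. Port numbers and the assumption that iptables (or the iptables-nft shim) is in use are the example's own; adapt to your environment's standards.

```shell
#!/bin/sh
# Added example: host-level port forwarding and firewalling for Datameer X.
# Not Datameer's own code. Assumes Jetty listens on 8443 as an unprivileged
# user, the disabled HTTP module's port was 8080, and iptables (or the
# iptables-nft shim) is in use. Adapt to your environment's standards first.
set -eu

EXT_PORT=${EXT_PORT:-443}     # what browsers connect to
SSL_PORT=${SSL_PORT:-8443}    # what Jetty binds (jetty.ssl.port)
HTTP_PORT=${HTTP_PORT:-8080}  # the old plain HTTP port, blocked as defence in depth

# Print the iptables commands instead of running them, so they can be reviewed
# (or attached to the change ticket) before --apply.
forward_rules() {
  ext=$1 ssl=$2 http=$3
  cat <<EOF
iptables -A INPUT -p tcp --dport $ssl -j ACCEPT
iptables -A INPUT -p tcp --dport $http -j DROP
iptables -t nat -A PREROUTING -p tcp --dport $ext -j REDIRECT --to-ports $ssl
iptables -t nat -A OUTPUT -o lo -p tcp --dport $ext -j REDIRECT --to-ports $ssl
EOF
}

# Read "iptables -t nat -S PREROUTING" output on stdin and succeed if the
# redirect from EXT to SSL is present. Anchored so 443/4430 and 8443/84430 differ.
has_redirect() {
  grep -qE "^-A PREROUTING .*--dport $1 .*-j REDIRECT --to-ports $2\$"
}

# Same check for the INPUT drop on the old HTTP port, from "iptables -S INPUT".
has_http_drop() {
  grep -qE "^-A INPUT .*--dport $1 .*-j DROP\$"
}

verify() {
  iptables -t nat -S PREROUTING | has_redirect "$EXT_PORT" "$SSL_PORT" \
    || { echo "missing redirect $EXT_PORT -> $SSL_PORT" >&2; return 1; }
  iptables -S INPUT | has_http_drop "$HTTP_PORT" \
    || { echo "port $HTTP_PORT is not dropped" >&2; return 1; }
  echo "forwarding ok"
}

case "${1-}" in
  --print)  forward_rules "$EXT_PORT" "$SSL_PORT" "$HTTP_PORT" ;;
  --apply)  forward_rules "$EXT_PORT" "$SSL_PORT" "$HTTP_PORT" | sh -e && verify ;;
  --verify) verify ;;
esac
```

The REDIRECT rule rewrites the destination port before the filter table sees the packet, so the INPUT ACCEPT for 8443 covers redirected 443 traffic as well, and the OUTPUT rule on lo does the same for clients on the host itself. Rules added this way do not survive a reboot; persist them with iptables-save or your distribution's mechanism and run --verify after restarts.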