{"type":"doc","content":[{"type":"paragraph","content":[{"text":"This guide will assist you with importing a custom SSL certificate for enterprise and production Datameer X environments.","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"63e4ecd6-6a2f-4f4f-8a71-48f95efed3b1"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"cf22d69e-2c49-4b7d-8dd4-e8004f70ee00"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"paragraph","content":[{"text":"Before you attempt to create a custom certificate, check the following to ensure your environment is ready:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/DAS110/pages/9645138311"}}]},{"text":" Datameer X and ","type":"text"},{"text":"Enable SSL","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/DAS110/pages/33544077313"}}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install the ","type":"text"},{"text":"Java Cryptography Extension","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.oracle.com/cd/E19398-01/820-1228/auto25/index.html"}}]},{"text":" (JCE) for your version of Java.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Work within the ","type":"text"},{"text":"current","type":"text","marks":[{"type":"code"}]},{"text":" Datameer X installation directory.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Familiarize yourself with ","type":"text"},{"text":"obfuscating passwords","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.oracle.com/cd/E35822_01/server.740/es_admin/src/tadm_ssl_jetty_passwords.html"}}]},{"text":". The following is an example where the password \"changeit\" is obfuscated:","type":"text"}]},{"type":"paragraph","content":[{"text":"Obfuscate password","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"none"},"content":[{"text":"[datameer@ current]$ java -cp ./lib/jetty-util-.jar org.eclipse.jetty.util.security.Password\n:INFO::main: Logging initialized @75ms\nUsage - java org.eclipse.jetty.security.Password [] \nIf the password is ?, the user will be prompted for the password\n# According \n# Usage - java org.eclipse.jetty.security.Password [] \n# the user value is optional \n[datameer@ current]$ java -cp lib/jetty-util-.jar org.eclipse.jetty.util.security.Password changeit\n:INFO::main: Logging initialized @75ms\nchangeit\nOBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0\nMD5:b91cd1a54781790beaa2baf741fa6789","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Providing a Custom Certificate for Embedded Jetty","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Get a certificate","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Generate a ","type":"text"},{"text":"private key","type":"text","marks":[{"type":"link","attrs":{"href":"https://en.wikipedia.org/wiki/Public-key_cryptography"}}]},{"text":" and a ","type":"text"},{"text":"certificate signing request (CSR)","type":"text","marks":[{"type":"link","attrs":{"href":"https://en.wikipedia.org/wiki/Certificate_signing_request"}}]},{"text":" file before requesting CA authorized certificates:","type":"text"}]},{"type":"paragraph","content":[{"text":"Create CSR file","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"openssl req -new -newkey rsa:2048 -nodes -keyout .key -out .csr","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Download the certificates from the ","type":"text"},{"text":"certificate authority (CA)","type":"text","marks":[{"type":"link","attrs":{"href":"https://en.wikipedia.org/wiki/Certificate_authority"}}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check your ","type":"text"},{"text":"X.509 certificates","type":"text","marks":[{"type":"link","attrs":{"href":"https://en.wikipedia.org/wiki/X.509#Certificates"}}]},{"text":":","type":"text"}]},{"type":"paragraph","content":[{"text":"Check certificate","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"openssl x509 -in .crt -text -noout","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Generate a ","type":"text"},{"text":"PKCS12","type":"text","marks":[{"type":"link","attrs":{"href":"https://en.wikipedia.org/wiki/PKCS_12"}}]},{"text":" file:","type":"text"}]},{"type":"paragraph","content":[{"text":"Generate PKCS12 file","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"openssl pkcs12 -inkey .key -in .crt -export -out datameer.p12 -name datameer","type":"text"}]},{"type":"paragraph","content":[{"text":"This file bundles ","type":"text"},{"text":"the private ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}}]},{"text":" ","type":"text"},{"text":"key together with the public X.509 certificate and is a public key cryptographic standard. The private key needs to be protected by a password. ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}}]},{"text":"For the key password, you can use ","type":"text"},{"text":"keypwd","type":"text","marks":[{"type":"code"}]},{"text":". ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Obfuscate the password.","type":"text"}]},{"type":"paragraph","content":[{"text":"Obfuscate password","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"[datameer@ current]$ java -cp lib/jetty-util-.jar org.eclipse.jetty.util.security.Password datameer keypwd\n:INFO::main: Logging initialized @75ms\nkeypwd\nOBF:1u2u1wml1z7s1z7a1wnl1u2g\nMD5:4a27e9a4bd7a907bd04606dd05be4d25\nCRYPT:da3b2s9U.Q7Nw","type":"text"}]},{"type":"paragraph","content":[{"text":"The obfuscated key password, in this example ","type":"text"},{"text":"OBF:1u2u1wml1z7s1z7a1wnl1u2g","type":"text","marks":[{"type":"code"}]},{"text":" , will need to be added to Datameer’s ","type":"text"},{"text":"start.d/ssl.ini","type":"text","marks":[{"type":"code"}]},{"text":" file under the parameter ","type":"text"},{"text":"jetty.sslContext.keyManagerPassword","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Generate a keystore ","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#555555"}}]},{"text":"Generate a repository of security certificates for Datameer's embedded Jetty. For this process, use ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}}]},{"text":"keytool","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}},{"type":"link","attrs":{"href":"https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html"}}]},{"text":". ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}}]},{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#555555"}}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the default ","type":"text"},{"text":"keystore","type":"text","marks":[{"type":"code"}]},{"text":" located in your Datameer X installation path within ","type":"text"},{"text":"etc/","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]},{"type":"paragraph","content":[{"text":"Check keystore","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"[datameer@ current]$ keytool -list -v -keystore etc/keystore | grep -i 'jetty'\nEnter keystore password: storepwd\nAlias name: jetty\nOwner: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown\nIssuer: CN=jetty.mortbay.org, OU=Jetty, O=Mort Bay Consulting Pty Ltd, L=Unknown, ST=Unknown, C=Unknown","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Backup the default ","type":"text"},{"text":"keystore","type":"text","marks":[{"type":"code"}]},{"text":" file:","type":"text"}]},{"type":"paragraph","content":[{"text":"Backup keystore","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"mv etc/keystore etc/keystore.original","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ensure you no longer have a file named ","type":"text"},{"text":"keystore","type":"text","marks":[{"type":"code"}]},{"text":" within the ","type":"text"},{"text":"etc/","type":"text","marks":[{"type":"code"}]},{"text":" path.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a new Java KeyStore (JKS) file using the ","type":"text"},{"text":"datameer.p12","type":"text","marks":[{"type":"code"}]},{"text":" file that was generated previously. ","type":"text"},{"text":"The ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}}]},{"text":"keystore","type":"text","marks":[{"type":"code"}]},{"text":" must be protected by a password. ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#252525"}}]}]},{"type":"paragraph","content":[{"text":"Create keystore ","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"keytool -importkeystore -srckeystore datameer.p12 -srcstoretype PKCS12 -destkeystore etc/keystore ","type":"text"}]},{"type":"paragraph","content":[{"text":"For the keystore password you can use ","type":"text"},{"text":"storepwd","type":"text","marks":[{"type":"code"}]},{"text":". ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Obfuscate the password:","type":"text"}]},{"type":"paragraph","content":[{"text":"Obfuscate password","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"[datameer@ current]$ java -cp lib/jetty-util-.jar org.eclipse.jetty.util.security.Password datameer storepwd\n:INFO::main: Logging initialized @75ms\nstorepwd\nOBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4\nMD5:7bfa04a176c6d48e5283e1c037e4668e\nCRYPT:dake2.vBb3e52","type":"text"}]},{"type":"paragraph","content":[{"text":"The obfuscated ","type":"text"},{"text":"keystore","type":"text","marks":[{"type":"code"}]},{"text":" password, in this example ","type":"text"},{"text":"OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4","type":"text","marks":[{"type":"code"}]},{"text":" , will need to be added to Datameer’s ","type":"text"},{"text":"start.d/ssl.ini","type":"text","marks":[{"type":"code"}]},{"text":" file under the parameter ","type":"text"},{"text":"jetty.sslContext.keyStorePassword","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the generated ","type":"text"},{"text":"keystore","type":"text","marks":[{"type":"code"}]},{"text":" repository:","type":"text"}]},{"type":"paragraph","content":[{"text":"Check keystore","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"[datameer@ current]$ keytool -list -v -keystore etc/keystore | grep -i 'datameer'\nEnter keystore password: storepwd\nAlias name: datameer\nOwner: <...>\nIssuer: <...>","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Use your own keystore","type":"text"}]},{"type":"paragraph","content":[{"text":"To use the custom certificate stored in the created Java Keystore (JKS) file, configure the start up configuration file. ","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the current configuration:","type":"text"}]},{"type":"paragraph","content":[{"text":"Check current config","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"# The path to the keystore file \n[datameer@ current]$ java -jar start.jar --list-config | grep -i 'StorePath ='\n jetty.sslContext.keyStorePath = etc/keystore\n jetty.sslContext.trustStorePath = etc/keystore\n# The necessary passwords \n[datameer@ current]$ java -jar start.jar --list-config | grep -i 'Password ='\n jetty.sslContext.keyManagerPassword = OBF:1u2u1wml1z7s1z7a1wnl1u2g\n jetty.sslContext.keyStorePassword = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4\n jetty.sslContext.trustStorePassword = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Back up the default configuration:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#555555"}}]}]},{"type":"paragraph","content":[{"text":"Backup config","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"cp start.d/ssl.ini start.d/ssl.ini.backup ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure","type":"text","marks":[{"type":"textColor","attrs":{"color":"#555555"}}]},{"text":" ","type":"text"},{"text":"start.d/ssl.ini","type":"text","marks":[{"type":"code"}]},{"text":" by locating and altering the following parameters:","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"false

Since this example uses default values, no changes are necessary.

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Since this example uses default values, no changes are necessary.","type":"text"}]}]}],"version":1},"reason":"An info macro in a list item can't be created or edited in the new editor."}}}]},{"type":"paragraph","content":[{"text":"Configure start.d/ssl.ini","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"jetty.ssl.port=\t\t\t\t\t\t(default=8443)\njetty.sslContext.keyStorePath= \t(default=etc/keystore)\njetty.sslContext.trustStorePath= \t(default=etc/keystore)\njetty.sslContext.keyStorePassword=\t\t(default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4\njetty.sslContext.keyManagerPassword=\t\t(default=OBF:1u2u1wml1z7s1z7a1wnl1u2g)\njetty.sslContext.trustStorePassword=\t\t(default=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a configuration change log:","type":"text"}]},{"type":"paragraph","content":[{"text":"Create changelog","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"diff -e start.d/ssl.ini.backup start.d/ssl.ini > changes.start.ini","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart the Datameer X service to enable the above changes and monitor the boot process:","type":"text"}]},{"type":"paragraph","content":[{"text":"Restart and monitor","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"[datameer@ current]$ ./bin/conductor.sh restart\n[datameer@ current]$ tail -f logs/conductor.log","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Renew certificate","type":"text"}]},{"type":"paragraph","content":[{"text":"Certificates typically have an expiration date as such it is necessary to renew them to prevent Datameer X from loading out of date certificates. To do so, complete the ","type":"text"},{"text":"following steps","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/DAS110/pages/33544077364"}}]},{"text":":","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Get own certificate","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Generate own keystore ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Use own keystore","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":" ","type":"text"},{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"trustcertificates"}},"macroMetadata":{"macroId":{"value":"b6a01bf6-66cf-4413-9b39-93b914258a0e"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"4c1821f6-bc53-4c48-990e-d82a337a27ad"}},{"text":"Trusting Custom Certificates from Other Services","type":"text"}]},{"type":"paragraph","content":[{"text":"The Java Virtual Machine (JVM) enforces security and validates the certification path to the requested target. If the certificate isn't provided from a generally trusted ","type":"text"},{"text":"root certificate","type":"text","marks":[{"type":"link","attrs":{"href":"https://en.wikipedia.org/wiki/Root_certificate"}}]},{"text":", you must trust the certificate by adding it to the ","type":"text"},{"text":"truststore","type":"text","marks":[{"type":"code"}]},{"text":" of the Java Virtual Machine (JVM) that runs Datameer. ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Gather the certificate:","type":"text"}]},{"type":"paragraph","content":[{"text":"Gather certificate","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"openssl s_client -connect ..: -showcerts /dev/null | openssl x509 -outform PEM > .pem","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Validate the certificate:","type":"text"}]},{"type":"paragraph","content":[{"text":"Validate certificate","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"openssl x509 -in .pem -inform pem -noout -text","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Trust the certificate by importing it:","type":"text"}]},{"type":"paragraph","content":[{"text":"Import certificate","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"sudo keytool -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias -file .pem","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart the Datameer X service to enable the above changes and monitor the boot process:","type":"text"}]},{"type":"paragraph","content":[{"text":"Restart and monitor","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"[datameer@ current]$ ./bin/conductor.sh restart\n[datameer@ current]$ tail -f logs/conductor.log","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Further Information ","type":"text"}]},{"type":"paragraph","content":[{"text":"For more information, refer to the ","type":"text"},{"text":"Secure Socket Extension (JSSE) Reference Guide","type":"text","marks":[{"type":"link","attrs":{"href":"http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html"}}]},{"text":". ","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The JDK ships with a limited number of trusted root certificates in the /lib/security/cacerts file. As documented in ","type":"text"},{"text":" keytool ","type":"text","marks":[{"type":"link","attrs":{"href":"http://docs.oracle.com/javase/7/docs/technotes/tools/index.html#security"}}]},{"text":", it is your responsibility to maintain (that is, add/remove) the certificates contained in this file if you use this file as a truststore.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"You can also review available documentation from Hadoop distributors, such as ","type":"text"},{"text":"Creating Java Keystores and Truststores","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_create_key_trust.html"}}]},{"text":", ","type":"text"},{"text":"Understanding the SSL Keystore Factory","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ch_wire-https.html"}}]},{"text":", and ","type":"text"},{"text":"Demystify LDAP, SSL, CA Cert integration","type":"text","marks":[{"type":"link","attrs":{"href":"https://community.hortonworks.com/articles/14900/demystify-knox-ldap-ssl-ca-cert-integration-1.html"}}]},{"text":". If you want to connect to an specific service, see vendor documentation such as ","type":"text"},{"text":"Configure External SSL for Tableau","type":"text","marks":[{"type":"link","attrs":{"href":"https://onlinehelp.tableau.com/current/server/en-us/ssl_config.htm"}}]},{"text":".","type":"text"}]}],"version":1}

Browser not supported