
Appendix F: SSL Type between HDFS IDP and Controller

SSL Type is set to No SSL

No change needed.

SSL Type is set to 1-way SSL

For 1-way SSL a keystore is created on the server side (the IDP in our case) and the IDP's certificate is exported from it. The keystore's location and its passwords (in encrypted form) are then added to the IDP's jetty-embedded.properties file.

The exported certificate is copied to the client (the controller in our case) and its location is set in dgController.properties, from where it is added to the controller's Java trust store.

IDP Changes

Create the keystore and the .crt file on the IDP side with the following two commands:

CODE
keytool -genkey
-dname "CN=FULL_NAME, OU=UNIT, O=ORG, L=LOCALITY, ST=STATE, C=US"
-alias "ALIAS_NAME"
-keystore "kserver.keystore"
-storepass storepassword
-keypass keypass
-keyalg RSA -sigalg SHA1withRSA

keytool -export
-alias "ALIAS_NAME"
-keystore kserver.keystore
-storepass storepassword
-keypass keypass
-rfc -file kserver.crt

(The -keypass value was missing from the first command on the original page. SHA1withRSA is kept as documented, but SHA-1 certificate signatures are deprecated; on any current JVM use -sigalg SHA256withRSA instead.)

Then modify /<InstallationPath>/Dataguise/DgSecure/IDPs/HDFSIDP/jetty-embedded.properties:

CODE
keyStorePath =/path/to/kserver.keystore
keyManagerPassword = encrypted form of keypass
keyStorePassword = encrypted form of storepassword
needClientAuth = N
sslEnabled = Y

Controller Changes:

  1. The kserver.crt file generated on the IDP side must be copied to the machine where the controller is installed.

  2. The path of this file is set in the variable "pathToCertKey" in the tomcat9\webapps\dgcontroller\WEB-INF\classes\dgController.properties file.

  3. Restart Tomcat.

  4. Login to Admin and enable SSL under the SSL Setting tab for HDFS IDP.

  5. Confirm the IDP is working by doing Test Connection on that IDP under the IDP tab in Admin.

SSL Type is set to 2-way SSL

For 2-way SSL both ends authenticate each other, so two pairs of keystores are needed. For server authentication: a key store holding the IDP's private key (on the IDP) and a trust store holding the IDP's certificate (on the controller). For client authentication: a key store holding the controller's private key (on the controller) and a trust store holding the controller's certificate (on the IDP).

The paths of these keystores and their (encrypted) passwords are then set in the IDP and controller properties files respectively.

On the controller side the key store is loaded into the key manager and the trust store into the trust manager of the SSL context; that is what allows the 2-way handshake between IDP and controller to succeed.

IDP Changes

  1. Two keystore files are created for the IDP side (server level) and two for the controller side (client level). First the IDP key pair: kserver.keystore holds the IDP's private key, kserver.crt is its exported certificate, and tclient.keystore is the trust store for the controller that holds that certificate:

    CODE
    keytool -genkey 
    -dname "CN=FULL_NAME, OU=UNIT, O=ORG, L=LOCALITY, ST=STATE, C=US" 
    -alias "ALIAS_NAME" 
    -keystore "kserver.keystore" 
    -storepass storepassword  
    -keypass keypass 
    -keyalg RSA 
    -sigalg SHA1withRSA
    
    keytool -export 
    -alias "ALIAS_NAME" 
    -keystore kserver.keystore 
    -storepass storepassword 
    -keypass keypass 
    -rfc -file kserver.crt
    
    keytool -import 
    -alias "ALIAS_NAME" 
    -file kserver.crt 
    -storepass storepassword  
    -keypass keypass 
    -keystore tclient.keystore
  2. The tclient.keystore generated here must be copied to the host where the controller is installed.

  3. When creating the keys, keep the values of keypass and storepassword identical. Note that keytool -import asks "Trust this certificate?" and only writes the entry after a yes (or when run with -noprompt).

Controller Side (these are generated on the IDP host as well; the copy step follows below): kclient.keystore holds the controller's private key, kclient.crt is its exported certificate, and tserver.keystore is the trust store for the IDP that holds that certificate:

CODE
keytool -genkey 
-dname "CN=FULL_NAME, OU=UNIT, O=ORG, L=LOCALITY, ST=STATE, C=US" 
-alias "ALIAS_NAME" 
-keystore "kclient.keystore" 
-storepass storepassword  
-keypass keypass 
-keyalg RSA 
-sigalg SHA1withRSA

keytool -export 
-alias "ALIAS_NAME" 
-keystore kclient.keystore 
-storepass storepassword 
-keypass keypass 
-rfc -file kclient.crt

keytool -import 
-alias "ALIAS_NAME" 
-file kclient.crt 
-storepass storepassword  
-keypass keypass 
-keystore tserver.keystore
  4. Again, keep the values of keypass and storepassword identical when creating the keys.

  5. Modify /<InstallationPath>/Dataguise/DgSecure/IDPs/HDFSIDP/jetty-embedded.properties:

    CODE
    keyStorePath = /<InstallationPath>/kserver.keystore
    keyManagerPassword = encrypted form of keypass of kserver.keystore
    keyStorePassword = encrypted form of storepassword of kserver.keystore
    trustStorePath = /path/to/tserver.keystore
    trustStorePassword = encrypted form of storepassword of tserver.keystore
    needClientAuth = Y
    sslEnabled = Y

*Note: Every keystore password placed in a properties file (on the controller and on the IDP) must first be encrypted with the following dgcl command; the encrypted value, not the plaintext, is what goes into the file:

CODE
encrypt password "passwordString";
// "passwordString" is the password to be encrypted


Controller Side:

  1. The kclient.keystore and tclient.keystore files created on the IDP host must be copied to the host where the controller is installed.

  2. The locations of these keystores and their respective (encrypted) passwords are set in \<InstallationPath>\tomcat9\webapps\dgcontroller\WEB-INF\classes\dgController.properties under the following parameters (kclient.keystore is the controller's own key store, used by the key manager; tclient.keystore holds the IDP certificate, used by the trust manager):

    CODE
    serverKeyStoreFileLocation = /path/to/kclient.keystore
    keyStorepasswordServer = encrypted form of kclient.keystore's storepassword
    clientKeyStoreFileLocation = /path/to/tclient.keystore
    keyStorepasswordClient = encrypted form of tclient.keystore's storepassword

  3. Restart Tomcat.

  4. Login to Admin and enable SSL under SSL Setting tab for HDFS IDP.

  5. Confirm the IDP is working by doing Test Connection on that IDP under the IDP tab in Admin.
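The 1-way and 2-way key generation steps above, collected into one POSIX shell script. This is an added example, not the documentation's or the product's own script. It keeps the page's file names (kserver, kclient, tclient, tserver) and its rule that keypass equals storepassword; the hostnames, aliases, JKS store type, RSA key size, validity period and the SHA256withRSA signature algorithm (in place of SHA1withRSA) are assumptions of the example. The verify_two_way check catches the two mistakes that most often break the handshake once needClientAuth = Y is set: a key store and a trust store swapped, and a trust store that still holds an old certificate.

```sh
#!/bin/sh
# Added example (not part of the DgSecure/PK Protect documentation): generates
# the 1-way and 2-way SSL key material described above with keytool and checks
# that each file holds the right kind of entry before anything is copied around.
# Assumptions not taken from the page: hostnames, aliases, JKS store type, a
# 2048-bit RSA key, 825-day validity, and SHA256withRSA instead of SHA1withRSA.
set -eu

IDP_HOST="${IDP_HOST:-idp.example.internal}"            # assumed IDP hostname (CN and SAN)
CTRL_HOST="${CTRL_HOST:-controller.example.internal}"   # assumed controller hostname
SERVER_PASS="${SERVER_PASS:-server-store-pass}"         # one password per store: storepass == keypass
CLIENT_PASS="${CLIENT_PASS:-client-store-pass}"
OUT="${OUT:-.}"                                         # where the keystores are written

# make_keypair <basename> <alias> <password> <hostname>
# Self-signed RSA key pair in <basename>.keystore; certificate exported to
# <basename>.crt in PEM form (what keytool -rfc produces).
make_keypair() {
  keytool -genkeypair -alias "$2" -keystore "$OUT/$1.keystore" -storetype JKS \
    -dname "CN=$4, OU=UNIT, O=ORG, L=LOCALITY, ST=STATE, C=US" -ext "SAN=dns:$4" \
    -storepass "$3" -keypass "$3" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 825
  keytool -exportcert -rfc -alias "$2" -keystore "$OUT/$1.keystore" \
    -storepass "$3" -file "$OUT/$1.crt"
}

# make_truststore <basename> <alias> <password> <crt-file>
# Imports a certificate as a trusted entry; -noprompt answers the
# "Trust this certificate?" question that a plain -import would ask.
make_truststore() {
  keytool -importcert -noprompt -alias "$2" -file "$4" \
    -keystore "$OUT/$1.keystore" -storetype JKS -storepass "$3"
}

# entry_type <keystore> <alias> <password>: prints PrivateKeyEntry or trustedCertEntry
entry_type() {
  keytool -list -keystore "$1" -alias "$2" -storepass "$3" \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# fingerprint <keystore> <alias> <password>: SHA-256 fingerprint of the entry's certificate
fingerprint() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" \
    | grep -m 1 'SHA256:' | sed 's/.*SHA256: *//'
}

# one_way: kserver.keystore stays on the IDP, kserver.crt is copied to the controller.
one_way() {
  make_keypair kserver idp "$SERVER_PASS" "$IDP_HOST"
}

# two_way: the four keystores from the page. kclient.keystore and tclient.keystore
# are copied to the controller host; kserver.keystore and tserver.keystore stay on the IDP.
two_way() {
  make_keypair kserver idp "$SERVER_PASS" "$IDP_HOST"
  make_keypair kclient controller "$CLIENT_PASS" "$CTRL_HOST"
  make_truststore tclient idp "$CLIENT_PASS" "$OUT/kserver.crt"          # controller trusts the IDP
  make_truststore tserver controller "$SERVER_PASS" "$OUT/kclient.crt"   # IDP trusts the controller
}

# verify_two_way: returns 0 when every store holds the expected kind of entry and
# each trust store carries exactly the peer's current certificate, 1 otherwise.
verify_two_way() {
  [ "$(entry_type "$OUT/kserver.keystore" idp "$SERVER_PASS")" = PrivateKeyEntry ] || return 1
  [ "$(entry_type "$OUT/kclient.keystore" controller "$CLIENT_PASS")" = PrivateKeyEntry ] || return 1
  [ "$(entry_type "$OUT/tclient.keystore" idp "$CLIENT_PASS")" = trustedCertEntry ] || return 1
  [ "$(entry_type "$OUT/tserver.keystore" controller "$SERVER_PASS")" = trustedCertEntry ] || return 1
  [ "$(fingerprint "$OUT/kserver.keystore" idp "$SERVER_PASS")" = \
    "$(fingerprint "$OUT/tclient.keystore" idp "$CLIENT_PASS")" ] || return 1
  [ "$(fingerprint "$OUT/kclient.keystore" controller "$CLIENT_PASS")" = \
    "$(fingerprint "$OUT/tserver.keystore" controller "$SERVER_PASS")" ] || return 1
}

case "${1:-}" in
  one-way) one_way ;;
  two-way) two_way && verify_two_way && echo "2-way key material OK in $OUT" ;;
  *) echo "usage: $0 one-way|two-way   (no argument: functions only)" >&2 ;;
esac
```

Run it as `sh make-ssl-stores.sh two-way` in an empty directory on the IDP host, then copy kclient.keystore and tclient.keystore to the controller and encrypt the two passwords with dgcl before writing them into jetty-embedded.properties and dgController.properties. Re-running verify_two_way after any certificate renewal tells you immediately whether the trust stores were updated too.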

Client-Side Configuration:

There are two ways a client can be configured for SSL:

  1. With CA (Certification Authority) authentication: the client validates the certificate presented by the server by checking that the CA which signed it is among the CAs in the client's trust store.

*Note: In PK Protect, if self-signed certificates must be used (not recommended, because of the security risks), they have to be imported into the client-side trust store, i.e. the JVM default trust store: $JAVA_HOME/jre/lib/security/cacerts for a JDK 8 installation, or $JRE_HOME/lib/security/cacerts (for JDK 9 and later the file is at $JAVA_HOME/lib/security/cacerts).

The following keytool command imports a certificate into the JVM trust store (the default cacerts password is "changeit"):
keytool -import -alias <alias name> -keystore <keystorelocation>/cacerts -file <certificate file>

  2. Without CA authentication: the client does not validate the server certificate at all. This is not recommended because it permits a man-in-the-middle attack: with no certificate validation, an attacker on the network path can impersonate the server (or the client) without being noticed.

*Note: It is recommended to keep the JVM at its latest version, because cipher suites and other TLS security settings have been updated in response to attacks such as DROWN. It also avoids failures caused by mismatches between the encryption algorithms an old Java version offers and the updated algorithms enabled on the server side.
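For the self-signed case in the note above, an added shell example (not from the page or the product) that finds the JVM's cacerts for both the JDK 8 and the JDK 9+ layout, backs it up, imports the certificate non-interactively and confirms that the stored entry's SHA-256 fingerprint matches the certificate file. The default password "changeit", the alias and the paths are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the page): installs the IDP's self-signed certificate
# into the controller JVM's default trust store and verifies the entry, handling
# both cacerts layouts. Assumes the JDK default trust store password "changeit"
# and that the certificate file was obtained over a trusted channel.
set -eu

# jvm_cacerts [java-home]: prints the path of the JVM's default trust store, or returns 1.
jvm_cacerts() {
  home="${1:-${JAVA_HOME:-}}"
  [ -n "$home" ] || return 1
  if [ -f "$home/jre/lib/security/cacerts" ]; then    # JDK 8 (JAVA_HOME points at the JDK)
    echo "$home/jre/lib/security/cacerts"
  elif [ -f "$home/lib/security/cacerts" ]; then      # JRE 8 (JRE_HOME) or JDK 9 and later
    echo "$home/lib/security/cacerts"
  else
    return 1
  fi
}

# cert_fingerprint <crt-file>: SHA-256 fingerprint of a PEM or DER certificate file.
# Compare it with what the IDP actually serves before trusting the file, e.g. with
# "openssl s_client -connect idp:port </dev/null | openssl x509 -noout -fingerprint -sha256".
cert_fingerprint() {
  keytool -printcert -file "$1" | grep -m 1 'SHA256:' | sed 's/.*SHA256: *//'
}

# trust_cert <truststore> <alias> <crt-file> [storepass]
# Backs the trust store up (if it exists), imports the certificate as a trusted
# entry and returns 0 only if the alias is now present with the file's fingerprint.
trust_cert() {
  ts="$1"; alias_name="$2"; crt="$3"; pw="${4:-changeit}"
  if [ -f "$ts" ]; then
    cp -p "$ts" "$ts.bak.$(date +%Y%m%d%H%M%S)"
  fi
  keytool -importcert -noprompt -alias "$alias_name" -file "$crt" \
    -keystore "$ts" -storepass "$pw"
  stored="$(keytool -list -v -keystore "$ts" -storepass "$pw" -alias "$alias_name" \
    | grep -m 1 'SHA256:' | sed 's/.*SHA256: *//')"
  [ -n "$stored" ] && [ "$stored" = "$(cert_fingerprint "$crt")" ]
}

# Usage (assumed alias and path):
#   trust_cert "$(jvm_cacerts)" idp-hdfs /path/to/kserver.crt && echo "imported"
# then restart Tomcat so the controller JVM reloads its trust store.
```

Import into the JVM that actually runs Tomcat: if the controller is started with a different JAVA_HOME than your shell, pass that directory to jvm_cacerts explicitly. The backup file makes the change reversible, and the fingerprint check turns a silent "wrong file imported" into a non-zero exit.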
