...
| Info |
|---|
Valid as of Datafari 5.1 The documentation below is valid both for Datafari CE and Datafari EE |
Starting from Datafari 5.1, we have decided to put as open source the https/ssl security of Datafari, because we want our open source users to also work in a secure environment. You will find more explanations in the subpages.
...
| Info |
|---|
Valid from 4.0The documentation below is valid from Datafari v4.0.0 upwards |
Datafari enterprise edition comes out of the box with the possibility to enable the SSL protocol. This protocol allows to strongly encrypt the data transfert between different systems.
This section describes how to configure HTTPS/SSL on the different components of Datafari, and also explains how to update your certificate. For technical explanations on why and how it works, please check /wiki/spaces/DATAFARI/pages/564625505
The protocol is used on Datafari, Solr, and Kibana which are, according to us, the critical parts of the product concerning the data. Unfortunately, Elasticsearch does not provide a simple way to use the SSL protocol , so either you have to purchase their "Shield" extension which provides a very easy way to implement security for ES, either you have to manually configure a proxy server.
The following documentation describes how the SSL protocol has been implemented and how you can configure it to fits with your needs.The first thing to take into consideration is that Datafari is using a single self signed certificate having "localhost" as CN (Common Name). This is the reason why the first thing you should do is to replace this certificate by your/yours.
To do this, let's begin to see where the certificate is located. In the installation directory of Datafari you will find a folder named "ssl-keystore" which contains 5 files:
...
| Note |
|---|
The password for the keystores is 'DataFariAdmin' |
Two different versions of the keystore and the certificate have been generated to cover the JAVA and PKCS12 formats. The reason is that some applications only support PKCS12/PEM format, like Kibana for example.
Now how those files are used ? Let explain it for each application
Datafari
To begin with, let's be clear, when speaking of Datafari we are speaking of Tomcat. As it is the container of the Datafari webapp, Tomcat is configured to force the SSL protocol. If you look at the 'server.xml' file located in '{Datafari_Install_Dir}/tomcat/conf' and search for the connector of the 8433 port, you will find these lines:
| Code Block |
|---|
<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="8443"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="../ssl-keystore/datafari-keystore.jks" keystorePass="DataFariAdmin"
clientAuth="false" sslProtocol="TLS"/> |
...
| Code Block |
|---|
<security-constraint>
<web-resource-collection>
<web-resource-name>Datafari</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint> |
...
| Code Block |
|---|
export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=${DATAFARI_HOME}/ssl-keystore/datafari-keystore.jks -Djavax.net.ssl.trustStorePassword=DataFariAdmin" |
The trustStore is used to identifies the trusted certificates. When a request will be sent to Solr or Kibana, both applications will provide their certificate info and Tomcat will use the trustStore to determine if the certificate is trusted or not.
| Warning |
|---|
For this reason, if you decide to use another keystore or certificate than the one provided, do not forget either to reference the correct keystore as trustStore in the set-datafari-env.sh script, or to add the new certificate to the existing datafari-keystore.jks |
Solr
Activate the SSL protocol for Solr is quite simple. Search for 'SOLR_SSL' in the solr.in.sh file located in '{Datafari_Install_Dir}/solr/bin/' and you should find these lines:
| Code Block |
|---|
SOLR_SSL_KEY_STORE=${DATAFARI_HOME}/ssl-keystore/datafari-keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=DataFariAdmin
SOLR_SSL_TRUST_STORE=${DATAFARI_HOME}/ssl-keystore/datafari-keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=DataFariAdmin
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false |
...
Zookeeper
Zookeeper is configured by default to use the HTTP protocol. To enable the HTTPS protocol you have to run the following command:
| Code Block |
|---|
/opt/datafari/solr/server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd clusterprop -name urlScheme -val https |
You also need to specify the HTTPS protocol in the /opt/datafari/tomcat/conf/datafari.properties file for the SOLRHOSTS property:
| Code Block |
|---|
SOLRHOSTS=https://localhost:2181 |
...
Kibana
The Kibana configuration to activate the SSL protocol is as simple as the Solr one. Search for 'server.ssl' in the 'kibana.yml' file located in '{Datafari_Install_Dir}/elk/kibana/config/':
| Code Block |
|---|
server.ssl.enabled: true
server.ssl.cert: /opt/datafari/ssl-keystore/datafari-cert.pem
server.ssl.key: /opt/datafari/ssl-keystore/datafari-key.pem |
Here the difference is that Kibana only accepts the 'PKCS12/PEM' format for the certificate and its private key. So if you use your own certificate, you will have to generate it and its associated NON ENCRYPTED private key (otherwise you will not be able to import it) in this format, thanks to a tool like openssl.
Now you have a better understanding of the behavior of Datafari concerning the SSL protocol. As said in the beginning of this documentation, Elasticsearch does not provide a simple way to enable the SSL. If you don't want to purchase their 'Shield' extension, the best approach to implement SSL is to create a proxy (apache proxy for example), and redirect every query addressed to ES to force the protocol. You can contact France Labs in case you need help for this.