| Table of Contents |
|---|
Creating a Java KeyStore and SSL certificate
MettleCI Workbench can be configured to expose ports over HTTP, HTTPS, or both simultaneously at separate ports. Before configuring Workbench to use HTTPS a Java KeyStore containing the HTTPS certificate must be created. Java KeyStores can be created and managed using the keytool command included with all installations of Java.
...
First ensure that you use the keytool command shipped with the Java v1.8 package you downloaded to support MettleCI. You can check your command line’s default keytool using operating-specific commands where keytool
| Status | ||||
|---|---|---|---|---|
|
which keytool | Status | ||||
|---|---|---|---|---|
|
Next, use a command with the following template to create a keystore containing a basic self-signed certificate:
| Code Block | ||
|---|---|---|
| ||
keytool -genkey -keyalg RSA -alias workbench -keystore <path-to-keystore>
-storepass <store-password> -storetype PKCS12 -keysize 2048
-sigalg SHA256withRSA -dname "CN=<host url>"
-ext san=dns:engine.yourdomain.com |
Please replace the <placeholder-values> in this command based on the following descriptions:
Placeholder | Description | Example Value |
|---|---|---|
path-to-keystore | Full qualified path of the key store to be created |
|
store-password | Password required when reading or writing to the newly created key store | Choose a random password string. Note that the key stores supplied with Java have a default password of |
host-url | The domain name of the URL that will be used to access Workbench in your browser. This does not include the protocol or port numbers. For example, |
(no port number) |
For example, this command creates a keystore called workbench.p12 in the MettleCI home directory for use with workbench currently accessed at URL http://my-engine.datamigrators.com:8080:
| Expand | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| |||||||||
You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example.
If you need to export your certificate for signing you can use a command like the following:
|
| Expand | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
Ensure that your keystore has at least 644 ( Ensure that your keystore is owned by You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example above.
If you need to export your certificate for signing you can use a command like the following:
|
Note that with the exception of keytool -list the keytool command will not normally return a value to the console.
...
Enabling HTTPS support
Once a keystore containing the Workbench HTTPS certificate has been created, update your MettleCI config.yml file to add the following section:
| Code Block | ||
|---|---|---|
| ||
server:
applicationConnectors:
- type: https
port: 8443
keyStoreType: PKCS12
keyStorePath: <path-to-keystore>
keyStorePassword: <store-password>
trustStoreType: PKCS12
trustStorePath: <path-to-keystore>
trustStorePassword: <store password> |
The <placeholder-values> must match those used while creating the Java keystore. For example:
| Expand | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
If you wish to allow Workbench to communicate over both HTTP and HTTPS protocols then you configure your
|
| Expand | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
If you wish to allow Workbench to communicate over both HTTP and HTTPS protocols then you configure your
|
The ports given above are only examples, and you’re free to use custom port numbers as desired.
Once your changes are saved restart your Workbench service using the Services utility
| Status | ||||
|---|---|---|---|---|
|
| Status | ||
|---|---|---|
|
| Code Block | ||
|---|---|---|
| ||
sudo service dm-mettleci-workbench stop
sudo service dm-mettleci-workbench start |
Verify Workbench is up and running under HTTP and/or HTTPS by navigating to https://<host url>:8443 and/or http://<host url>:8080 (as appropriate) in your browser.
...
Trusting your certificate
You will need your local browser to trust the certificate on your DataStage engine tier. There will be slightly different processes for this depending upon your chosen browser and whether or not you have self-signed the certificate or used a CA.
Typically, when you first connect to Workbench using HTTPS you will see a certificate error in your browser.
This may look like this…
...
or this…
...
Click on the warning indicator ('Not secure' or ‘iCertificate error’ in these examples) and select Certificate (not valid).
...
This will present a certificate dialog which may or may not allow you to install the certificate.
...
Before installing your certificate
Before you install your certificate click on the Details tab and look at the Thumbprint algorithm and Thumbprint values.
...
The Thumbprint value should match the appropriate value displayed by the keytool -list command you entered when you first generated your certificate keystore.
| Code Block |
|---|
Certificate fingerprints:
MD5: 86:6A:96:1E:29:19:45:F9:46:B9:E6:54:DD:D0:1D:6C
SHA1: 11:A1:75:E2:71:AA:5D:C8:85:8A:BF:65:02:FC:09:2D:C7:41:CA:BC
SHA256: 5C:3A:87:77:13:17:77:F8:7C:2F:8A:F4:48:0D:B6:61:31:92:91:B6:90:36:0B:4C:5B:BC:30:5F:EC:C1:CA:36 |
If the ‘Install Certificate…’ option is available
If your Certificate You should then use your browser to install the certificate into the “Trusted Root CA” certificate store. To do this you may need to invoke your browser using elevated privileges by starting it with the Run as Administrator option.