Versions Compared

Old Version 20

changes.mady.by.user John McKeever

Saved on

compared with

New Version 21

changes.mady.by.user John McKeever

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Creating a Java key store containing your HTTPS certificate

Before configuring Workbench to use HTTPS a Java Key Store containing the HTTPS certificate must be created. Java key stores can be created and managed using the keytool command included with all installations of Java can be used to create and manage this key store.

Table of Contents

First ensure that you use the keytool command shipped with the Java v1.8 package you downloaded to support MettleCI. You can check your command line’s default keytool using operating-specific commands where keytool

Status
colourBlue
titleWindows
or which keytool
Status
colourYellow
titleUnix
.

Verify that the response indicates that you will be using the keytool in the correct bin directory (e.g. in your OpenJDK installation).

Next, use a command with the following template to create a keystore containing a basic self-signed certificate:

Code Block
languagebash
keytool -genkey -keyalg RSA -alias workbench -keystore <path-to-keystore> -storepass <store-password> -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=<host url>"

Please replace the <placeholders> in this command based on the following descriptions:

Placeholder

Description

Example Value

path to key store

Full qualified path of the key store to be created

/opt/dm/mci/workbench.p12 (Unix)

C:\dm\mci\workbench.p12 (Windows)

store password

Password required when reading or writing to the newly created key store

Choose a random password string.

Note that the key stores supplied with Java have a default password of changeit.

host url

The domain name of the URL that will be used to access Workbench in your browser. This does not include the protocol or port numbers. For example, datamigrators.com

your-engine.yourdomain.com

(no port number)

For example, this command creates a keystore called workbench.p12 in the MettleCI home directory for use with workbench currently accessed at URL http://my-engine.datamigrators.com:8080:

Expand
titleWindows
Code Block
languagebash
keytool -genkey -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12 -storepass changeit -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=my-engine.datamigrators.com"

You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example.

Code Block
keytool -list -v -keystore C:\dm\mci\workbench.p12
Enter keystore password: ********

If you need to export your certificate for signing you can use a command like the following:

Code Block
keytool -certreq -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit -sigalg SHA256withRSA -file /opt/dm/mci/workbench.csr
Expand
titleUnix
Code Block
languagebash
keytool -genkey -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=my-engine.datamigrators.com"

Ensure that your keystore has at least 644 (rw-r--r--) privileges.

You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example.

Code Block
languagebash
keytool -list -v -keystore /opt/dm/mci/workbench.p12
Enter keystore password: ********

If you need to export your certificate for signing you can use a command like the following:

Code Block
keytool -certreq -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12 -storepass changeit -sigalg SHA256withRSA -file C:\dm\mci\workbench.csr

Note that with the exception of keytool -list the keytool command will not normally return a value to the console.

Enabling HTTPS support

Once a keystore containing the Workbench HTTPS certificate has been created, update your MettleCI config.yml file to add the following section:

Code Block
languageyaml
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: <path-to-keystore>
      keyStorePassword: <store-password>
      trustStoreType: PKCS12
      trustStorePath: <path-to-keystore>
      trustStorePassword: <store password>

The <place holders> must match those used while creating the Java keystore. For example:

Expand
titleWindows
Code Block
languageyaml
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: /opt/dm/mci/workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: /opt/dm/mci/workbench.p12
      trustStorePassword: changeit
Expand
titleUnix
Code Block
languageyaml
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: C:\dm\mci\workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: C:\dm\mci\workbench.p12
      trustStorePassword: changeit

The ports given above are only examples, and you’re free to use custom port numbers as desired.

Once your changes are saved restart your Workbench service using the Service Manager utility on Windows, or this command on Unix: .

Code Block
languagebash
sudo service dm-mettleci-workbench restart

Verify Workbench is up and running under HTTPS by navigating to https://<host url>:8443 in your browser

Trusting your certificate

You will need your local browser to trust the certificate on your DataStage engine tier. There will be slightly different processes for this depending upon your chosen browser and whether or not you have self-signed the certificate or used a CA.

Typically, when you first connect using HTTPS you will see a certificate error in your browser:

Image Added

Image Added

Click on the warning indicator ('⚠ Not secure' in this example) and select Certificate.

Image Added

This will present a certificate dialog which will allow you to .

Image Added

Click on the Details tab and look at the Thumbprint algorithm and Thumbprint values. These should match the values derived from the keytool -list command you entered when you first genrated your certificate.

Code Block
Certificate fingerprints:
  MD5:  86:6A:96:1E:29:19:45:F9:46:B9:E6:54:DD:D0:1D:6C
  SHA1: 11:A1:75:E2:71:AA:5D:C8:85:8A:BF:65:02:FC:09:2D:C7:41:CA:BC
  SHA256: 5C:3A:87:77:13:17:77:F8:7C:2F:8A:F4:48:0D:B6:61:31:92:91:B6:90:36:0B:4C:5B:BC:30:5F:EC:C1:CA:36

You should then use your browser to install the certificate into the “Trusted Root CA” certificate store. To do this you may need to invoke your browser using elevated privileges by starting it with the Run as Administrator option.

Enabling concurrent HTTP and HTTPS support

Under some circumstances, you may wish to allow Workbench to communicate over both HTTP and HTTPS protocols. This can be achieved by adding the following section to your config.yml:

Code Block
languageyaml
server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: <path-to-keystore>
      keyStorePassword: <store-password>
      trustStoreType: PKCS12
      trustStorePath: <path-to-keystore>
      trustStorePassword: <store-password>

The <place holders> must match those used while creating the Java keystore. Once your changes are saved restart your Workbench service using the Service Manager utility on Windows, or this command on Unix: .

Code Block
languagebash
sudo service dm-mettleci-workbench restart

Verify Workbench is up and running under HTTP AND HTTPS by navigating to https://<host url>:8443 and http://<host url>:8080 in your browser.