First ensure that you use the keytool command shipped with the Java v1.8 package you downloaded to support MettleCI. You can check your command line’s default keytool using operating-system-specific commands:
Verify that the response indicates that you will be using the keytool in the correct bin directory (e.g. in your OpenJDK installation).
Next, use a command with the following template to create a keystore containing a basic self-signed certificate:
```
keytool -genkey -keyalg RSA -alias workbench -keystore <path-to-keystore> -storepass <store-password> -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=<host url>"
```
Please replace the <placeholders> in this command based on the following descriptions:

| Placeholder | Description | Example Value |
|---|---|---|
| path to key store | Fully qualified path of the key store to be created | /opt/dm/mci/workbench.p12 (Unix), C:\dm\mci\workbench.p12 (Windows) |
| store password | Password required when reading or writing to the newly created key store | Choose a random password string. Note that the key stores supplied with Java have a default password of changeit. |
| host url | The domain name of the URL that will be used to access Workbench in your browser. This does not include the protocol or port numbers. For example, datamigrators.com | your-engine.yourdomain.com (no port number) |
For example, this command creates a keystore called workbench.p12 in the MettleCI home directory for use with Workbench currently accessed at URL http://my-engine.datamigrators.com:8080:
Windows:

```
keytool -genkey -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12 -storepass changeit -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=my-engine.datamigrators.com"
```

If you need to export your certificate for signing you can use a command like the following:

```
keytool -certreq -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12 -storepass changeit -sigalg SHA256withRSA -file C:\dm\mci\workbench.csr
```

Unix:

```
keytool -genkey -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=my-engine.datamigrators.com"
```

Ensure that your keystore has at least 644 (rw-r--r--) privileges. If you need to export your certificate for signing you can use a command like the following:

```
keytool -certreq -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit -sigalg SHA256withRSA -file /opt/dm/mci/workbench.csr
```
Note that the keytool will not normally return a value to the console.
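Because keytool prints nothing on success, it helps to list the keystore afterwards and confirm that it holds what the command asked for. The following is an added example, not part of the MettleCI documentation: `check_keystore_listing` and `sample_listing` are hypothetical names, the sample listing is constructed and trimmed, and English-locale `keytool -list -v` output is assumed.

```shell
#!/bin/sh
# Added example (not MettleCI code): sanity-check `keytool -list -v` output
# for the keystore created above. Listing on stdin, expected host name as $1.
# Real use (KS_PASS is a hypothetical environment variable holding the password):
#   keytool -list -v -keystore /opt/dm/mci/workbench.p12 -storepass:env KS_PASS \
#     | check_keystore_listing my-engine.datamigrators.com
check_keystore_listing() {
    awk -v host="$1" '
        /^Alias name: /    { cur = $3 }
        cur != "workbench" { next }
        /^Entry type: /    { etype = $3 }
        /^Owner: / && owner == "" { owner = substr($0, 8) }
        /^Signature algorithm name: / && sig == "" { sig = $4 }
        /^Subject Public Key Algorithm: / && bits == "" { split($5, b, "-"); bits = b[1] }
        END {
            rc = 0
            if (etype != "PrivateKeyEntry") { print "FAIL: alias workbench holds no private key"; rc = 1 }
            # Accept CN=<host> alone or followed by further RDNs (CA-signed subjects).
            if (index(owner ",", "CN=" host ",") != 1) { print "FAIL: owner is \"" owner "\", expected CN=" host; rc = 1 }
            if (sig != "SHA256withRSA") { print "FAIL: signature algorithm is " sig; rc = 1 }
            # Key size is only checked when the listing reports it.
            if (bits != "" && bits + 0 < 2048) { print "FAIL: RSA key is " bits " bits"; rc = 1 }
            if (rc == 0) print "OK: workbench entry matches CN=" host
            exit rc
        }'
}

# Constructed, trimmed sample of a listing for the example keystore.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12

Your keystore contains 1 entry

Alias name: workbench
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=my-engine.datamigrators.com
Issuer: CN=my-engine.datamigrators.com
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
EOF
}

sample_listing | check_keystore_listing my-engine.datamigrators.com
```

The `-storepass:env` form reads the password from an environment variable, which keeps it off the command line.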
Enabling HTTPS support
Once a keystore containing the Workbench HTTPS certificate has been created, update your MettleCI config.yml file to add the following section:

```yaml
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: <path-to-keystore>
      keyStorePassword: <store-password>
      trustStoreType: PKCS12
      trustStorePath: <path-to-keystore>
      trustStorePassword: <store-password>
```
The <placeholders> must match those used while creating the Java keystore. For example:

Unix:

```yaml
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: /opt/dm/mci/workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: /opt/dm/mci/workbench.p12
      trustStorePassword: changeit
```

Windows:

```yaml
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: C:\dm\mci\workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: C:\dm\mci\workbench.p12
      trustStorePassword: changeit
```
Once your changes are saved, restart your Workbench service using the Service Manager utility on Windows, or this command on Unix:

```
sudo service dm-mettleci-workbench restart
```

Verify Workbench is up and running under HTTPS by navigating to https://<host url>:8443 in your browser.
Enabling concurrent HTTP and HTTPS support
Under some circumstances, you may wish to allow Workbench to communicate over both HTTP and HTTPS protocols. This can be achieved by adding the following section to your config.yml:

```yaml
server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: <path-to-keystore>
      keyStorePassword: <store-password>
      trustStoreType: PKCS12
      trustStorePath: <path-to-keystore>
      trustStorePassword: <store-password>
```
The <placeholders> must match those used while creating the Java keystore. The ports given above are only examples, and you’re free to use custom port numbers as desired. Once your changes are saved, restart your Workbench service using the Service Manager utility on Windows, or this command on Unix:

```
sudo service dm-mettleci-workbench restart
```

Verify Workbench is up and running under HTTP and HTTPS by navigating to https://<host url>:8443 and http://<host url>:8080 in your browser.
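Before restarting the service, the connector section can be checked for the mistakes the two configurations above invite: a placeholder left unreplaced, the Java default store password, or an HTTP listener left enabled beside HTTPS. The following is an added example, not MettleCI code: `lint_connectors` and `sample_config` are hypothetical names, the sample config is constructed from the examples on this page, and the parser assumes the one-key-per-line layout shown here.

```shell
#!/bin/sh
# Added example (not MettleCI code): summarise the connectors in a Workbench
# config.yml read from stdin. Exit status: 0 clean, 1 warnings, 2 failures.
# Assumes the simple layout shown on this page (one key per line).
lint_connectors() {
    awk '
        function report() {
            if (type == "") return
            print "connector " type " on port " port
            if (type == "http") { print "  WARN: cleartext listener enabled"; warn++ }
            if (type == "https") {
                https++
                if (ks == "") { print "  FAIL: keyStorePath missing"; fail++ }
                if (ks ~ /^</ || kpw ~ /^</) { print "  FAIL: placeholder not replaced"; fail++ }
                if (kpw == "changeit") { print "  WARN: keyStorePassword is the Java default"; warn++ }
            }
            type = port = ks = kpw = ""
        }
        { sub(/\r$/, "") }                        # tolerate Windows line endings
        /^[ \t]*-[ \t]*type:/      { report(); type = $NF; next }
        /^[ \t]*port:/             { port = $NF }
        /^[ \t]*keyStorePath:/     { ks = $NF }
        /^[ \t]*keyStorePassword:/ { kpw = $NF }
        END {
            report()
            if (!https) { print "FAIL: no https connector"; fail++ }
            exit (fail ? 2 : (warn ? 1 : 0))
        }'
}

# Constructed sample: the concurrent HTTP and HTTPS example from this page.
sample_config() {
    cat <<'EOF'
server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: /opt/dm/mci/workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: /opt/dm/mci/workbench.p12
      trustStorePassword: changeit
EOF
}

sample_config | lint_connectors || echo "exit status $?"
```

Run it against a real file with `lint_connectors < config.yml`; the sample reports both listeners and exits with status 1 because of the HTTP connector and the default password.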