Creating a Java KeyStore and SSL certificate

MettleCI Workbench can be configured to expose ports over HTTP, HTTPS, or both simultaneously at separate ports. Before configuring Workbench to use HTTPS, a Java KeyStore containing the HTTPS certificate must be created first. Java KeyStores can be created and managed using the keytool command included with all installations of Java.

...

Note that, with the exception of keytool -list, the keytool command will not normally return a value to the console to indicate that it has executed successfully.

Regenerating keys

If you want to regenerate your keystore certificate for any reason (e.g. it has expired) you can use the following commands:

Code Block
# Delete the existing entry
$> keytool -delete -noprompt -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit

# Verify it has been deleted
$> keytool -list -v -keystore /opt/dm/mci/workbench.p12 -storetype PKCS12 -storepass changeit
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries
$>

...

Enabling HTTPS support in the MettleCI Workbench config.yml

Once a keystore containing the Workbench HTTPS certificate has been created, update your MettleCI config.yml file to add the following section:

...

Verify Workbench is up and running under HTTP and/or HTTPS by navigating to https://<host url>:8443 and/or http://<host url>:8080 (as appropriate) in your browser.

Note that there is another type of connection called “Admin”. If you have configured this connection, it allows you to gather metrics and get status information about the health of your server. It is provisioned in exactly the same way as the Application connector.
As an example, here is the server section of a Unix config.yml that has configured adminConnectors to allow both http and https connections (this is a customer example, and also shows use of a customer-supplied SSL certificate rather than a self-signed one).

Code Block

server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStoreType: "PKCS12"
      keyStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      keyStorePassword: "bigSecret"
      trustStoreType: "PKCS12"
      trustStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      trustStorePassword: "bigSecret"
  adminConnectors:
    - type: http
      port: 8083
    - type: https
      port: 8444
      keyStoreType: "PKCS12"
      keyStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      keyStorePassword: "bigSecret"
      trustStoreType: "PKCS12"
      trustStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      trustStorePassword: "bigSecret"
 
<rest of config.yml omitted>

Note that the same SSL certificate is used for both connectors in this example. It can be different, but that may not be worth the extra effort. Note also that http has been left enabled; you may want to remove it based on your organization’s security preferences.
Note also that, as with the applicationConnector, you can use any ports, but they must differ from the other connector's ports and must be available on your system (not already in use).
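
The notes above can be checked mechanically before restarting Workbench. The following Python script is an added example, not part of MettleCI or its documentation: it reads the server section of a config.yml and reports connectors that share a port, http connectors left enabled, and https connectors without keystore settings. The names parse_connectors, audit, SAMPLE, LINE and REQUIRED are hypothetical, and the list of keys an https connector must carry is an assumption taken from the example config.

```python
import re

# Constructed sample (not from the page): admin https reuses 8443 and has no keyStorePassword.
SAMPLE = """\
server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStorePath: "/opt/dm/mci/workbench.p12"
      keyStorePassword: "changeit"
  adminConnectors:
    - type: https
      port: 8443
      keyStorePath: "/opt/dm/mci/workbench.p12"
"""

LINE = re.compile(r'^(\s*)(-\s+)?(\w+):\s*"?([^"#]*?)"?\s*$')
REQUIRED = ("keyStorePath", "keyStorePassword")  # assumption: keys an https connector needs

def parse_connectors(text):
    # Minimal line parser for the connector lists only, not a general YAML parser.
    connectors, section, depth = [], None, 0
    for m in filter(None, map(LINE.match, text.splitlines())):
        indent, dash, key, value = len(m.group(1)), m.group(2), m.group(3), m.group(4)
        if key.endswith("Connectors") and not value:
            section, depth = key, indent          # entering a connector list
        elif section and indent <= depth:
            section = None                        # left the connector lists
        elif section and dash:
            connectors.append((section, {key: value}))   # "- key:" starts a connector
        elif section and connectors:
            connectors[-1][1][key] = value
    return connectors

def audit(text):
    # Checks drawn from the page's notes: distinct ports, leftover http, keystore settings.
    findings, seen = [], {}
    for section, c in parse_connectors(text):
        kind, port = c.get("type"), c.get("port")
        where = f"{section} {kind}:{port}"
        if port and port in seen:
            findings.append(f"{where}: port already used by {seen[port]}")
        seen.setdefault(port, where)
        if kind == "http":
            findings.append(f"{where}: plain HTTP listener still enabled")
        missing = [k for k in REQUIRED if kind == "https" and not c.get(k)]
        findings += [f"{where}: https connector missing {k}" for k in missing]
    return findings
```

To check a real file, pass its contents to audit(), for example audit(open("config.yml").read()); an empty list means none of the three conditions was found.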

When you have it set up right, going to https://your.server.name.com:8444/ will give you a small menu that looks like this:

...

It is recommended that you get the application connector working correctly over https before you also enable the admin connector or before you turn off http access.

Trusting your certificate

You will need your local browser to trust the certificate on your DataStage engine tier. There will be slightly different processes for this depending upon your chosen browser and whether or not you have self-signed the certificate or used a CA.

Inspecting your certificate

Typically, when you first connect to Workbench using HTTPS you will see a certificate error in your browser. This may look like this…

...

Once you’re happy that the thumbprint matches, you can proceed to installing your certificate.

Installing your certificate

If Install Certificate is enabled, click it to install the certificate into the Trusted Root Certification Authorities store.

...