Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 45 Next »

Creating a Java KeyStore and SSL certificate

MettleCI Workbench can be configured to expose ports over HTTP, HTTPS, or both simultaneously at separate ports. Before configuring Workbench to use HTTPS a Java KeyStore containing the HTTPS certificate must be created. Java KeyStores can be created and managed using the keytool command included with all installations of Java.

First ensure that you use the keytool command shipped with the Java v1.8 package you downloaded to support MettleCI. You can check your command line’s default keytool using operating-specific commands where keytool WINDOWS or which keytool UNIX. Verify that the response indicates that you will be using the keytool in the correct bin directory (e.g. in your OpenJDK installation).

Next, use a command with the following template to create a keystore containing a basic self-signed certificate:

keytool -genkey -keyalg RSA -alias workbench -keystore <path-to-keystore> 
        -storepass <store-password> -storetype PKCS12 -keysize 2048 
        -sigalg SHA256withRSA -dname "CN=<host url>"
        -ext san=dns:engine.yourdomain.com
        -validity <days-valid>

Please replace the <placeholder-values> in this command based on the following descriptions:

Placeholder

Description

Example Value

path-to-keystore

Full qualified path of the key store to be created

/opt/dm/mci/workbench.p12 (Unix)

C:\dm\mci\workbench.p12 (Windows)

store-password

Password required when reading or writing to the newly created key store

Choose a random password string.

Note that the key stores supplied with Java have a default password of changeit.

host-url

The domain name of the URL that will be used to access Workbench in your browser. This does not include the protocol or port numbers. For example, dev-engine.datamigrators.com

your-engine.yourdomain.com

(no port number)

days-valid

The number of days for which the key should remain valid

Note that the key stores supplied with Java have a default validity of 180 days.

For example, this command creates a keystore called workbench.p12 in the MettleCI home directory for use with workbench currently accessed at URL http://my-engine.datamigrators.com:8080:

 Windows

This example generates a key with a 365-day validity.

C:\> keytool -genkey -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12
-storepass changeit -storetype PKCS12 -keysize 2048
-sigalg SHA256withRSA -dname "CN=engine.datamigrators.com"
-ext san=dns:engine.datamigrators.com
-validity 365

Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
  [Unknown]:  Peter Parker
What is the name of your organizational unit?
  [Unknown]:  MettleCI
What is the name of your organization?
  [Unknown]:  Data Migrators
What is the name of your City or Locality?
  [Unknown]:  Melbourne
What is the name of your State or Province?
  [Unknown]:  Victoria
What is the two-letter country code for this unit?
  [Unknown]:  AU
Is CN=Peter Parker, OU=MettleCI, O=Data Migrators, L=Melbourne, ST=Victoria, C=AU correct?
  [no]:  yes

Enter key password for <workbench>
        (RETURN if same as keystore password):

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore C:dmmciworkbench.p12 -destkeystore C:dmmciworkbench.p12 -deststoretype pkcs12".
C:\>

Note that in the example above you must ensure that both instances of engine.datamigrators.com is replaced with the domain name of your DataStage engine, which you can get from the Workbench URL (e.g. mydsengine.acmesandwichmakers.com).

You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example.

keytool -list -v -keystore C:\dm\mci\workbench.p12 -storetype PKCS12
Enter keystore password: ********

If you need to export your certificate for signing you can use a command like the following:

keytool -certreq -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12
-storepass changeit -sigalg SHA256withRSA -file C:\dm\mci\workbench.csr
 Unix

This example generates a key with a 365-day validity.

$> keytool -genkey -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 \
-storepass changeit -storetype PKCS12 -keysize 2048 \
-sigalg SHA256withRSA -dname "CN=engine.datamigrators.com" \
-ext san=dns:engine.datamigrators.com \
-validity 365

Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
  [Unknown]:  Peter Parker
What is the name of your organizational unit?
  [Unknown]:  MettleCI
What is the name of your organization?
  [Unknown]:  Data Migrators
What is the name of your City or Locality?
  [Unknown]:  Melbourne
What is the name of your State or Province?
  [Unknown]:  Victoria
What is the two-letter country code for this unit?
  [Unknown]:  AU
Is CN=Peter Parker, OU=MettleCI, O=Data Migrators, L=Melbourne, ST=Victoria, C=AU correct?
  [no]:  yes

Enter key password for <workbench>
        (RETURN if same as keystore password):

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore C:dmmciworkbench.p12 -destkeystore C:dmmciworkbench.p12 -deststoretype pkcs12".
$>

Note that in the example above you must ensure that both instances of engine.datamigrators.com is replaced with the domain name of your DataStage engine, which you can get from the Workbench URL (e.g. mydsengine.acmesandwichmakers.com).

Ensure that your keystore has at least 644 (rw-r--r--) privileges.

Ensure that your keystore is owned by mciworkb:dstage.

You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example above.

keytool -list -v -keystore /opt/dm/mci/workbench.p12 -storetype PKCS12
Enter keystore password: ********

If you need to export your certificate for signing you can use a command like the following:

keytool -certreq -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit \
-sigalg SHA256withRSA -file /opt/dm/mci/workbench.csr

Note that with the exception of keytool -list the keytool command will not normally return a value to the console.

Regenerating keys

If you want to regenerate your keystore certificate for any reason (i.e. it has expired) you can use the following command: 

# Delete it
$> keytool -delete -noprompt -alias workbench  -keystore workbench.p12  -storepass changeit

# Verify it has been deleted 
$>  keytool -list -v -keystore  /opt/dm/mci/workbench.p12  -storetype PKCS12  -storepass changeit
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries
$>

Enabling HTTPS support in the MettleCI Workbench config.yml

Once a keystore containing the Workbench HTTPS certificate has been created, update your MettleCI config.yml file to add the following section: 

server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: <path-to-keystore>
      keyStorePassword: <store-password>
      trustStoreType: PKCS12
      trustStorePath: <path-to-keystore>
      trustStorePassword: <store password>

The <placeholder-values> must match those used while creating the Java keystore. For example:

 Windows
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: C:\dm\mci\workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: C:\dm\mci\workbench.p12
      trustStorePassword: changeit

If you wish to allow Workbench to communicate over both HTTP and HTTPS protocols then you configure your config.yml like this:

server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: C:\dm\mci\workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: C:\dm\mci\workbench.p12
      trustStorePassword: changeit
 Unix
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: /opt/dm/mci/workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: /opt/dm/mci/workbench.p12
      trustStorePassword: changeit

If you wish to allow Workbench to communicate over both HTTP and HTTPS protocols then you configure your config.yml like this:

server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStoreType: PKCS12
      keyStorePath: /opt/dm/mci/workbench.p12
      keyStorePassword: changeit
      trustStoreType: PKCS12
      trustStorePath: /opt/dm/mci/workbench.p12
      trustStorePassword: changeit

The ports given above are only examples, and you’re free to use custom port numbers as desired.

Once your changes are saved restart your Workbench service using the Services utility WINDOWS or the commands below for UNIX.

sudo service dm-mettleci-workbench stop
sudo service dm-mettleci-workbench start

Verify Workbench is up and running under HTTP and/or HTTPS by navigating to https://<host url>:8443 and/or http://<host url>:8080 (as appropriate) in your browser.

Trusting your certificate

You will need your local browser to trust the certificate on your DataStage engine tier. There will be slightly different processes for this depending upon your chosen browser and whether or not you have self-signed the certificate or used a CA.

Inspecting your certificate

Typically, when you first connect to Workbench using HTTPS you will see a certificate error in your browser. This may look like this…

or this…

Click on the warning indicator ('Not secure' or ‘Certificate error’ in these examples) and select Certificate (not valid).

This will present a certificate dialog which may or may not allow you to install the certificate.

Before you install your certificate click on the Details tab and look at the Thumbprint algorithm and Thumbprint values.

The Thumbprint value should match the appropriate value displayed by the keytool -list command you entered when you first generated your certificate keystore.

Certificate fingerprints:
  MD5:  86:6A:96:1E:29:19:45:F9:46:B9:E6:54:DD:D0:1D:6C
  SHA1: 11:A1:75:E2:71:AA:5D:C8:85:8A:BF:65:02:FC:09:2D:C7:41:CA:BC
  SHA256: 5C:3A:87:77:13:17:77:F8:7C:2F:8A:F4:48:0D:B6:61:31:92:91:B6:90:36:0B:4C:5B:BC:30:5F:EC:C1:CA:36

Once you’re happy that the thumbprint matches you can proceed to installing your certificate.

Installing your certificate

If Install Certificate is enabled then click it to install the certificate into the Trust Root Certification Authorities store

If Install Certificate is not enabled then select the Details tab in the Certificate dialog then click Copy to File.

  1. Start the Certificate Export Wizard by clicking Next, accept the default settings, enter a meaningful certificate name to export it to your local system, and click Finish. Now the certificate has been successfully exported to a file.

  2. In the Certificate Export Wizard success message, click Finish.

  3. In the Certificate dialog, click OK.

You can now follow your operating system’s process for importing the certificate file into the Trust Root Certification Authorities store.

Ensure you restart your browser after installing your certificate!

  • No labels

© 2015-2024 Data Migrators Pty Ltd.