Configuring SSL for OJAI Clients

Describes certificates and how to configure SSL for OJAI clients, including which PEM file to point to and how to determine which DAG host name to use.

When Data Fabric is installed with security enabled, the installer automatically generates default ssl_keystore and ssl_truststore files on the first CLDB node; all clients and servers in the cluster use these files. Data Access Gateway (DAG) and other cluster services use the certificates in them for authentication and encryption of HTTPS traffic.

The certificates are generated in the /opt/mapr/conf directory as ssl_truststore.* and ssl_keystore.*. The ssl_truststore.* files hold the client-side trust material: the certificate of the signer of the certificate stored in ssl_keystore. The ssl_keystore.* files hold the server-side certificate (a single self-signed certificate with a wildcard SubjectDN).

When you configure a client to connect to a cluster, you create a connection string. If the connection is SSL enabled, the connection string must include the path to the trusted CA certificate (the truststore in PEM format). You can either point the client at the default certificates or at custom certificates. However, if the server-side certificate is signed by a real (publicly trusted) certificate authority, you do not need to include an ssl_truststore in the connection string, because the default ssl_truststore already recognizes the signed certificate.

For additional information, see SSL Certificates.

Using the Default Certificates Generated by Data Fabric

For an application running on a cluster node, provide the path to the PEM file, as shown in the following example:
sslCA=/opt/mapr/conf/ssl_truststore.pem
For an application that is not running on a cluster node, copy the ssl_truststore.pem file from /opt/mapr/conf/ to a location on the non-cluster node and then specify the path to the ssl_truststore.pem file:
sslCA=/path/to/certificate/ssl_truststore.pem

Using Custom Certificates

If an administrator created custom certificates for the cluster (as described in SSL Certificates), the certificates must have an equivalent truststore in PEM format. Create a PEM version of the truststore file and use that PEM file with the clients. For example, sslCA=/path/to/custom/certificates/ssl_truststore.pem.

For additional information, see Importing a Certificate Authority Signed (CA Signed) SSL Certificate Into a Cluster.

Determining which DAG Host Name to Use

Open the ssl_truststore.pem file and locate the certificate whose Subject contains a C (country) attribute. That same Subject also contains a CN (common name) attribute holding a host name. Use this CN host name.

If the CN contains a wildcard character (*) instead of a host name, you can use any host that is running DAG and append .ec2.internal to it, as shown:
*.ec2.internal
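The procedure above, as an added worked example that is not part of the Data Fabric documentation or product: a standard-library Python script that lists the Subject of every certificate in a PEM bundle such as ssl_truststore.pem, picks the certificate whose Subject carries a C attribute, and returns the host name to use, handling the wildcard CN case. So that it runs offline, the certificate it parses is constructed inside the script (an unsigned, certificate-shaped DER skeleton with a placeholder key and signature); the host names ip-10-0-0-5 and dag1.cluster.example are made up. The wildcard handling generalizes the page's .ec2.internal case to whatever suffix follows the asterisk.

```python
# Added example (not Data Fabric code): read Subjects from a PEM bundle with the
# standard library only, then apply the page's DAG host-name rule.
import base64
import re

# --- minimal DER decoding -----------------------------------------------------

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split the body of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _oid_to_str(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}

def subject_attributes(der):
    """Return the Subject of a DER certificate as a dict, e.g. {'C': 'US', 'CN': '...'}."""
    tbs = _children(_children(der)[0][1])[0][1]     # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # skip EXPLICIT [0] version if present
        fields = fields[1:]
    subject = fields[4][1]                          # serial, sigAlg, issuer, validity, subject
    attrs = {}
    for _, rdn in _children(subject):               # RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):               # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, value) = _children(atv)
            name = _oid_to_str(oid)
            attrs[OID_NAMES.get(name, name)] = value.decode("utf-8")
    return attrs

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def subjects_in_pem(pem_text):
    """Decode every certificate in a PEM bundle (e.g. ssl_truststore.pem)."""
    return [subject_attributes(base64.b64decode("".join(body.split())))
            for body in PEM_CERT.findall(pem_text)]

def dag_host_name(subjects, dag_host):
    """Page rule: use the CN of the certificate whose Subject has a C attribute.
    A wildcard CN (*.suffix) means: DAG node's short host name + the wildcard's
    suffix (the page shows *.ec2.internal; any suffix is handled the same way)."""
    for subj in subjects:
        if "C" in subj and "CN" in subj:
            cn = subj["CN"]
            return dag_host.split(".")[0] + cn[1:] if cn.startswith("*.") else cn
    raise ValueError("no certificate with both C and CN in its Subject")

# --- minimal DER encoding, used only to build the CONSTRUCTED sample bundle ----

def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def _name(pairs):
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _oid(o) + _tlv(0x0C, v.encode())))
                               for o, v in pairs))

def sample_pem(subject_cn):
    """CONSTRUCTED sample: unsigned certificate-shaped DER (placeholder key and
    signature) wrapped in PEM, only to exercise the parser above."""
    name = _name([("2.5.4.6", "US"), ("2.5.4.10", "Example Cluster"), ("2.5.4.3", subject_cn)])
    alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11"))     # sha256WithRSAEncryption
    t = _tlv(0x17, b"240101000000Z")                     # UTCTime
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name + _tlv(0x30, t + t) + name + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for cn in ("*.ec2.internal", "dag1.cluster.example"):
        subjects = subjects_in_pem(sample_pem(cn))
        print(subjects, "->", dag_host_name(subjects, "ip-10-0-0-5"))
```

Against a real cluster, feed the actual file to the same functions: `subjects_in_pem(open("/opt/mapr/conf/ssl_truststore.pem").read())`. The parser reads only the Subject field and does not validate the certificate; `openssl x509 -noout -subject` on each certificate in the bundle gives the same information interactively.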