Configuring SSL for OJAI Clients
Describes certificates and how to configure SSL for OJAI clients, including which PEM file to point to and how to determine which DAG host name to use.
Installing Data Fabric with security enabled automatically generates default ssl_keystore and ssl_truststore files on the first CLDB server; these files are used by all clients and servers. Data Access Gateway (DAG) and other cluster services use these certificates to perform authentication and encryption for websites that use the HTTPS protocol.
The certificates are generated in the /opt/mapr/conf directory as ssl_truststore.* and ssl_keystore.*. The ssl_truststore.* files contain the client-side certificates (the signer of the certificate in the ssl_keystore). The ssl_keystore.* files contain the server-side certificates (a single self-signed certificate with a wildcard SubjectDN).
When you configure a client to connect to a cluster, you create a connection string. If the connection is SSL enabled, you must include the path to the certificate of trust. You can either configure the client to use the default certificates or point it to custom certificates. However, if the server-side certificate is signed by a real certificate signing authority, you do not need to include an ssl_truststore in the connection string, because the default ssl_truststore will recognize the signed certificate.
For additional information, see SSL Certificates.
Using the Default Certificates Generated by Data Fabric
On a cluster node, the client can point directly at the default PEM truststore:
sslCA=/opt/mapr/conf/ssl_truststore.pem
On a non-cluster node, copy the ssl_truststore.pem file from /opt/mapr/conf/ to a location on the non-cluster node and then specify the path to the ssl_truststore.pem file:
sslCA=/path/to/certificate/ssl_truststore.pem
Using Custom Certificates
If an administrator created custom certificates for the cluster (as described in SSL Certificates), the certificates must have an equivalent truststore in PEM format. Create a PEM version of the truststore file and use that PEM file with the clients. For example:
sslCA=/path/to/custom/certificates/ssl_truststore.pem
For additional information, see Importing a Certificate Authority Signed (CA Signed) SSL Certificate Into a Cluster.
Determining which DAG Host Name to Use
Open the ssl_truststore.pem file and locate the certificate with Subject = C. The certificate with Subject = C also has a CN host name. Use this CN host name; for example, *.ec2.internal, as shown:
*.ec2.internal
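As an added example (not code from this page or from the Data Fabric product), a small Python helper that applies the rules above when assembling the OJAI thin-client connection string: it refuses an sslCA that is the JKS ssl_truststore rather than the PEM file, allows omitting sslCA only for a CA-signed DAG certificate, and picks a DAG host name that the certificate CN (a wildcard such as *.ec2.internal) actually covers. The connection-string layout host:port?auth=basic;user=...;password=...;ssl=true;sslCA=... is assumed here to be the OJAI thin-client format; the JKS and PEM file signatures are standard.

```python
JKS_MAGIC = b"\xfe\xed\xfe\xed"                 # magic number at the start of a Java keystore
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"      # armor header of a PEM certificate bundle


def truststore_format(data: bytes) -> str:
    """Classify the leading bytes of a truststore as 'pem', 'jks' or 'unknown'."""
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    if data.startswith(JKS_MAGIC):
        return "jks"
    return "unknown"                              # e.g. PKCS12/DER, which starts with 0x30


def cn_covers_host(cn: str, host: str) -> bool:
    """True if the certificate CN (possibly a wildcard) is valid for host.

    A leading '*.' matches exactly one DNS label: *.ec2.internal covers
    ip-10-0-0-1.ec2.internal but neither ec2.internal nor a.b.ec2.internal.
    """
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                               # ".ec2.internal"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def choose_dag_host(cert_cn: str, candidates):
    """Return the first candidate DAG host name the CN covers, or None if none does."""
    return next((h for h in candidates if cn_covers_host(cert_cn, h)), None)


def build_connection_string(dag_host, port, user, password, ssl_ca=None, ca_signed=False):
    """Assemble an SSL-enabled OJAI thin-client connection string (assumed layout).

    ssl_ca may be omitted only when the DAG certificate is CA-signed; otherwise it
    must name a PEM file, because the JKS ssl_truststore cannot be used by the client.
    """
    params = ["auth=basic", f"user={user}", f"password={password}", "ssl=true"]
    if ssl_ca is None:
        if not ca_signed:
            raise ValueError("sslCA is required unless the DAG certificate is CA-signed")
    else:
        if not ssl_ca.endswith(".pem"):
            raise ValueError(f"sslCA must point to the PEM truststore, got {ssl_ca}")
        params.append(f"sslCA={ssl_ca}")
    return f"{dag_host}:{port}?" + ";".join(params)
```

The host names, user and password in the usage below are constructed sample values.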