Installing Certificates for Secure Data Source Connections
Overview
Alation has its own Java truststore inside the Alation shell. When you configure a connection to a data source over SSL, the Java processes must trust the certificate that the data source presents, so you need to import your SSL certificates into the Java truststore on the Alation server.
There is no user interface for specifying the truststore, so its location and password must be passed directly to the Java processes as parameters. The connector.extra_flags, taskserver.extra_flags, and elasticsearch.env.es_java_opts parameters in alation_conf serve this purpose.
You can view the current parameter values from the Alation shell by running these commands:
# to print the current values for connector.extra_flags and taskserver.extra_flags:
alation_conf extra_flags
# to print the current values for elasticsearch.env.es_java_opts
alation_conf elasticsearch.env.es_java_opts
These parameters may be empty or they may already have values that were set previously.
If they are empty, you can set them in the following way (this example sets taskserver.extra_flags; set connector.extra_flags and elasticsearch.env.es_java_opts the same way):
alation_conf taskserver.extra_flags -s " -Djavax.net.ssl.trustStore=/opt/alation/site/site_data/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
Note the space in front of the -D: the value string begins with " -D".
changeit is the default password of the Java truststore that the first-time setup below copies, and it is visible to anyone who can read alation_conf output or the Java process command lines. Because the truststore holds only public certificates, the password guards the file's integrity rather than any secret; restrict who can write the jssecacerts file instead of relying on the password.
If the flags already have values, make sure to preserve those values and append the new values without overwriting them: add a space, then the new value, to the end of the existing string. For example, if your current value is
taskserver.extra_flags = -Dsun.security.krb5.debug=true
add the new value to the end of the string after a space:
alation_conf taskserver.extra_flags -s " -Dsun.security.krb5.debug=true -Djavax.net.ssl.trustStore=/opt/alation/site/site_data/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
First Time Setup
Enter the Alation shell:
sudo /etc/init.d/alation shell
Copy the default Java truststore into the Alation custom location and change its ownership to alation:
sudo cp /etc/pki/java/cacerts /opt/alation/site/site_data/jssecacerts
sudo chown alation:alation /opt/alation/site/site_data/jssecacerts
This copy is a snapshot: later updates to the system cacerts file do not propagate to jssecacerts, so repeat the copy (and then re-import your own certificates) if the set of trusted root CAs needs to change.
Configure and deploy the required parameters in Alation. The alation_conf values for taskserver.extra_flags, connector.extra_flags, and elasticsearch.env.es_java_opts must contain the string below. Note the space at the beginning of the string:
 -Djavax.net.ssl.trustStore=/opt/alation/site/site_data/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit
Note
If the alation_conf attributes already have other values, append the new values to them; do not overwrite the existing ones.
To set the values:
alation_conf taskserver.extra_flags -s " -Djavax.net.ssl.trustStore=/opt/alation/site/site_data/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
alation_conf connector.extra_flags -s " -Djavax.net.ssl.trustStore=/opt/alation/site/site_data/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
alation_conf elasticsearch.env.es_java_opts -s " -Djavax.net.ssl.trustStore=/opt/alation/site/site_data/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
Deploy the configuration:
alation_action deploy_conf_all
Add a new Certificate to the Alation Java Keystore
To add a new certificate:
Place the SSL certificate on the Alation host from outside of the Alation shell, for example:
scp selfsigned.cer <hostname>:
ssh <hostname>
mv selfsigned.cer /<your/path/to/data>/tmp/selfsigned.cer
Enter the Alation shell:
sudo /etc/init.d/alation shell
Import the certificate into the Alation Java truststore. Replace YOURALIAS with a suitable name for the certificate (for example companyname_databasename), alphanumeric only, no special characters. Substitute <version> with the actual version number you find in the java directory. The keytool path below applies to release 2020.3.x and newer:
sudo /opt/java/amazon-corretto-<version>-linux-x64/bin/keytool -import -alias YOURALIAS -file /data1/tmp/selfsigned.cer -keystore /opt/alation/site/site_data/jssecacerts -storepass changeit
keytool prints the certificate's subject, issuer, validity period and fingerprints before asking Trust this certificate? Compare the fingerprint with the one the data source owner provided, then type yes and press Enter.
Restart the Java processes:
alation_supervisor restart java:*
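The following script is an added example and not Alation's own tooling. It automates both procedures above: merging the truststore flags into the three alation_conf parameters without overwriting flags that are already set (the append rule from the Overview), and importing a certificate with a fingerprint check before the trust decision. The paths, parameter names and the "param = value" output format of alation_conf are taken from this page; the keytool location is found by globbing the Corretto directory the page refers to; the merge_flags and valid_alias helpers are this example's own. The --apply and --import actions call alation_conf, alation_action, alation_supervisor and keytool, so they only work inside the Alation shell, run as a user that can write jssecacerts; without arguments the script just defines its functions.

```shell
#!/usr/bin/env bash
# Added example (not Alation's code): idempotently set the truststore JVM flags
# and import a certificate into the custom truststore with a fingerprint check.
set -eu

TRUSTSTORE=/opt/alation/site/site_data/jssecacerts
# The page uses the JDK default password. The truststore holds only public
# certificates, so protect the file with ownership/permissions, not this value.
STOREPASS=changeit
PARAMS="taskserver.extra_flags connector.extra_flags elasticsearch.env.es_java_opts"

# Escape dots so a parameter or property name can be used inside a regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# merge_flags EXISTING key=value...
# Prints EXISTING with " -Dkey=value" appended for each pair. A -Dkey that is
# already present is replaced rather than duplicated, so re-running is safe.
# The result keeps the single leading space that alation_conf -s expects.
merge_flags() {
  existing=$1; shift
  out=$existing
  for kv in "$@"; do
    key=$(re_escape "${kv%%=*}")
    out=$(printf '%s' "$out" | sed -E "s/(^| )-D${key}=[^ ]*//g")
    out="$out -D$kv"
  done
  printf ' %s' "$(printf '%s' "$out" | tr -s ' ' | sed -E 's/^ //; s/ $//')"
}

# Aliases follow the page's companyname_databasename pattern: letters, digits
# and underscore only.
valid_alias() {
  case $1 in
    '' | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read "param = value" from alation_conf (the format shown on this page),
# merge the truststore flags in, and write the value back, then deploy.
apply_flags() {
  for p in $PARAMS; do
    current=$(alation_conf "$p" | sed -n "s/^$(re_escape "$p") = //p")
    merged=$(merge_flags "$current" \
      "javax.net.ssl.trustStore=$TRUSTSTORE" \
      "javax.net.ssl.trustStorePassword=$STOREPASS")
    alation_conf "$p" -s "$merged"
  done
  alation_action deploy_conf_all
}

# Locate keytool under the Corretto directory the page refers to; the version
# segment varies per release, so glob it (first match wins if several exist).
find_keytool() {
  set -- /opt/java/amazon-corretto-*-linux-x64/bin/keytool
  [ -x "$1" ] && printf '%s\n' "$1"
}

import_cert() {
  name=$1 file=$2
  valid_alias "$name" || { echo "alias must be alphanumeric/underscore: $name" >&2; return 1; }
  keytool=$(find_keytool) || { echo "keytool not found under /opt/java" >&2; return 1; }
  # Show subject, issuer and fingerprints first so they can be compared with
  # what the data source owner published before anything is trusted.
  "$keytool" -printcert -file "$file"
  "$keytool" -import -alias "$name" -file "$file" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  # Confirm the entry landed in the custom truststore, not the JDK's cacerts.
  "$keytool" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$name"
}

case ${1:-} in
  --apply)  apply_flags ;;
  --import) import_cert "${2:?alias}" "${3:?certificate file}"
            alation_supervisor restart 'java:*' ;;
  *) ;;  # no arguments: only define the functions above
esac
```

Usage inside the Alation shell: `./truststore.sh --apply` for the first-time setup, then `./truststore.sh --import acme_salesdb /data1/tmp/selfsigned.cer` for each certificate. Because merge_flags replaces an existing -Djavax.net.ssl.trustStore rather than appending a second copy, running --apply again after a path change leaves exactly one definition of each property in every parameter.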