Skip to content

Myria REST server SSL support

Daniel Halperin edited this page Mar 2, 2015 · 3 revisions

Myria supports SSL for the REST server. The configuration is done via the sqlite3 master catalog.

  1. Create a Java keystore that contains the SSL public and private keys. I followed the instructions here: http://stackoverflow.com/a/17710626/1715495

    More detailed list of commands that I ran, and what they did:

  2. (Maybe optional) UW uses InCommon certificates. Many clients want to see the entire certificate chain, which necessitates combining the InCommon certificate itself with ours. First, I pulled the InCommon CA cert out of my local Keychain. in Keychain.app: login > certificate, grab InCommon CA > export items > InCommon.pem

1a: I used Qualsys SSL Labs to verify that I had done this correctly. It took me a long time. https://www.ssllabs.com/ssltest/analyze.html?d=demo.myria.cs.washington.edu&latest

  1. Combine the InCommon cert with the host cert, for both the MyriaX REST server and the Google AppEngine demo server: cat InCommon\ Server\ CA.pem /Volumes/myria/rest.myria.cs.washington.edu.crt > both_rest_certs.pem cat InCommon\ Server\ CA.pem /Volumes/myria/demo.myria.cs.washington.edu.crt > both_demo_certs.pem -- for google app engine

  2. Use OpenSSL to put all the certs together into a keystore, including both public and private. Use a new, random password for this. openssl pkcs12 -export -name rest.myria.cs.washington.edu -in both_rest_certs.pem -inkey /Volumes/myria/rest.myria.cs.washington.edu.key -out keystore.p12

  3. Use the Java keytool to create a Java keystore. GIVE THE JAVA KEYSTORE THE SAME PASSWORD AS IN THE PREVIOUS STEP. keytool -importkeystore -destkeystore rest.myria.cs.washington.edu.jks -srckeystore keystore.p12 -srcstoretype pkcs12

  4. Move the Java keystore to the myria-production-files directory, add the password to the master catalog according to below


IT IS IMPORTANT THAT YOU USE THE SAME PASSWORD IN STEPS 3 AND 4

OTHERWISE YOU WILL GET SSL VALIDATION FAILURES



2. Set the [right values](https://github.com/uwescience/myria/blob/56de54ce9993bde0289fa2dee08ba9319ff15799/src/edu/washington/escience/myria/api/MyriaApiConstants.java#L21) in the master configuration:

    ```sql
insert into configuration(key,value) VALUES ('myria.master_api_server.ssl.keystore_path', 'rest.myria.cs.washington.edu.jks');
insert into configuration(key,value) VALUES ('myria.master_api_server.ssl.keystore_password', 'KEYSTORE_PASSWORD_GOES_HERE');
  1. Make sure you put the keystore at the right path.

Whenever the configuration values in step 2 are set, Myria will enable SSL.

Clone this wiki locally