-
Notifications
You must be signed in to change notification settings - Fork 46
Myria REST server SSL support
Myria supports SSL for the REST server. The configuration is done via the sqlite3 master catalog.
-
Create a Java keystore that contains the SSL public and private keys. I followed the instructions here: http://stackoverflow.com/a/17710626/1715495
More detailed list of commands that I ran, and what they did:
-
(Maybe optional) UW uses InCommon certificates. Many clients want to see the entire certificate chain, which necessitates combining the InCommon certificate itself with ours. First, I pulled the InCommon CA cert out of my local Keychain. in
Keychain.app
: login > certificate, grab InCommon CA > export items > InCommon.pem
1a: I used Qualsys SSL Labs to verify that I had done this correctly. It took me a long time. https://www.ssllabs.com/ssltest/analyze.html?d=demo.myria.cs.washington.edu&latest
-
Combine the InCommon cert with the host cert, for both the MyriaX
REST
server and the Google AppEnginedemo
server: cat InCommon\ Server\ CA.pem /Volumes/myria/rest.myria.cs.washington.edu.crt > both_rest_certs.pem cat InCommon\ Server\ CA.pem /Volumes/myria/demo.myria.cs.washington.edu.crt > both_demo_certs.pem -- for google app engine -
Use OpenSSL to put all the certs together into a keystore, including both public and private. Use a new, random password for this. openssl pkcs12 -export -name rest.myria.cs.washington.edu -in both_rest_certs.pem -inkey /Volumes/myria/rest.myria.cs.washington.edu.key -out keystore.p12
-
Use the Java keytool to create a Java keystore. GIVE THE JAVA KEYSTORE THE SAME PASSWORD AS IN THE PREVIOUS STEP. keytool -importkeystore -destkeystore rest.myria.cs.washington.edu.jks -srckeystore keystore.p12 -srcstoretype pkcs12
-
Move the Java keystore to the
myria-production-files
directory, add the password to the master catalog according to below
IT IS IMPORTANT THAT YOU USE THE SAME PASSWORD IN STEPS 3 AND 4
OTHERWISE YOU WILL GET SSL VALIDATION FAILURES
2. Set the [right values](https://github.com/uwescience/myria/blob/56de54ce9993bde0289fa2dee08ba9319ff15799/src/edu/washington/escience/myria/api/MyriaApiConstants.java#L21) in the master configuration:
```sql
insert into configuration(key,value) VALUES ('myria.master_api_server.ssl.keystore_path', 'rest.myria.cs.washington.edu.jks');
insert into configuration(key,value) VALUES ('myria.master_api_server.ssl.keystore_password', 'KEYSTORE_PASSWORD_GOES_HERE');
- Make sure you put the keystore at the right path.
Whenever the configuration values in step 2 are set, Myria will enable SSL.