Creating a Java Keystore
To enable TLS support, security information for the ybrelay service must be passed to the server via a Java keystore file, which typically contains:
- The server's private key, which establishes the identity of the ybrelay service
- The public certificate that presents the identity of the server
- The public certificate(s) used to verify the identity of every data warehouse system the service will relay to
You can create a keystore with a self-signed private key and certificate by running a keytool -genkeypair command:
$ keytool -genkeypair -noprompt -trustcacerts \
-keyalg RSA \
-alias <ENTRY_ALIAS> \
-keystore <OUTPUT_FILE> \
-storepass <STORE_PASSWORD> \
-dname CN=<HOSTNAME> \
-storetype jks
- ENTRY_ALIAS: Arbitrary alias that refers to the keypair in the trust store.
- OUTPUT_FILE: File name for the keystore.
- STORE_PASSWORD: Password used to encrypt the keystore.
- HOSTNAME: For public key infrastructure (PKI) trust, the host name specified must exactly match the host name of the ybrelay server to which the clients will be connecting.
You can add a certificate to an existing keystore. For example, you can add a data warehouse public certificate or a CA certificate as a trust authority by using the keytool -importcert command:
$ keytool -importcert -file <CERTIFICATE> -keystore <KEYSTORE_FILE> -v
- CERTIFICATE: PEM-encoded certificate file.
- KEYSTORE_FILE: File path of the existing Java keystore.
If you need to retrieve the certificate for an existing system, you can run the following openssl command:
$ openssl s_client -showcerts -servername yb100.nyc.yellowbrick.io -connect yb100.nyc.yellowbrick.io:443 </dev/null
The certificate will be encoded between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
Note: The host name of the certificate, which is typically listed as the common name (CN) portion of the certificate, must exactly match the host name being used by the application client connecting to ybrelay, or the ybrelay service connecting to the data warehouse.
Separate Keystores for the ybrelay Service and the Spark Clients
As a best practice, Yellowbrick recommends that you create two separate keystores: a ybrelay service keystore and a client keystore, as directed in the following procedure. The service keystore that contains the private key for the ybrelay service (which should be secured and not circulated among the clients) will belong to the ybrelay service host only. The client keystore, which will be distributed across many Spark hosts, will contain only public key material.
1. Use the keytool command to create a ybrelay service keystore, such as service.jks.
2. Export the service's public certificate from the service keystore:
keytool -export -keystore service.jks -alias service -file service.crt
3. Create a new client keystore by importing the service public certificate:
keytool -import -alias service -file service.crt -keystore client.jks
4. Import the data warehouse public certificate into the client keystore:
keytool -import -alias cluster -file cluster.crt -keystore client.jks
The result of this procedure is two keystores:
- service.jks, which includes:
  - The public certificate for the ybrelay service
  - The private key for the ybrelay service
  - The public certificate for the Yellowbrick cluster
- client.jks, which includes:
  - The public certificate for the ybrelay service
  - The public certificate for the Yellowbrick cluster
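As an added check (not part of the original procedure or of Yellowbrick's tooling), the following Python parses the text printed by keytool -list -v -keystore client.jks and confirms the two properties the procedure is meant to guarantee: the client keystore contains no PrivateKeyEntry, and one of its certificates carries a CN matching the data warehouse host the clients connect to. The listings, the alias names and the relay host ybrelay.example.com are constructed samples, and the listing format assumed is that of keytool -list -v.

```python
import re

# Constructed, abbreviated `keytool -list -v -keystore client.jks` output; the
# real listing prints many more lines per entry, which the parser skips.
CLIENT_LISTING = """\
Your keystore contains 2 entries

Alias name: service
Entry type: trustedCertEntry
Owner: CN=ybrelay.example.com
Issuer: CN=ybrelay.example.com

Alias name: cluster
Entry type: trustedCertEntry
Owner: CN=yb100.nyc.yellowbrick.io, O=Yellowbrick
Issuer: CN=Example Corporate CA, O=Example
"""

# Constructed listing of a keystore made with -genkeypair and then copied to the
# Spark hosts by mistake: the 'service' entry still carries the private key.
LEAKY_LISTING = CLIENT_LISTING.replace("trustedCertEntry", "PrivateKeyEntry", 1)

def parse_listing(listing: str) -> list[dict[str, str]]:
    """Entries (alias, entry type, first subject CN) from a `keytool -list -v` listing."""
    entries: list[dict[str, str]] = []
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(), "type": "", "cn": ""}
            entries.append(current)
        elif current is not None and line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Owner:") and not current["cn"]:
            match = re.search(r"CN=([^,]+)", line)  # CN is the host name checked by TLS
            current["cn"] = match.group(1).strip() if match else ""
    return entries

def audit_client_keystore(listing: str, cluster_host: str) -> list[str]:
    """Findings for a Spark client keystore; empty means no private key and a CN matches the cluster host."""
    entries = parse_listing(listing)
    findings = [f"alias '{e['alias']}' holds a private key; client keystores must "
                "contain public material only"
                for e in entries if e["type"] == "PrivateKeyEntry"]
    if cluster_host not in {e["cn"] for e in entries}:
        findings.append(f"no certificate with CN={cluster_host}; host name "
                        "verification against the data warehouse will fail")
    return findings
```

Run it against a real listing by piping keytool -list -v -keystore client.jks -storepass <STORE_PASSWORD> into a file and passing its contents to audit_client_keystore before the keystore is distributed to the Spark hosts.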