Search…
v6.0.0 (latest)
Overview
Installation and Configuration
Loading and Exporting Data
Heavy Immerse
Data Science
UDF and UDTF
Tutorials and Demos
Troubleshooting and Special Topics
Implementing a Secure Binary Interface
Follow these instructions to start an HEAVY.AI server with an encrypted main port.
Required PKI Components
You need the following PKI (Public Key Infrastructure) components to implement a Secure Binary Interface.
- A CRT (short for certificate) file containing the server's PKI certificate. This file must be shared with the clients that connect using encrypted communications. Ideally, this file is signed by a recognized certificate issuing agency.
- A key file containing the server's private key. Keep this file secret and secure.
- A Java TrustStore containing the server's PKI certificate. The password for the trust store is also required.
Although in this instance the trust store contains only information that can be shared, the Java TrustStore program requires it to be password protected.
- A Java KeyStore and password.
- In a distributed system, add the configuration parameters to the heavyai.conf file on the aggregator and all leaf nodes in your HeavyDB cluster.
Demonstration Script to Create "Mock/Test" PKI Components
You can use OpenSSL utilities to create the various PKI elements. The server certificate in this instance is self-signing, and should not be used in a production system.
- 1.Generate a new private key.1openssl genrsa -out server.key 2048Copied!
- 2.Use the private key to generate a certificate signing request.1openssl req -new -key server.key -out server.csrCopied!
- 3.Self sign the certificate signing request to create a public certificate.1openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtCopied!
- 4.Use the Java tools to create a key store from the public certificate.1keytool -importcert -file server.crt -keystore server.jksCopied!
To generate a keystore file from your server key:
- 1.Copy server.key to server.txt. Concatenate it with server.crt.1cp server.key server.txt2cat server.crt >> server.txtCopied!
- 2.Use server.txt to create a PKCS12 file.1openssl pkcs12 -export -in server.txt -out server.p12Copied!
- 3.Use server.p12 to create a keystore.1keytool -importkeystore -v -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype pkcs12Copied!
Start the Server in Encrypted Mode with PKI Client Authentication
Start the server using the following options.
1
--pki-db-client-auth true
2
--ssl-cert
3
--ssl-private-key
4
--ssl-trust-store
5
--ssl-trust-password
6
--ssl-keystore
7
--ssl-keystore-password
8
--ssl-trust-ca
9
--ssl-trust-ca-server
Copied!
Example
1
sudo start heavyai_server --port 6274 --data /data --pki-db-client-auth true
2
--ssl-cert /tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem
3
--ssl-private-key /tls_certs/self_signed_server.example.com_self_signed/private/self_signed_server.example.com_key.pem
4
--ssl-trust-store /tls_certs/self_signed_server.example.com_self_signed/trust_store_self_signed_server.example.com.jks
5
--ssl-trust-password truststore_password
6
--sslkeystore /tls_certs/self_signed_server.example.com_self_signed/key_store_self_signed_server.example.com.jks
7
--ssl-keystore-password keystore_password
8
--ssl-trust-ca = "/tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem"
9
--ssl-trust-ca-server /tls_certs/ca_primary/ca_primary_cert.pem
Copied!
Configuring heavyai.conf for Encrypted Connection
Alternatively, you can add the following configuration parameters to heavyai.conf to establish a Secure Binary Interface. The following configuration flags implement the same encryption shown in the runtime example above:
1
# Start pki authentication
2
pki-db-client-auth = true
3
ssl-cert = "/tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem"
4
ssl-private-key = "/tls_certs/self_signed_server.example.com_self_signed/private/self_signed_server.example.com_key.pem"
5
ssl-trust-store = "/tls_certs/self_signed_server.example.com_self_signed/trust_store_self_signed_server.example.com.jks"
6
ssl-trust-password = "truststore_password"
7
ssl-keystore = "/tls_certs/self_signed_server.example.com_self_signed/key_store_self_signed_server.example.com.jks"
8
ssl-keystore-password = "keystore_password"
9
ssl-trust-ca = "/tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem"
10
ssl-trust-ca-server = "/tls_certs/ca_primary/ca_primary_cert.pem"
Copied!
Passwords for the SSL truststore and keystore can be enclosed in single (') or double (") quotes.
Why Use Both server.crt and a Java TrustStore?
The
server.crt file and the Java truststore contain the same public key information in different formats. Both are required by the server to establish both the secure client communication with the various interfaces and with its Calcite server. At startup, the Java truststore is passed to the Calcite server for authentication and to encrypt its traffic with the HEAVY.AI server.Last modified 2mo ago