Implementing a Secure Binary Interface
Follow these instructions to start a HEAVY.AI server with an encrypted main port.
Required PKI Components
You need the following PKI (Public Key Infrastructure) components to implement a Secure Binary Interface.
A CRT (short for certificate) file containing the server's PKI certificate. This file must be shared with the clients that connect using encrypted communications. Ideally, this file is signed by a recognized certificate issuing agency.
A key file containing the server's private key. Keep this file secret and secure.
A Java TrustStore containing the server's PKI certificate. The password for the trust store is also required.
Although in this instance the trust store contains only information that can be shared, the Java TrustStore program requires it to be password protected.
A Java KeyStore and password.
In a distributed system, add the configuration parameters to the heavyai.conf file on the aggregator and all leaf nodes in your HeavyDB cluster.
Demonstration Script to Create "Mock/Test" PKI Components
You can use OpenSSL utilities to create the various PKI elements. The server certificate in this instance is self-signed and should not be used in a production system.
Generate a new private key.
Use the private key to generate a certificate signing request.
Self-sign the certificate signing request to create a public certificate.
Use the Java tools to create a key store from the public certificate.
To generate a keystore file from your server key:
Copy server.key to server.txt. Concatenate it with server.crt.
Use server.txt to create a PKCS12 file.
Use server.p12 to create a keystore.
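The steps above as one script, followed by a check that the certificate really carries the private key's public half. This is an added example, not the script from the HEAVY.AI documentation. The file names server.csr, truststore.jks and keystore.jks, the alias, the CN and the password are assumptions made for illustration.

```shell
#!/bin/sh
# Mock/test PKI only. STOREPASS, server.csr, the .jks names, the alias and the
# CN are constructed assumptions, not values from the HEAVY.AI documentation.
STOREPASS="${STOREPASS:-changeit}"

make_mock_pki() {  # $1 = output directory
  (
    umask 077  # key, bundle and certificate are created owner-readable only
    mkdir -p "$1" && cd "$1" &&
    # 1. Generate a new private key
    openssl genrsa -out server.key 2048 &&
    # 2. Use the private key to create a certificate signing request
    openssl req -new -key server.key -out server.csr -subj "/CN=localhost" &&
    # 3. Self-sign the request to produce the public certificate
    openssl x509 -req -days 365 -in server.csr -signkey server.key \
      -out server.crt &&
    # 4. Key + certificate -> server.txt -> PKCS12 bundle
    cat server.key server.crt > server.txt &&
    openssl pkcs12 -export -in server.txt -out server.p12 \
      -passout "pass:$STOREPASS" &&
    rm -f server.txt  # avoid leaving a second copy of the private key on disk
  )
}

make_java_stores() {  # $1 = directory holding server.crt and server.p12
  (
    cd "$1" &&
    # Trust store: public certificate only, but keytool still wants a password
    keytool -importcert -noprompt -alias heavyai-server -file server.crt \
      -keystore truststore.jks -storepass "$STOREPASS" &&
    # Key store: converted from the PKCS12 bundle
    keytool -importkeystore -noprompt -srckeystore server.p12 \
      -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
      -destkeystore keystore.jks -deststorepass "$STOREPASS"
  )
}

key_matches_cert() {  # succeeds only if server.crt holds server.key's public key
  pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) && [ -n "$pub" ] &&
    [ "$pub" = "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# Usage: sh mock_pki.sh <output-dir>
if [ "$#" -gt 0 ]; then
  make_mock_pki "$1" && key_matches_cert "$1" && make_java_stores "$1"
fi
```

Passing store passwords on the command line exposes them in the process list, which is acceptable only for throwaway test material like this.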
Start the Server in Encrypted Mode with PKI Client Authentication
Start the server using the following options.
Example
Configuring heavyai.conf for Encrypted Connection
Alternatively, you can add the following configuration parameters to heavyai.conf to establish a Secure Binary Interface. The following configuration flags implement the same encryption shown in the runtime example above:
Passwords for the SSL truststore and keystore can be enclosed in single (') or double (") quotes.
Why Use Both server.crt and a Java TrustStore?
The server.crt file and the Java truststore contain the same public key information in different formats. The server requires both to establish secure communication with clients over its various interfaces and with its Calcite server. At startup, the Java truststore is passed to the Calcite server for authentication and to encrypt its traffic with the HEAVY.AI server.