Importing self-signed certificates from a Presto (Java) server to a Java truststore

Client applications such as IDEs, and utilities such as the Presto (Java) CLI, must trust the Presto engine if it is configured to use a self-signed certificate. By default, the software installations use self-signed certificates. The following procedure describes how to import a self-signed certificate into a truststore for use by the Presto (Java) CLI or other client utilities.

These instructions apply when the clients need to connect to Presto (Java) engines in watsonx.data™ on IBM Software Hub and watsonx.data Developer Edition.

These instructions do not apply when you connect to the local Presto (Java) engine in watsonx.data Developer Edition with the bin/presto-cli utility. The bin/presto-cli utility has a truststore that is configured by default.

About this task

To import the certificate into your truststore, complete the following steps:

Procedure

  1. On the client workstation from which you intend to connect to the Presto (Java) server, get the certificate served by the Presto (Java) server.
    echo QUIT | openssl s_client -showcerts -connect <presto-engine-host>:<port> | awk '/-----BEGIN CERTIFICATE-----/ {p=1}; p; /-----END CERTIFICATE-----/ {p=0}' > presto.cert
  2. Use one of the following methods to add the certificate to the truststore:
    1. Add to your existing Java truststore.
      keytool -import -trustcacerts -storepass changeit -noprompt -alias presto-cert -file ./presto.cert
    2. Create a new Java truststore.
      keytool -import -alias presto-cert -file ./presto.cert -keystore ./presto-truststore.jks
  3. Check whether the certificate is imported correctly.
    1. If you added the certificate to the existing Java truststore, run:
      keytool -list -v -storepass changeit -alias presto-cert
      
      Note: changeit is the default password for the cacerts in Java.
    2. If you created a new Java truststore, run:
      keytool -list -v -keystore ./presto-truststore.jks -alias presto-cert
      
  4. Install the certificate by using Presto (Java) CLI.
    1. If the certificate is in the existing truststore:
      export PRESTO_PASSWORD=<your password>; ./presto --password --server https://cpd-lh-bart-01.fyre.ibm.com:8443 --user <your username> --catalog "tpch" --execute "select * from tiny.customer limit 10;"
    2. If the certificate is in the new truststore:
      export PRESTO_PASSWORD=<your password>; ./presto --truststore-path ./presto-truststore.jks --truststore-password=test123456 --password --server https://cpd-lh-bart-01.fyre.ibm.com:8443 --user ibmlhadmin --catalog "tpch" --execute "select * from tiny.customer limit 10;"
    Note: If the PRESTO_PASSWORD environment variable is set, the Presto (Java) CLI does not prompt for a password.
    Note: Provide the --truststore-path and --truststore-password arguments on the Presto (Java) command line.
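
The openssl s_client command in step 1 saves whatever certificate the server presents, without authenticating it. The following added example, which is not part of the original procedure, compares the SHA-256 fingerprint of presto.cert with a value obtained from the Presto administrator over a separate channel, and runs the step 2 import into a new truststore only on a match. The function names and the out-of-band fingerprint are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin the fetched Presto certificate to a fingerprint obtained
# out-of-band before importing it. All function names are hypothetical.

# Print the SHA-256 fingerprint of the first certificate in a PEM file as
# 64 lowercase hex digits. Fails if the file does not parse as X.509.
cert_fingerprint() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalize a fingerprint as an administrator might paste it
# (colons, spaces, upper case) to the same 64-hex-digit form.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if the certificate's fingerprint equals the expected one.
# Return 2 if the certificate or the expected value is unusable.
verify_pin() {
    actual=$(cert_fingerprint "$1") || return 2
    expected=$(normalize_fingerprint "$2")
    [ "${#expected}" -eq 64 ] || return 2
    [ "$actual" = "$expected" ]
}

# Import into a dedicated truststore (the keytool command from step 2)
# only after the pin check passes; keytool is never run on a mismatch.
import_if_pinned() {
    cert=$1; expected=$2; store=${3:-./presto-truststore.jks}
    if ! verify_pin "$cert" "$expected"; then
        echo "fingerprint mismatch or unreadable certificate: not importing $cert" >&2
        return 1
    fi
    keytool -import -alias presto-cert -file "$cert" -keystore "$store"
}

# Usage: sh pin-import.sh presto.cert '<fingerprint from the administrator>'
if [ "$#" -ge 2 ]; then
    import_if_pinned "$@"
fi
```

The administrator can produce the expected value on the server side with openssl x509 -noout -fingerprint -sha256 against the engine's certificate file.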