Securing Jupyter Notebook Server

You can secure your Jupyter Notebook Server installation with SSL encryption using SSL certificates.

The SSL certificates must be from a trusted provider, as Secure Web Sockets encryption does not allow you to use self-signed certificates, like an https request does.

Note: If the Cognos Analytics server is secured with SSL, then the Jupyter Notebook server must also be secured with SSL. Similarly, if the Cognos Analytics server is not secured with SSL, the Jupyter Notebook server must also not be secured with SSL.

About this task

For a demonstration of how to secure Jupyter Notebook Server, watch this video:

A demonstration of how to secure Jupyter Notebook Server

Procedure

  1. Update the config.conf file for SSL encryption.
    1. Set the value for CERTIFICATES_DIRECTORY_PATH with the path to the directory containing the authority certificates for the Jupyter server.
    2. Set the value for PROXY_CERTIFICATE_FILE_PATH with the path to the certificate file for the Jupyter server.
    3. Set the value for PROXY_KEY_FILE_PATH with the path to the private key file for the Jupyter server.
    Tip: For more information see Configuring Jupyter Notebook Server.
  2. Ensure that the administrator specifies https, rather than http, when they enable IBM Cognos Analytics for Jupyter Notebook.
  3. Register the Jupyter server with the Cognos Analytics server as a trusted third party host.

    Regardless if Cognos Analytics server is set up for SSL, you must still register the Jupyter server in the Cognos Analytics trusted service store. Cognos Analytics will not forward a request to an https target without first verifying (by certificate) that the target is trusted and genuine.

    This involves importing a copy of the certificate for the secured Jupyter server to the Cognos Analytics trusted service store using the ThirdPartyCertificateTool utility provided with Cognos Analytics, in the installation_location/bin directory. For more information, see ThirdPartyCertificateTool commands and examples.

    For example, to import a certificate, type the following on a command line at the computer where Cognos Analytics is installed:

    ThirdPartyCertificateTool -i -T -p NoPassWordSet -r fully_qualified_pathname_of_jupyter_certificate_file_in_pem_format

  4. Only if the Cognos Analytics server is also set up for SSL, register the Cognos Analytics server with the Jupyter server as a trusted third party host.
    1. On the computer where Jupyter Server is installed, create a directory where the certificates will be stored.
    2. Edit the file config.conf and set the CERTIFICATES_DIRECTORY_PATH parameter to point to the directory that you just created.
    3. For each instance of Cognos Analytics that will connect to the Jupyter Server, copy the certificate in Privacy Enhanced Mail (PEM) format for the Cognos Analytics server into the certificates directory that you configured in step 4.b.
      Important: Even though the certificates must be in PEM format, they must have .crt file extensions.
    4. Rebuild the image:

      In Linux, run jupyter_installation_location/dist/scripts/unix/build.sh

      In Windows, run jupyter_installation_location/dist/scripts/windows/build.bat

    5. Restart the server:

      In Linux, run jupyter_installation_location/dist/scripts/unix/start.sh

      In Windows, run jupyter_installation_location/dist/scripts/windows/startup.bat

Results

The Jupyter Notebook Server is secured with SSL encryption.