Securing Jupyter Notebook Server
You can secure your Jupyter Notebook Server installation with SSL encryption using SSL certificates.
The SSL certificates must be from a trusted provider, as Secure Web Sockets encryption does not
allow you to use
self-signed certificates, like an https request does.
About this task
For a demonstration of how to secure Jupyter Notebook Server, watch this video:
- Update the config.conf file for SSL encryption.
Tip: For more information see Configuring Jupyter Notebook Server.
- Set the value for CERTIFICATES_DIRECTORY_PATH with the path to the directory containing the authority certificates for the Jupyter server.
- Set the value for PROXY_CERTIFICATE_FILE_PATH with the path to the certificate file for the Jupyter server.
- Set the value for PROXY_KEY_FILE_PATH with the path to the private key file for the Jupyter server.
- Ensure that the administrator specifies https, rather than http, when they enable IBM Cognos Analytics for Jupyter Notebook.
- Register the Jupyter server with the Cognos Analytics server as a trusted third party
Regardless if Cognos Analytics server is set up for SSL, you must still register the Jupyter server in the Cognos Analytics trusted service store. Cognos Analytics will not forward a request to an https target without first verifying (by certificate) that the target is trusted and genuine.
This involves importing a copy of the certificate for the secured Jupyter server to the Cognos Analytics trusted service store using the ThirdPartyCertificateTool utility provided with Cognos Analytics, in the installation_location/bin directory. For more information, see ThirdPartyCertificateTool commands and examples.
For example, to import a certificate, type the following on a command line at the computer where Cognos Analytics is installed:
ThirdPartyCertificateTool -i -T -p NoPassWordSet -r fully_qualified_pathname_of_jupyter_certificate_file_in_pem_format
- Only if the Cognos Analytics server is also set up for SSL, register the Cognos
Analytics server with the Jupyter server as a trusted third party host.
- On the computer where Jupyter Server is installed, create a directory where the certificates will be stored.
- Edit the file config.conf and set the CERTIFICATES_DIRECTORY_PATH parameter to point to the directory that you just created.
- For each instance of Cognos Analytics that will connect to the Jupyter Server, copy
the certificate in Privacy Enhanced Mail (PEM) format for the Cognos Analytics server into the
certificates directory that you configured in step 4.b. Important: Even though the certificates must be in PEM format, they must have .crt file extensions.
- Rebuild the image:
In Linux, run jupyter_installation_location/dist/scripts/unix/build.sh
In Windows, run jupyter_installation_location/dist/scripts/windows/build.bat
- Restart the server:
In Linux, run jupyter_installation_location/dist/scripts/unix/start.sh
In Windows, run jupyter_installation_location/dist/scripts/windows/startup.bat