Enabling HTTPS
To secure communications with the Control Hub UI and REST API, enable HTTPS for both Control Hub and the separate Admin tool.
By default, both Control Hub and the Admin tool use HTTP. StreamSets recommends using HTTPS in a production environment. HTTPS requires an SSL/TLS certificate and the private key that belongs to it.
Prerequisites
Before you enable HTTPS for Control Hub, complete the following requirements:
- Obtain access to OpenSSL and Java keytool.
- If you do not have a keystore file that includes an SSL/TLS certificate signed by a certificate authority (CA), you can request a certificate and create the keystore file using the following tools:
  - OpenSSL - Use OpenSSL to create a Certificate Signing Request (CSR) that you send to the CA of your choice, as well as to create the keystore and truststore files. For more information, see the OpenSSL documentation.
  - Java keytool - You can also use Java keytool to create a CSR and to create keystore and truststore files. Java keytool is part of the Java Development Kit (JDK). For more information, see the keytool documentation.
- Generate a private key and obtain an SSL/TLS certificate for it that is signed by a certificate authority (CA).
  - Control Hub provides a self-signed certificate that you can use. However, web browsers generally issue a warning for self-signed certificates, and clients have no independent way to confirm that such a certificate belongs to your Control Hub. StreamSets strongly recommends that you generate a private key and obtain a public certificate signed by a trusted CA.
Step 1. Create a Keystore File
Create a keystore file that includes the private key and the public certificate signed by the CA, together with any intermediate CA certificates the CA supplied. Control Hub presents this certificate chain to connecting clients, which use it to verify the identity of the Control Hub server.
StreamSets recommends creating the keystore in the PKCS #12 (p12 file) format. In most cases, a CA issues certificates in PEM format; use OpenSSL to import the PEM certificate and the private key directly into a PKCS #12 keystore. Restrict read access to the keystore file and its password: anyone who can read both can impersonate Control Hub.
Step 2. Create a Truststore File (Optional)
A truststore file contains certificates from trusted CAs that an SSL/TLS client uses to verify the identity of an SSL/TLS server.
By default, Control Hub uses the Java truststore file located in $JAVA_HOME/jre/lib/security/cacerts (in Java 9 and later, the JDK keeps this file at $JAVA_HOME/lib/security/cacerts). If your certificate is signed by a trusted CA that is included in the default Java truststore file, you do not need to create a truststore file and can skip this step.
If your certificate was signed by a private CA, or by a CA that the default Java truststore does not trust, you must either create a custom truststore file or modify a copy of the default Java truststore file, adding the root and intermediate CA certificates. For example, if your organization runs its own CA, add your organization's root and intermediate certificates to the truststore file.
In these steps, we show how to modify a copy of the default truststore file to add an additional CA to the list of trusted CAs. If you prefer to create a custom truststore file, see the keytool documentation. The steps depend on the format of the truststore file:
- Java keystore file (JKS)
- PKCS #12 (p12 file)
Step 3. Configure Control Hub to Use HTTPS
Modify the Control Hub configuration files to configure Control Hub and the Admin tool to use a secure port and your keystore file. If you created a custom truststore file or modified a copy of the default Java truststore file, configure Control Hub to use that truststore file.
Step 4. Configure the Truststore File for Clients (Optional)
If the Control Hub SSL/TLS certificate was signed by a private CA, you must also configure Control Hub clients - registered Data Collectors and Transformers - to use a modified truststore file that includes the root and intermediate certificates of the private CA. Otherwise those clients cannot validate the Control Hub certificate and their connections fail.
By default, both Data Collector and Transformer use the Java truststore file located in $JAVA_HOME/jre/lib/security/cacerts (in Java 9 and later, $JAVA_HOME/lib/security/cacerts). If the certificate generated for Control Hub was signed by a trusted CA that is included in this truststore file, you can skip this step.
Configuring the Truststore for Data Collectors
Data Collector can use truststore files in the JKS or PKCS #12 format.
Configuring the Truststore for Transformers
Transformer can use truststore files in the JKS or PKCS #12 format.
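The following script is an added example, not StreamSets' own tooling or configuration. It walks through the artifacts that Steps 1, 2 and 4 call for: a key pair and CSR, a PKCS #12 keystore holding the signed certificate and its intermediate, a chain check, and a truststore that carries the private CA's root and intermediate (either a modified copy of the JDK cacerts file, when JAVA_HOME points at a JDK, or a fresh PKCS #12 truststore). Because the script must run offline, a locally generated root and intermediate stand in for the CA you would really send the CSR to; the host name controlhub.example.com, the file names, the aliases and the passwords are assumptions, not Control Hub defaults.

```shell
#!/bin/sh
# Added example; not StreamSets' own scripts or configuration. Produces the
# artifacts described in Steps 1, 2 and 4. A locally generated root and
# intermediate stand in for the CA you would really send the CSR to. Host
# name, file names, aliases and passwords are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-controlhub.example.com}"   # assumed Control Hub host name
STOREPASS="${STOREPASS:-changeit-now}"   # assumed; use a real secret in practice
cd "$WORK"

# Extension profiles: CA certificates may only sign; the server certificate may
# only serve TLS for the Control Hub host name (clients match on the SAN).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > server.ext

# Generates an RSA key pair and a CSR: "$1" is the file prefix, "$2" the CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# --- Stand-in CA (in production a CA you trust does this part) ---
new_csr root "Example Private Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null
new_csr intermediate "Example Private Intermediate CA"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out intermediate.pem 2>/dev/null

# --- Step 1: key and CSR for Control Hub; the CA returns controlhub.pem ---
new_csr controlhub "$HOST"
openssl x509 -req -in controlhub.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 397 -extfile server.ext -out controlhub.pem 2>/dev/null

# Succeeds only if the leaf chains to the root through the intermediate and the
# host name matches the certificate. Run this before building the keystore.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem -verify_hostname "$HOST" controlhub.pem >/dev/null 2>&1
}

# Step 1 (continued): PKCS #12 keystore with the private key, the server
# certificate and the intermediate, so Control Hub presents the full chain.
openssl pkcs12 -export -name controlhub -inkey controlhub.key -in controlhub.pem \
  -certfile intermediate.pem -out keystore.p12 -passout "pass:$STOREPASS"
chmod 600 keystore.p12 controlhub.key

# Prints the number of certificates in the keystore (expected: 2).
keystore_cert_count() {
  openssl pkcs12 -in keystore.p12 -passin "pass:$STOREPASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# --- Steps 2 and 4: truststore with the private CA's root and intermediate ---
# Modifies a copy of the JDK cacerts file when one is found (jre/lib/security
# in Java 8, lib/security from Java 9 on); otherwise creates a fresh PKCS #12
# truststore. Sets TRUSTSTORE and TRUSTSTORE_PASS; leaves TRUSTSTORE empty
# when keytool is not installed.
TRUSTSTORE=""; TRUSTSTORE_PASS=""
make_truststore() {
  command -v keytool >/dev/null 2>&1 || return 0
  for p in "${JAVA_HOME:-/nonexistent}/lib/security/cacerts" "${JAVA_HOME:-/nonexistent}/jre/lib/security/cacerts"; do
    if [ -f "$p" ]; then
      cp "$p" cacerts-copy; TRUSTSTORE=cacerts-copy; TRUSTSTORE_PASS=changeit; break   # JDK default password
    fi
  done
  type_opt=""
  if [ -z "$TRUSTSTORE" ]; then
    TRUSTSTORE=truststore.p12; TRUSTSTORE_PASS="$STOREPASS"; type_opt="-storetype PKCS12"
  fi
  for ca in root intermediate; do   # root first, so the intermediate's chain validates
    keytool -importcert -noprompt -alias "example-$ca" -file "$ca.pem" \
      -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" $type_opt >/dev/null 2>&1
  done
}
make_truststore

# Prints how many example-* trusted entries the truststore holds (expected: 2).
truststore_entry_count() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" 2>/dev/null | grep -c '^example-'
}

verify_chain || { echo "chain verification failed" >&2; exit 1; }
echo "chain OK; keystore: $WORK/keystore.p12; truststore: ${TRUSTSTORE:-none (keytool not found)}"
```

In a real deployment, stop after new_csr controlhub, send controlhub.csr to your CA, and substitute the certificate and intermediate the CA returns for controlhub.pem and intermediate.pem before the pkcs12 -export step; the -certfile argument must carry the CA-supplied intermediate, not one you generated. The truststore the script writes is the same file you point Control Hub at in Step 3 and distribute to Data Collectors and Transformers in Step 4; the verify_chain check is worth repeating on each host with the deployed truststore, since a missing intermediate is the usual reason a certificate that looks fine in a browser is rejected by a Java client.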