Question
How do we import SSL certificates into Digital Hive?
Answer
There are two different scenarios in which a certificate may need to be imported:
- When you want to secure Digital Hive's SSL listener. For example, this is needed if you don't want to use the self-signed certificate and want to avoid the NET::ERR_CERT_AUTHORITY_INVALID browser warning
- When you want to secure the Digital Hive communication downstream with a connector, for example, IBM Cognos Analytics or Tableau
Importing Certificates to Secure Digital Hive's SSL Listener
The important things to consider when securing Digital Hive's SSL listener are that the certificate needs to contain both the private and public keys and that it needs the full certificate chain. There are several types of certificates that you may be given to secure the SSL listener. We find that .pfx certificates are the easiest to import, but that is not a requirement. Here are some examples of how to import .pfx and .cer certificates, plus some other useful keytool commands. All of these examples are run in a Command Prompt; the certificates were placed in the c:\certificates folder and Digital Hive was installed on the c: drive. Replace the paths and file names to match your environment. Also, if you haven't changed the keystore password, enter theia_pass when prompted.
Importing a .pfx
c:\DigitalHive\Java\bin\keytool -importkeystore -srckeystore c:\certificates\dh_cert.pfx -srcstoretype pkcs12 -destkeystore c:\DigitalHive\app\node1\tomcat\conf\keystore.jks -deststoretype jks -destkeypass theia_pass
Importing a .cer
c:\DigitalHive\Java\bin\keytool -import -keystore c:\DigitalHive\app\node1\tomcat\conf\keystore.jks -file c:\certificates\dh_cert.cer -alias theia
Viewing what is in the keystore
c:\DigitalHive\Java\bin\keytool -list -v -keystore c:\DigitalHive\app\node1\tomcat\conf\keystore.jks
Deleting the self-signed cert
c:\DigitalHive\Java\bin\keytool -delete -alias theia -keystore c:\DigitalHive\app\node1\tomcat\conf\keystore.jks
Certificates with multiple SANs
For example, if the certificate must cover two SANs, domain1.example.com and domain2.example.com, include the following keytool option (keytool accepts -ext when generating a key pair or a certificate signing request):
-ext SAN=dns:domain1.example.com,dns:domain2.example.com
Importing a Certificate into cacerts
These certificates are imported for something that Digital Hive will talk to downstream like Cognos Analytics, Tableau, etc.
- Open a Command Prompt as Administrator
- Run this command, changing the paths and file names to match your environment:
c:\DigitalHive\Java\bin\keytool -import -keystore c:\DigitalHive\Java\lib\security\cacerts -file c:\certificates\tableau_cert.cer -alias tableau
- When prompted for the password, enter changeit
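After importing, the requirements stated above (a PrivateKeyEntry with the full chain for the listener keystore, a trustedCertEntry in cacerts for a downstream connector, and the expected SAN names) can be checked from the output of the "Viewing what is in the keystore" command rather than by eye. The script below is an added example, not part of this answer or of Digital Hive; it parses saved output of keytool -list -v, so it runs without Java. The keytool listing it ships with is constructed for illustration, and the aliases theia and tableau are the ones used in the commands above.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of "keytool -list -v" output (not captured from a real
# Digital Hive install): a listener entry with a two-certificate chain and two
# SAN names, plus one trusted entry of the kind imported into cacerts.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: theia
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=domain1.example.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: domain1.example.com
  DNSName: domain2.example.com
]

Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Valid from: Mon Jan 01 00:00:00 UTC 2020 until: Sun Jan 01 00:00:00 UTC 2030

*******************************************

Alias name: tableau
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=tableau.example.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
"""


def parse_keytool_list(text: str) -> Dict[str, dict]:
    """Split "keytool -list -v" output into one record per alias."""
    entries: Dict[str, dict] = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:  # drop the header
        alias, _, body = block.partition("\n")
        entry_type = re.search(r"(?m)^Entry type: (\S+)", body)
        chain_len = re.search(r"(?m)^Certificate chain length: (\d+)", body)
        # Owner/Issuer lines appear once per certificate, in chain order.
        owners = re.findall(r"(?m)^Owner: (.*)$", body)
        issuers = re.findall(r"(?m)^Issuer: (.*)$", body)
        certs = [{"owner": o.strip(), "issuer": i.strip()} for o, i in zip(owners, issuers)]
        # Only the leaf certificate's SAN matters for the hostnames the listener serves.
        leaf = body.split("Certificate[2]:")[0]
        san = re.search(r"SubjectAlternativeName \[(.*?)\]", leaf, re.S)
        entries[alias.strip()] = {
            "entry_type": entry_type.group(1) if entry_type else None,
            "chain_length": int(chain_len.group(1)) if chain_len else len(certs),
            "certs": certs,
            "san_dns": re.findall(r"DNSName: (\S+)", san.group(1)) if san else [],
        }
    return entries


def check_listener_entry(entries: Dict[str, dict], alias: str = "theia") -> List[str]:
    """Problems with the SSL listener entry; an empty list means it looks right."""
    entry = entries.get(alias)
    if entry is None:
        return [f"no entry with alias '{alias}' in the keystore"]
    problems = []
    if entry["entry_type"] != "PrivateKeyEntry":
        problems.append(f"'{alias}' is a {entry['entry_type']}, not a PrivateKeyEntry (private key missing)")
    if entry["chain_length"] < 2:
        problems.append("chain has only the leaf certificate (intermediate/root certificates missing)")
    certs = entry["certs"]
    for i in range(len(certs) - 1):  # each issuer must be the next certificate's subject
        if certs[i]["issuer"] != certs[i + 1]["owner"]:
            problems.append(f"chain break between certificate {i + 1} and {i + 2}")
    return problems


def check_trusted_entry(entries: Dict[str, dict], alias: str) -> List[str]:
    """Problems with a downstream (cacerts) entry; an empty list means it looks right."""
    entry = entries.get(alias)
    if entry is None:
        return [f"no entry with alias '{alias}' in the keystore"]
    if entry["entry_type"] != "trustedCertEntry":
        return [f"'{alias}' is a {entry['entry_type']}, expected trustedCertEntry"]
    return []


def san_dns_names(entries: Dict[str, dict], alias: str) -> List[str]:
    """DNS names in the leaf certificate's SubjectAlternativeName extension."""
    return entries.get(alias, {}).get("san_dns", [])


if __name__ == "__main__":
    # Usage: keytool -list -v -keystore keystore.jks > listing.txt, then
    # python check_keystore.py listing.txt [alias]; with no file, the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_KEYTOOL_OUTPUT
    parsed = parse_keytool_list(text)
    alias = sys.argv[2] if len(sys.argv) > 2 else "theia"
    print("listener entry:", check_listener_entry(parsed, alias) or "OK")
    print("SAN names:", san_dns_names(parsed, alias))
    print("tableau trust entry:", check_trusted_entry(parsed, "tableau") or "OK")
```

Run it against a saved listing of keystore.jks to confirm the listener alias has its private key and a linked chain, and against a listing of cacerts to confirm the connector's certificate landed as a trusted entry; a chain-break or PrivateKeyEntry message means the import step needs to be redone with the full chain (for .pfx files, -importkeystore carries the chain across; a bare .cer imported with -import only adds the certificates it contains).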