Security: Enable HTTPS
WARNING!  Using HTTPS is always recommended. Otherwise, API tokens, credentials, and payloads are subject to hijacking. HTTPS is always enabled and enforced for Integration Manager powered by DataCloud (SaaS) and VPC deployments.
SSL Certificates
HTTPS encryption is configured using a keystore file, which contains one or more SSL certificates. In general, SSL certificates have two functions:
Encrypt communications
Authenticate the identity of the certificate’s owner
There are two types of SSL certificates:
CA-signed
When you purchase a CA-signed certificate, you are required to undergo a validation process that confirms key identifying information. A CA-signed certificate is trusted by every browser or device that trusts the certificate authority. Certificate authorities are required to undergo regular audits and must comply with strict guidelines to be trusted.
Self-signed
When you sign a certificate yourself, you are not performing the requisite validation. Browsers are designed not to trust self-signed certificates by default, so using one generates a browser error on any attempt to access the server over HTTPS. Self-signed certificates are appropriate only for testing environments and non-public networks.
Create a Keystore and Configure SSL Properties
To enable HTTPS, you must accomplish these tasks:
1. Create a keystore file and import certificate.
2. Configure Integration Manager’s SSL properties.
3. Import your certificates into your Java library.
Perform the following procedures to achieve these tasks.
Step 1: Create a Keystore and Import Certificate Using Java keytool
You may use either Java keytool or OpenSSL tools to generate, import, and manage certificates from the command line.
This step explains how to accomplish the task using keytool. For OpenSSL certificate instructions, see https://www.openssl.org/.
You may create these two types of certificates:
CA-signed certificate
Self-signed certificate
Perform the appropriate procedure below to create the type of certificate you want to use.
To create and import a CA-signed certificate
1. Open a command console window and change directory to the JRE bin folder.
2. Create a new keystore file using Java keytool.
You may use whatever alias and filename you choose. Examples here use “integration-manager” and “keystore.p12,” respectively.
3. Create a certificate signing request file using your newly created keystore. For example:
> cd (ProgramData)/Actian/IntegrationManager/jre/bin
> keytool -genkey -alias integration-manager -keyalg RSA -keystore keystore.p12
> keytool -certreq -alias integration-manager -keyalg RSA -file certificate-signing-request.txt -keystore keystore.p12
4. Send the certificate request to the Certificate Authority you are using.
Note:  Wait for your new certificate to arrive before performing the next step.
5. When your certificate(s) arrive, import them (usually *.cer files) into your keystore.
Often, multiple cert files are provided, each with its own unique name. Note “root” and “intermediate” are merely example names. The “server” certificate will replace the existing self-signed one in the keystore, so you should use the same alias you specified in Step 2 when generating the signing request.
> keytool -import -alias root -keystore keystore.p12 -trustcacerts -file root.cer
> keytool -import -alias intermediate -keystore keystore.p12 -trustcacerts -file intermediate.cer
> keytool -import -alias integration-manager -keystore keystore.p12 -trustcacerts -file server.cer
Contact your certificate authority with any specific questions, concerns, or issues you encounter during import.
To create and import a self-signed certificate
Caution!  Self-signed certs should not be used in production environments!
1. Open a command console window and change directory to the JRE bin folder.
2. Create a new keystore file using the Java keytool.
You may use whatever alias and filename you choose. Examples here use “integration-manager” and “keystore.p12,” respectively.
3. You will be prompted to set a keystore password and add identity details (name, company, address, and so on).
> cd (ProgramData)/Actian/IntegrationManager/jre/bin
> keytool -genkeypair -alias integration-manager -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650
Step 2: Configure Integration Manager SSL Properties
Examples in this step use “integration-manager” and “keystore.p12,” respectively.
These properties apply to both self-signed and CA-signed keystores.
Changing any entries in the application.properties file requires the Integration Manager Service to be restarted.
It is best practice to ensure you have no duplicate properties in your file.
# Enable SSL
security.require-ssl=true
server.port=443
server.ssl.key-alias=integration-manager
server.ssl.key-store=${sharedDataPath}/conf/ssl/keystore.p12
server.ssl.key-store-password=D0N0tU5eTh1sP@ssW0rd!
server.ssl.key-store-type=PKCS12
im.base-url=https://IM_SERVER_HOSTNAME:${server.port}
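The following Python check is an added example, not part of Integration Manager or its documentation. It parses an application.properties body, reports duplicate properties, and flags Step 2 settings that are missing or still hold the sample values. The required-key list mirrors the Step 2 listing, the parser handles simple key=value lines only, and the sample input is constructed.

```python
import re

# Keys set in the Step 2 listing; each must appear in application.properties.
REQUIRED = ("security.require-ssl", "server.port", "server.ssl.key-alias",
            "server.ssl.key-store", "server.ssl.key-store-password",
            "server.ssl.key-store-type", "im.base-url")
DOC_PASSWORD = "D0N0tU5eTh1sP@ssW0rd!"  # sample value printed in the documentation

def parse_properties(text):
    """Return (values, duplicates); values keeps the last occurrence of a key,
    as java.util.Properties does. No escapes or line continuations (assumption)."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if key in values and key not in duplicates:
            duplicates.append(key)
        values[key] = value
    return values, duplicates

def audit(text):
    """Return a list of findings for an application.properties body."""
    values, duplicates = parse_properties(text)
    findings = [f"duplicate property: {k}" for k in duplicates]
    findings += [f"missing property: {k}" for k in REQUIRED if k not in values]
    # Defaults below pass the check: absent keys are already reported as missing.
    if values.get("security.require-ssl", "true").lower() != "true":
        findings.append("security.require-ssl is not true")
    if values.get("server.ssl.key-store-password") == DOC_PASSWORD:
        findings.append("key-store password is the documentation sample")
    if not values.get("im.base-url", "https://").startswith("https://"):
        findings.append("im.base-url does not use https://")
    return findings

SAMPLE = """\
# Constructed sample: duplicate port, sample password, plain-HTTP base URL
security.require-ssl=true
server.port=8080
server.port=443
server.ssl.key-alias=integration-manager
server.ssl.key-store=${sharedDataPath}/conf/ssl/keystore.p12
server.ssl.key-store-password=D0N0tU5eTh1sP@ssW0rd!
server.ssl.key-store-type=PKCS12
im.base-url=http://IM_SERVER_HOSTNAME:${server.port}
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the edited file before restarting the Integration Manager Service, so a duplicated or leftover sample value is caught before the service loads it.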
Step 3: Import Your Certificates into Java jre/lib/security/cacerts
The “cacerts” file is an embedded keystore for the Java Runtime Environment.
To import your certificates
1. Export the certificate out of the keystore:
> keytool -exportcert -alias integration-manager -keystore keystore.p12 -file integration-manager.cer -storetype pkcs12 -noprompt -storepass D0N0tU5eTh1sP@ssW0rd!
2. Import the certificate to the jre/lib/security/cacerts keystore:
> keytool -import -alias integration-manager -file integration-manager.cer -keystore "(ProgramData)/Actian/IntegrationManager/jre/lib/security/cacerts" -storepass D0N0tU5eTh1sP@ssW0rd!
Last modified date: 03/14/2022