After you have installed and configured the platform and verified operations, you may optionally configure an SSL certificate to secure connections to the web application of the platform.

Pre-requisites

  1. A valid SSL certificate for the platform. The certificate must match the FQDN where the platform web application is hosted.
  2. Root access to the platform node.
  3. The platform is up and running correctly.

Configure nginx

To enable SSL connections, you must make changes to the configuration for Nginx, a proxy server packaged with the platform. There are two separate Nginx services on the server: one service for internal application use, and one service that functions as a proxy between users and the platform web application. To install the SSL certificate, all configuration changes are applied to the proxy process only.

The SSL certificate and the private key must be installed on the node in an accessible location. The steps to generate them exceed the scope of this document.

Steps:

  • Log into the platform server as the centos user. Switch to the root user:

    Code Block
    sudo su
  • Enable the proxy nginx service so that it starts on boot:

    Code Block
    systemctl enable nginx
  • Create a folder for the private key and limit access to it:

    Code Block
    sudo mkdir -p /etc/ssl/private/ && sudo chmod 700 /etc/ssl/private
  • Copy the following files to the server. If you copy and paste the content, ensure that you do not miss characters or insert unwanted characters.

    1. The .key file goes into the /etc/ssl/private/ directory.
    2. The .crt file and the CA bundle/intermediate certificate bundle go into the /etc/ssl/certs/ directory.

      Info

      NOTE: The delivery name and format of these files vary by provider. Verify with your provider's documentation if this is unclear.

    3. Your certificate and the intermediate/authority certificate must be combined into one file for nginx, with your certificate first and the intermediate bundle after it. For example:

      Code Block
      cat example_com.crt bundle.crt > ssl-bundle.crt
  • Update the permissions on these files. Modify the following filenames as necessary:

    Code Block
    sudo chmod 600 /etc/ssl/certs/ssl-bundle.crt
    sudo chmod 600 /etc/ssl/private/your-private-cert.key
  • Deploy the example SSL configuration file provided on the server as trifacta.conf, and remove the generic default configuration:

    Code Block
    cp /opt/trifacta/conf/ssl-nginx.conf.sample /etc/nginx/conf.d/trifacta.conf && \
    rm /etc/nginx/conf.d/default.conf
  • Edit the following file:

    Code Block
    /etc/nginx/conf.d/trifacta.conf
  • Make the following modifications:

    Directive            Description
    server_name          FQDN of the host, which must match the SSL certificate's Common Name (or one of its Subject Alternative Names).
    ssl_certificate      Path to the certificate bundle file that you created on the server. This value may not require modification.
    ssl_certificate_key  Path to the .key file on the server.

    Info

    NOTE: The sample below still permits SSLv3, TLSv1 and TLSv1.1 and the RC4 cipher, which are deprecated (SSLv3 by RFC 7568, RC4 by RFC 7465). Unless you must support legacy clients, restrict ssl_protocols to TLSv1.2 or later and remove RC4 from ssl_ciphers.

    Example file:

    Code Block
    server {
      listen          443 ssl;
      server_name     EXAMPLE.CUSTOMER.COM;
      # Don't limit the size of client uploads.
      client_max_body_size 0;
      access_log      /var/log/nginx/ssl-access.log;
      error_log       /var/log/nginx/ssl-error.log;
      # Certificate bundle (server certificate followed by the intermediate chain) and private key
      ssl_certificate      /etc/ssl/certs/trifacta-bundle.crt;
      ssl_certificate_key  /etc/ssl/private/EXAMPLE-NAME.key;
      ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers RC4:HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      keepalive_timeout    60;
      ssl_session_cache    shared:SSL:10m;
      ssl_session_timeout  10m;
      location / {
        # Forward to the internal application service
        proxy_pass  http://localhost:3005;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect     off;
      }
      proxy_connect_timeout       6000;
      proxy_send_timeout          6000;
      proxy_read_timeout          6000;
      send_timeout                6000;
    }
    # Redirect plain HTTP to HTTPS
    server {
      listen          80;
      return 301 https://$host$request_uri;
    }
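A reviewer's check for a proxy configuration of the kind shown above, written as an added Python example that is not part of the platform or of this documentation. It parses an nginx server block and flags the settings a practitioner would reject before enabling SSL: deprecated protocols, the RC4 cipher, a private key outside /etc/ssl/private, a placeholder server_name, and a missing HTTP-to-HTTPS redirect. The two embedded configurations are constructed for the example; the hostname and file names in them are placeholders.

```python
"""Lint the TLS-relevant directives of an nginx proxy server block.

Added example (not part of the product or its documentation). It checks
an nginx configuration like the sample above for the points a reviewer
looks at before turning SSL on: deprecated protocols, the RC4 cipher, a
private key stored outside /etc/ssl/private, a placeholder server_name,
and a missing HTTP-to-HTTPS redirect on port 80.
"""
import re

# SSLv3 is prohibited by RFC 7568; TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PRIVATE_KEY_DIR = "/etc/ssl/private/"
REDIRECT_CODES = {"301", "302", "307", "308"}


def parse_directives(config):
    """Return (server_index, directive, args) tuples, comments removed.

    A minimal tokenizer: statements end in ';', blocks open with '{'.
    Only `server { ... }` blocks are tracked; nested blocks such as
    `location` are attributed to the enclosing server.
    """
    text = re.sub(r"#.*", "", config)
    directives = []
    server_index = -1
    for stmt in re.finditer(r"([^;{}]*)([;{}])", text):
        body, terminator = stmt.group(1).split(), stmt.group(2)
        if terminator == "{":
            if body[:1] == ["server"]:
                server_index += 1
        elif terminator == ";" and body:
            directives.append((server_index, body[0], body[1:]))
    return directives


def _redirects_to_https(server):
    return any(
        len(args) == 2 and args[0] in REDIRECT_CODES and args[1].startswith("https://")
        for args in server.get("return", [])
    )


def lint_tls_config(config):
    """Return a list of findings; an empty list means every check passed."""
    servers = {}
    for idx, name, args in parse_directives(config):
        servers.setdefault(idx, {}).setdefault(name, []).append(args)
    findings = []

    for server in servers.values():
        for args in server.get("ssl_protocols", []):
            weak = sorted(DEPRECATED_PROTOCOLS & set(args))
            if weak:
                findings.append("ssl_protocols enables deprecated protocols: " + ", ".join(weak))
        for args in server.get("ssl_ciphers", []):
            suites = args[0].strip("'\"").upper().split(":")
            if "RC4" in suites:
                findings.append("ssl_ciphers includes RC4, prohibited by RFC 7465")
        for args in server.get("ssl_certificate_key", []):
            if not args[0].startswith(PRIVATE_KEY_DIR):
                findings.append(f"ssl_certificate_key {args[0]} is outside {PRIVATE_KEY_DIR}")
        for args in server.get("server_name", []):
            # An all-uppercase name or "_" is the untouched sample placeholder.
            if any(name == "_" or name.isupper() for name in args):
                findings.append("server_name still holds a placeholder: " + " ".join(args))

    plain = [s for s in servers.values()
             if any(a and a[0].rsplit(":", 1)[-1] == "80" for a in s.get("listen", []))]
    if not plain:
        findings.append("no server listens on port 80 to redirect plain HTTP to HTTPS")
    elif not any(_redirects_to_https(s) for s in plain):
        findings.append("the port 80 server does not return a redirect to https://")
    return findings


# Constructed sample: the weak settings of an unedited sample file.
WEAK_CONFIG = """
server {
  listen 443;
  ssl on;
  server_name EXAMPLE.CUSTOMER.COM;
  ssl_certificate      /etc/ssl/certs/trifacta-bundle.crt;
  ssl_certificate_key  /etc/ssl/certs/EXAMPLE-NAME.key;
  ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers          RC4:HIGH:!aNULL:!MD5;
  location / {
    proxy_pass http://localhost:3005;
  }
}
"""

# Constructed sample: the same block after hardening (hypothetical hostname and file names).
HARDENED_CONFIG = """
server {
  listen 443 ssl;
  server_name data.customer.example;   # hypothetical FQDN
  ssl_certificate      /etc/ssl/certs/ssl-bundle.crt;
  ssl_certificate_key  /etc/ssl/private/customer.key;
  ssl_protocols        TLSv1.2 TLSv1.3;
  ssl_ciphers          HIGH:!aNULL:!MD5:!RC4;
  ssl_prefer_server_ciphers on;
  location / {
    proxy_pass http://localhost:3005;
  }
}
server {
  listen 80;
  return 301 https://$host$request_uri;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {lint_tls_config(cfg) or ['ok']}")
```

Run it against /etc/nginx/conf.d/trifacta.conf after editing and before restarting nginx; an empty result means the file passed all five checks, while each finding names the directive to fix.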
  • To apply the new configuration, start or restart the nginx service:

    Code Block
    service nginx restart
  • Modify the listening port for the platform.

    If you have changed the listening port as part of the above configuration change, then the proxy.port setting in the platform configuration must be updated.

    Steps:

    1. Open the platform configuration for editing.
    2. Locate the following parameter:

      Code Block
      "proxy.port": 3005,
    3. Set the value to the port number that you configured in the nginx configuration file. Typically, this port number is 443.
    4. Save your changes and restart the platform. See Change Listening Port.

Add secure HTTP headers

If you have enabled SSL on the platform, you can optionally insert the following additional headers into all requests to the platform node:

Header                     Protocol        Required Parameters
X-XSS-Protection           HTTP and HTTPS  proxy.securityHeaders.enabled=true
X-Frame-Options            HTTP and HTTPS  proxy.securityHeaders.enabled=true
Strict-Transport-Security  HTTPS           proxy.securityHeaders.enabled=true and proxy.securityHeaders.httpsHeaders=true

Info

NOTE: SSL must be enabled to apply these security headers.

Steps:

To add these headers, apply the following change:

  1. Open the platform configuration for editing.
  2. Locate the following setting and change its value to true (proxy.securityHeaders.enabled must also be true, as listed in the table above):

    Code Block
    "proxy.securityHeaders.httpsHeaders": false,
  3. Save your changes and restart the platform. See Start and Stop the Platform.

Enable secure cookies

If you have enabled SSL on the platform, you can optionally enable the use of secure cookies, so that the browser sends the session cookie only over HTTPS.

Info

NOTE: SSL must be enabled to use secure cookies.

Steps:

  1. Open the platform configuration for editing.
  2. Locate the following setting and change its value to true:

    Code Block
    "webapp.session.cookieSecureFlag": false,
  3. Save your changes and restart the platform. See Start and Stop the Platform.