
Outdated release! Latest docs are Release 8.2: Install SSL Certificate

   



After you have installed and configured the Trifacta® platform and verified operations, you may optionally choose to generate and install an SSL certificate for use in secure connections to the web application of the platform.

Pre-requisites

  1. You must generate a valid SSL certificate for the Trifacta platform. The certificate must match the domain where the Trifacta node is installed.
  2. You must have root access to the Trifacta node.
  3. Validate that the Trifacta platform is running correctly.

Configure nginx

To enable SSL connections, you must make changes to the configuration for Nginx, a proxy server packaged with the platform. You must apply changes to the Trifacta configuration to reference the generated SSL certificate.  

  1. You must generate a valid SSL certificate for the Trifacta platform. The certificate must match the domain where the Trifacta node is installed. 

    1. The SSL certificate and the private key must be installed on the node in an accessible location.
    2. The steps to do so exceed the scope of this document.
  2. Log in to the Trifacta platform as the root user.
     

  3. An example SSL configuration file is located in the Trifacta deployment:

    /opt/trifacta/conf/ssl-nginx.conf.sample

     

  4. Create a copy of the above file, and rename it to trifacta.conf:

    server {
      listen          443;
      ssl             on;
      server_name     *.cloud.trifacta.com;
      # Don't limit the size of client uploads.
      client_max_body_size 0;
      access_log      /var/log/nginx/ssl-access.log;
      error_log       /var/log/nginx/ssl-error.log;
      ssl_certificate      /usr/share/nginx/ssl/trifacta.cer;
      ssl_certificate_key  /usr/share/nginx/ssl/trifacta.key;
      # SSLv3, TLSv1 and TLSv1.1 are deprecated; offer TLS 1.2 only.
      ssl_protocols        TLSv1.2;
      # RC4 is broken and is not offered.
      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      keepalive_timeout    60;
      ssl_session_cache    shared:SSL:10m;
      ssl_session_timeout  10m;
      location / {
        proxy_pass  http://localhost:3005;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect     off;
      }
      proxy_connect_timeout       6000;
      proxy_send_timeout          6000;
      proxy_read_timeout          6000;
      send_timeout                6000;
    }
    server {
      listen          80;
      return 301 https://$host$request_uri;
    }
  5. Remove the generic default.conf from /etc/nginx/conf.d, and copy the sample that you modified above into /etc/nginx/conf.d:

    cd /etc/nginx/conf.d
    rm /etc/nginx/conf.d/default.conf
    cp ~/trifacta.conf /etc/nginx/conf.d/

     

    Tip: You can also use vi to create a trifacta.conf. Copy the above content into the file using the following command:

    vi /etc/nginx/conf.d/trifacta.conf
  6. Modify the server_name value to match the domain name created for the SSL certificate:

    server {
      listen          443;
      ssl             on;
      server_name     *.customer.com;
    ...

     

  7. Modify the ssl_certificate and ssl_certificate_key values to point to the certificate and private key installed on the Trifacta node:

    ...
      ssl_certificate      /usr/share/nginx/ssl/customerSSL.cer;
      ssl_certificate_key  /usr/share/nginx/ssl/customerSSL.key;
    ...

     

  8. Save the file. Then, set the proper read permission for all necessary files. For example:

    chmod 644 /etc/nginx/conf.d/trifacta.conf
    chmod 644 /usr/share/nginx/ssl/customerSSL.cer
    # Keep the private key readable only by its owner (root).
    chmod 600 /usr/share/nginx/ssl/customerSSL.key

     

  9. Restart the nginx service to pick up the new configuration:

    service nginx restart
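
A check to run before the restart, covering the settings edited in steps 4 through 8. This is an added example, not part of the Trifacta documentation or product: it flags deprecated protocol versions, RC4 in the cipher string, and a private key readable by users other than its owner. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Trifacta code. Function names are hypothetical.

# Value of a single-line nginx directive ($1) in file ($2), without the ';'.
nginx_directive() {
  sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*/\1/p" "$2"
}

# Print one finding per line; return non-zero if anything was flagged.
audit_nginx_tls() {
  conf=$1
  findings=0
  for p in $(nginx_directive ssl_protocols "$conf"); do
    case $p in
      SSLv2|SSLv3|TLSv1|TLSv1.1)   # deprecated protocol versions
        echo "weak protocol: $p"; findings=$((findings + 1)) ;;
    esac
  done
  old_ifs=$IFS; IFS=:
  for c in $(nginx_directive ssl_ciphers "$conf"); do
    case $c in
      RC4*|+RC4*)                  # RC4 enabled; "!RC4" would be an exclusion
        echo "weak cipher: $c"; findings=$((findings + 1)) ;;
    esac
  done
  IFS=$old_ifs
  key=$(nginx_directive ssl_certificate_key "$conf")
  if [ -f "$key" ]; then
    case $(ls -ld "$key") in
      ????r*|???????r*)            # group- or world-readable private key
        echo "key readable by non-owner: $key"; findings=$((findings + 1)) ;;
    esac
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample with weak settings and a dummy (empty) key file.
demo_dir=$(mktemp -d)
: > "$demo_dir/demo.key"; chmod 644 "$demo_dir/demo.key"
cat > "$demo_dir/trifacta.conf" <<EOF
server {
  ssl_certificate_key  $demo_dir/demo.key;
  ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
EOF
audit_nginx_tls "$demo_dir/trifacta.conf" || echo "fix the findings above"
```

On the node, pass `/etc/nginx/conf.d/trifacta.conf` to `audit_nginx_tls`, then run `nginx -t` to validate the syntax before restarting.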

     

Add secure HTTP headers

If you have enabled SSL on the platform, you can optionally insert the following additional headers to all requests to the Trifacta node:

Header                    | Protocol       | Required Parameters
X-XSS-Protection          | HTTP and HTTPS | proxy.securityHeaders.enabled=true
X-Frame-Options           | HTTP and HTTPS | proxy.securityHeaders.enabled=true
Strict-Transport-Security | HTTPS          | proxy.securityHeaders.enabled=true and proxy.securityHeaders.httpsHeaders=true

NOTE: SSL must be enabled to apply these security headers.

Steps:

To add these headers to all requests, please apply the following change:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
  2. Locate the following setting and change its value to true:

    "proxy.securityHeaders.httpsHeaders": false,
  3. Save the file. Restart the platform. See Start and Stop the Platform.

Enable secure cookies

If you have enabled SSL on the platform, you can optionally enable the use of secure cookies.

NOTE: SSL must be enabled to apply these security headers.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
  2. Locate the following setting and change its value to true:

    "webapp.session.cookieSecureFlag": false,
  3. Save the file. Restart the platform. See Start and Stop the Platform.
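
To confirm that the settings from "Add secure HTTP headers" and "Enable secure cookies" took effect after the restart, the response headers can be checked as below. This is an added example, not Trifacta code: `check_response_headers` is a hypothetical helper, and the sample response, its header values and the cookie name `sid` are constructed.

```shell
#!/bin/sh
# Added example, not Trifacta code. check_response_headers is a hypothetical helper.
# Reads raw HTTP response headers on stdin, e.g. from: curl -sI https://<your-node>/
# Prints one line per problem; returns non-zero if any problem was found.
check_response_headers() {
  awk '
    { sub(/\r$/, "") }                 # strip CR from CRLF line endings
    {
      name = tolower($0); sub(/:.*/, "", name)
      seen[name] = 1
      if (name == "set-cookie") {
        # Secure is a bare attribute between semicolons, case-insensitive.
        if (tolower($0) !~ /;[ \t]*secure[ \t]*(;|$)/) {
          print "cookie without Secure: " $0; bad++
        }
      }
    }
    END {
      n = split("x-xss-protection x-frame-options strict-transport-security", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { print "missing header: " want[i]; bad++ }
      exit (bad > 0)
    }'
}

# Constructed sample: a response as it might look with
# proxy.securityHeaders.enabled=true but the HTTPS header and the
# secure cookie flag still set to false.
sample_response() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'X-XSS-Protection: 1; mode=block\r\n'
  printf 'X-Frame-Options: SAMEORIGIN\r\n'
  printf 'Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n'
}

sample_response | check_response_headers || echo "settings not fully applied"
```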
