Myria REST server SSL support

Daniel Halperin edited this page Mar 2, 2015 · 3 revisions

Myria supports SSL for the REST server. The configuration is done via the sqlite3 master catalog.

  1. Create a Java keystore that contains the SSL public and private keys. I followed the instructions here: http://stackoverflow.com/a/17710626/1715495

    More detailed list of commands that I ran, and what they did:

  2. (Maybe optional) UW uses InCommon certificates. Many clients want to see the entire certificate chain, which necessitates combining the InCommon certificate itself with ours. First, I pulled the InCommon CA cert out of my local Keychain. In Keychain.app: login > certificate, grab InCommon CA > export items > InCommon.pem

1a: I used Qualys SSL Labs to verify that I had done this correctly. It took me a long time. https://www.ssllabs.com/ssltest/analyze.html?d=demo.myria.cs.washington.edu&latest

  1. Combine the InCommon cert with the host cert, for both the MyriaX REST server and the Google AppEngine demo server:

     ```sh
     cat InCommon\ Server\ CA.pem /Volumes/myria/rest.myria.cs.washington.edu.crt > both_rest_certs.pem
     cat InCommon\ Server\ CA.pem /Volumes/myria/demo.myria.cs.washington.edu.crt > both_demo_certs.pem  # for Google App Engine
     ```

  2. Use OpenSSL to put all the certs together into a keystore, including both public and private. Use a new, random password for this.

     ```sh
     openssl pkcs12 -export -name rest.myria.cs.washington.edu -in both_rest_certs.pem -inkey /Volumes/myria/rest.myria.cs.washington.edu.key -out keystore.p12
     ```

  3. Use the Java keytool to create a Java keystore. GIVE THE JAVA KEYSTORE THE SAME PASSWORD AS IN THE PREVIOUS STEP.

     ```sh
     keytool -importkeystore -destkeystore rest.myria.cs.washington.edu.jks -srckeystore keystore.p12 -srcstoretype pkcs12
     ```

  4. Move the Java keystore to the myria-production-files directory, and add the password to the master catalog as described below.


IT IS IMPORTANT THAT YOU USE THE SAME PASSWORD IN STEPS 3 AND 4

OTHERWISE YOU WILL GET SSL VALIDATION FAILURES



2. Set the [right values](https://github.com/uwescience/myria/blob/56de54ce9993bde0289fa2dee08ba9319ff15799/src/edu/washington/escience/myria/api/MyriaApiConstants.java#L21) in the master configuration:

   ```sql
   insert into configuration(key,value) VALUES ('myria.master_api_server.ssl.keystore_path', 'rest.myria.cs.washington.edu.jks');
   insert into configuration(key,value) VALUES ('myria.master_api_server.ssl.keystore_password', 'KEYSTORE_PASSWORD_GOES_HERE');
   ```

3. Make sure you put the keystore at the right path.

Whenever the configuration values in step 2 are set, Myria will enable SSL.
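
A check worth running between the OpenSSL and keytool steps, as an added example that is not part of the original wiki page: it confirms that the PKCS#12 bundle opens with the chosen password, holds the whole certificate chain, and that the private key belongs to the host certificate. The throwaway CA, the hostname `rest.example.test`, the file names and the password are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity-check keystore.p12 before keytool.
# Hostname, file names and password are constructed; keys come from a throwaway CA.

# Build a constructed CA + host cert and bundle them the way the steps above do.
make_demo_bundle() {  # usage: make_demo_bundle DIR PASSWORD
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rest.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/host.crt" 2>/dev/null
  cat "$d/ca.pem" "$d/host.crt" > "$d/both_certs.pem"
  # env: keeps the password out of the process argument list
  P12_PW=$2 openssl pkcs12 -export -name rest.example.test \
    -in "$d/both_certs.pem" -inkey "$d/host.key" \
    -out "$d/keystore.p12" -passout env:P12_PW
}

# Print how many certificates the bundle holds (host cert + each CA cert).
# Prints 0 when the password does not open the bundle.
p12_cert_count() {  # usage: p12_cert_count FILE PASSWORD
  P12_PW=$2 openssl pkcs12 -in "$1" -passin env:P12_PW -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if the bundle opens with PASSWORD and its private key
# belongs to the host (leaf) certificate. The key only travels through a pipe.
p12_key_matches() {  # usage: p12_key_matches FILE PASSWORD
  cert_pub=$(P12_PW=$2 openssl pkcs12 -in "$1" -passin env:P12_PW \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(P12_PW=$2 openssl pkcs12 -in "$1" -passin env:P12_PW \
    -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run on the constructed bundle.
tmp=$(mktemp -d)
make_demo_bundle "$tmp" 'constructed-demo-pass'
if p12_key_matches "$tmp/keystore.p12" 'constructed-demo-pass'; then
  echo "ok: $(p12_cert_count "$tmp/keystore.p12" 'constructed-demo-pass') certs, key matches"
fi
rm -rf "$tmp"
```

Run against a real bundle, the count should equal the number of certificates in the combined PEM file that was passed to `openssl pkcs12 -export`.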