Implementing a Secure Binary Interface
Follow these instructions to start an OmniSci server with an encrypted main port.

Required PKI Components

You need the following PKI (Public Key Infrastructure) components to implement a Secure Binary Interface.
    A CRT (short for certificate) file containing the server's PKI certificate. This file must be shared with the clients that connect using encrypted communications. Ideally, this file is signed by a recognized certificate authority.
    A key file containing the server's private key. Keep this file secret and secure.
    A Java TrustStore containing the server's PKI certificate. The password for the trust store is also required. Although in this instance the trust store contains only information that can be shared, the Java TrustStore program requires it to be password protected.
    A Java KeyStore and password.
In a distributed system, add the configuration parameters to the omnisci.conf file on the aggregator and all leaf nodes in your OmniSciDB cluster.

Demonstration Script to Create "Mock/Test" PKI Components

You can use OpenSSL utilities to create the various PKI elements. The server certificate in this instance is self-signed, and should not be used in a production system.
    1. Generate a new private key.
        openssl genrsa -out server.key 2048
    2. Use the private key to generate a certificate signing request.
        openssl req -new -key server.key -out server.csr
    3. Self-sign the certificate signing request to create a public certificate.
        openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    4. Use the Java keytool to create a key store from the public certificate. Because this store holds only the certificate, it serves as the Java TrustStore listed above.
        keytool -importcert -file server.crt -keystore server.jks
To generate a keystore file from your server key:
    1. Copy server.key to server.txt, then append server.crt to it.
        cp server.key server.txt
        cat server.crt >> server.txt
    2. Use server.txt to create a PKCS12 file.
        openssl pkcs12 -export -in server.txt -out server.p12
    3. Use server.p12 to create a keystore.
        keytool -importkeystore -v -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype pkcs12

Start the Server in Encrypted Mode with PKI Client Authentication

Start the server using the following options:
    --pki-db-client-auth true
    --ssl-cert
    --ssl-private-key
    --ssl-trust-store
    --ssl-trust-password
    --ssl-keystore
    --ssl-keystore-password
    --ssl-trust-ca
    --ssl-trust-ca-server

Example

    sudo start omnisci_server --port 6274 --data /data --pki-db-client-auth true \
    --ssl-cert /tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem \
    --ssl-private-key /tls_certs/self_signed_server.example.com_self_signed/private/self_signed_server.example.com_key.pem \
    --ssl-trust-store /tls_certs/self_signed_server.example.com_self_signed/trust_store_self_signed_server.example.com.jks \
    --ssl-trust-password truststore_password \
    --ssl-keystore /tls_certs/self_signed_server.example.com_self_signed/key_store_self_signed_server.example.com.jks \
    --ssl-keystore-password keystore_password \
    --ssl-trust-ca /tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem \
    --ssl-trust-ca-server /tls_certs/ca_primary/ca_primary_cert.pem

Configuring omnisci.conf for Encrypted Connection

Alternatively, you can add the following configuration parameters to omnisci.conf to establish a Secure Binary Interface. The following configuration flags implement the same encryption shown in the runtime example above:
    # Start pki authentication
    pki-db-client-auth = true
    ssl-cert = "/tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem"
    ssl-private-key = "/tls_certs/self_signed_server.example.com_self_signed/private/self_signed_server.example.com_key.pem"
    ssl-trust-store = "/tls_certs/self_signed_server.example.com_self_signed/trust_store_self_signed_server.example.com.jks"
    ssl-trust-password = "truststore_password"
    ssl-keystore = "/tls_certs/self_signed_server.example.com_self_signed/key_store_self_signed_server.example.com.jks"
    ssl-keystore-password = "keystore_password"
    ssl-trust-ca = "/tls_certs/self_signed_server.example.com_self_signed/self_signed_server.example.com.pem"
    ssl-trust-ca-server = "/tls_certs/ca_primary/ca_primary_cert.pem"
Passwords for the SSL truststore and keystore can be enclosed in single (') or double (") quotes.
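A pre-flight check for the omnisci.conf block above (and, by extension, the equivalent runtime flags), written here as an added example rather than OmniSci code: it parses the key = value lines, strips the single or double quotes the page allows around passwords, and reports any of the page's PKI keys that are missing, any referenced file that does not exist, and a private key readable by other users. The sample config, its paths and the helper names are constructed for the example.

```python
import os

# Keys the page's runtime example sets alongside pki-db-client-auth = true.
REQUIRED_WHEN_PKI = ("ssl-cert", "ssl-private-key", "ssl-trust-store", "ssl-trust-password",
                     "ssl-keystore", "ssl-keystore-password", "ssl-trust-ca", "ssl-trust-ca-server")
PATH_KEYS = tuple(k for k in REQUIRED_WHEN_PKI if not k.endswith("password"))

def parse_conf(text):
    """Return {key: value} for `key = value` lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        # The page allows single or double quotes around passwords; strip one matching pair.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key] = value
    return conf

def check_conf(conf):
    """Return a list of problems; an empty list means the PKI block looks consistent."""
    if conf.get("pki-db-client-auth", "false").lower() != "true":
        return ["pki-db-client-auth is not true; PKI client authentication is off"]
    problems = [f"{k} missing or empty" for k in REQUIRED_WHEN_PKI if not conf.get(k)]
    for k in PATH_KEYS:
        if conf.get(k) and not os.path.isfile(conf[k]):
            problems.append(f"{k} -> {conf[k]} does not exist")
    key_path = conf.get("ssl-private-key")
    if key_path and os.path.isfile(key_path):
        mode = os.stat(key_path).st_mode & 0o777
        if mode & 0o077:  # the page says to keep the key secret: no group/world access
            problems.append(f"ssl-private-key {key_path} is group/world accessible (mode {mode:04o})")
    return problems

# Constructed sample shaped like the page's block; placeholder paths, ssl-keystore-password omitted on purpose.
SAMPLE_CONF = """\
pki-db-client-auth = true
ssl-cert = "/tls_certs/example/server.pem"
ssl-private-key = "/tls_certs/example/private/server_key.pem"
ssl-trust-store = "/tls_certs/example/trust_store.jks"
ssl-trust-password = 'truststore_password'
ssl-keystore = "/tls_certs/example/key_store.jks"
ssl-trust-ca = "/tls_certs/example/server.pem"
ssl-trust-ca-server = "/tls_certs/ca_primary/ca_primary_cert.pem"
"""
```

Run it against a real file with `check_conf(parse_conf(open("/path/to/omnisci.conf").read()))`; on the sample it reports the omitted password and the placeholder paths that do not exist.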

Why Use Both server.crt and a Java TrustStore?

The server.crt file and the Java truststore contain the same public key information in different formats. The server requires both: it uses them to establish secure client communication over its various interfaces and to secure communication with its Calcite server. At startup, the Java truststore is passed to the Calcite server for authentication and to encrypt its traffic with the OmniSci server.