Pentaho Tools :

Pentaho C-Tools (CDE, CDF, CDA), Pentaho CE & EE Server, OLAP Cubes, Analysis using Pivot4J, Saiku Analytics, Saiku Reporting, Ad-hoc Reporting using Interactive Reporting Tool, Dashboards, Reports using PRD, PDD, Data Integration using Kettle ETL, Data Mining using WEKA, Integration of Servers with Databases, Mobile/iPad compatible Dashboards using Bootstrap CSS, Drilldown dashboards, Interactive Dashboards

Saturday, 30 May 2015

Self-Signed SSL/TLS Configuration HOW-TO with Pentaho CE 5.3 BA Server || change http://localhost:8080/pentaho TO https://localhost:8443/pentaho/Login

It's a weekend playing with the Pentaho CE 5.3 Business Analytics server. Yeah..!!! It is. I love playing with the Pentaho BI suite, though it is a small outcome or a bigger. I can't classify whether this post is a bigger or smaller one, but I just want to share how I did this and hope this will be helpful to someone, somewhere across the globe, who is looking for the same.

Special thanks to Madhava & Piyush Bhatt for making me explore this.


Technology : 
* Pentaho BA Server CE 5.3
* Tomcat-7
* Java 1.7 (Oracle Java)
* Operating System : Windows-7 Home Premium. 
* Web browsers used to test : Google Chrome & Internet Explorer 

Aim of the article : 
Install an SSL certificate on the Pentaho BA Server,
i.e., change http://localhost:8080/pentaho TO https://localhost:8443/pentaho

What is Secure Sockets Layer (SSL) ?
  • It is a technology which allows web browsers and web servers to communicate over a secured connection.
  • This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. 
  • This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.
  • Another important aspect of the SSL/TLS protocol is Authentication. 
  • This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a "Certificate", as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as "Client Authentication," although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.

Step by Step procedure :

1) Make sure Java 1.7 is installed on the machine and JAVA_HOME is set in the environment variables.

2) Also make sure the Pentaho BA server runs as a test drive before installing the SSL certificate.

3) There are two types of certificates we can install.
     a) Self-signed certificate (not trusted)
     b) Certificate from a certificate authority.

4) This procedure uses a self-signed certificate.

5) From a command prompt opened in Admin mode, navigate to the bin folder of the installed Java.
   Example : 
  C:\Program Files\Java\jdk1.7.0_79\bin

6) To create a new JKS keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
Example : 
  C:\Program Files\Java\jdk1.7.0_79\bin>keytool.exe -genkey -alias tomcat -keyalg RSA

7) The command will ask us to enter a password and a few other details. The default password we can use is "changeit", or the developer is free to choose any other password.
Example : changeit (Enter the password twice as it asks).


8) As shown in the command-line utility above, finish entering all the other details; the last password could be the same as the first password or it could differ.

9) As soon as the command returns to the prompt, it will have generated a file named ".keystore" in the user's home directory on the computer.
Example : 
Location of User : C:\Users\sadakar\ (file directory)
File Name to find : .keystore

Note that .keystore is the keystore file holding the self-signed certificate just generated.

10) Now, install the above certificate on the Pentaho Tomcat server, i.e., configure the certificate in the Tomcat server.xml file.

Location of server.xml file : 
E:\2_Archive_Installed\pentaho\biserver-ce-5.3.0.0-213\biserver-ce\tomcat\conf

Add the code below (a similar piece of code is already present in the file; un-comment it and add the new attributes to the tag).

The final code should look like the following.

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation ${user.home}/.keystore-->
    
    <Connector
               URIEncoding="UTF-8"
               port="8443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="200"
               scheme="https"
               secure="true"
               keystoreFile="C:\Users\sadakar.p\.keystore"
               keystorePass="changeit"
               clientAuth="false"
               sslProtocol="TLS" />



NOTE : 
The path to the .keystore file is hard-coded; we can replace it with ${user.home}/.keystore

11) Start the pentaho BA server 
(E:\2_Archive_Installed\pentaho\biserver-ce-5.3.0.0-213\biserver-ce\start-pentaho.bat)

12) Go to any web browser and type this URL : https://localhost:8443

Sample pentaho login screen with self-signed certificate installed 

(Google Chrome)


14) Internet Explorer output


15) Sample pentaho login screen without certificate installed
(Google Chrome)



IMP NOTE :
This is not a production-related document but a development experiment.
* JKS - Java KeyStore - A repository of security certificates.
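
An added example, not part of the original post: a small Python check that reads a server.xml and flags the development-only choices in the Connector from step 10. The function name, the finding texts and the XML wrapper around the Connector are assumptions made for illustration; keyPass and sslEnabledProtocols are attributes from the Tomcat 7 HTTP connector documentation, not from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the Connector from step 10 in a minimal server.xml.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1"
             SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
             keystoreFile="C:\Users\sadakar.p\.keystore" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""


def audit_ssl_connectors(server_xml_text):
    """Return (port, finding) tuples for each SSLEnabled Connector (hypothetical helper)."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope here
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append((port, "scheme/secure do not mark requests as HTTPS"))
        # Tomcat falls back to "changeit" when keystorePass is absent.
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append((port, "keystore protected by the default password"))
        # An absolute path ties the config to one user profile; ${user.home} does not.
        keystore = conn.get("keystoreFile", "${user.home}/.keystore")
        if re.match(r"^([A-Za-z]:[\\/]|/)", keystore):
            findings.append((port, "keystoreFile is a hard-coded absolute path"))
        # Without keyPass, Tomcat unlocks the private key with keystorePass.
        if conn.get("keyPass") is None:
            findings.append((port, "no keyPass: key password must equal keystorePass"))
        # Without an explicit list, the JVM defaults decide the protocol versions.
        if not conn.get("sslEnabledProtocols"):
            findings.append((port, "sslEnabledProtocols not set"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print("Connector %s: %s" % (port, finding))
```

The keyPass finding matters for step 8: if the key password entered last differs from the keystore password, the Connector needs a keyPass attribute carrying it.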


- Sadakar Pochampalli