Secure Setup with HTTPD and LDAP

Kinetica uses a packaged Apache HTTPD proxy solution, which should be managed via Kinetica. Kinetica uses its core configuration values to generate the Apache proxy settings and starts the HTTPD service as part of the Kinetica stack. LDAP setup documentation is provided below for the following external authentication providers: OpenLDAP and Microsoft Active Directory.

The diagram below outlines how the secure setup works: red arrows are SSL/HTTPS connections, gray arrows are unsecured HTTP connections, and blue arrows may be either secured or unsecured depending on your LDAP setup.

Figure: HTTPD Secure Setup

Enabling HTTPD, SSL, and LDAP

Kinetica can be configured to communicate with an LDAP server, such as OpenLDAP or Active Directory, but Kinetica itself must first be configured to talk to LDAP. Before making edits to any configuration files:

  1. Ensure the LDAP instance is running and properly configured

  2. Ensure GAdmin and Reveal (if enabled) have been initialized per the instructions found in Validating a Kinetica Install

  3. Create a user in GAdmin using the External user conventions for each user in LDAP and ensure that the user is a member of the proper roles. See Security Concepts and Managing Users and Roles for more information

  4. Ensure a valid SSL key and certificate have been created

  5. Import the SSL certificate into a Java truststore using the following command:

    keytool -import -trustcacerts -file <path/to/cert/file> -alias cert_alias -keystore <desired/path/for/keystore.jks>
    

Important

After you've set up the files below, don't forget to update your firewall settings to allow HTTPD traffic through and to close all other incoming ports. For RHEL OSs, see Adjust the Firewall (RHEL) for more information; for Debian OSs, see Adjust the Firewall.

Database Configuration

You can read more about the individual settings in the database configuration reference.

  1. Navigate to /opt/gpudb/core/etc/gpudb.conf and update the following setting to remove the default value (*), leaving it empty

    http_allow_origin =
    
  2. Update the following setting to true

    enable_httpd_proxy = true
    
  3. Update the following settings as necessary. Both settings are optional, but at least one of require_authentication or enable_authorization must be enabled for the deployment to be secure. If enable_authorization is set to false, every user who logs in receives admin-level permissions. If require_authentication is set to false (and enable_authorization is set to true), anyone who connects without login credentials is granted the permissions of the public role. To read more about the default users and roles, see Security Concepts

    # Require authentication.
    require_authentication = true
    
    # Enable authorization checks.
    enable_authorization = true
    
  4. Update head_ip_address as necessary
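To make the authentication/authorization combinations described in step 3 concrete, here is an added example (not Kinetica code) that parses the three gpudb.conf settings this section changes and reports the access model they produce. The sample configuration is constructed; the "denied" outcome for an unauthenticated connection when require_authentication is true is an assumption of this example.

```python
# Added example (not Kinetica code): audit the gpudb.conf settings above.

# Constructed sample in gpudb.conf's "key = value" style; it still carries
# the default wildcard origin that step 1 says to remove.
SAMPLE_CONF = """\
http_allow_origin = *
enable_httpd_proxy = true
# Require authentication.
require_authentication = false
# Enable authorization checks.
enable_authorization = true
"""

def parse_conf(text):
    """Return {key: value} for 'key = value' lines; comments/blanks ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def as_bool(value):
    return value.strip().lower() == "true"

def effective_access(require_auth, enable_authz, has_credentials):
    """Permissions a connection ends up with, per the combinations in step 3."""
    if not enable_authz:
        return "admin"            # authorization off: every login is admin-level
    if not has_credentials:
        return "denied" if require_auth else "public"  # anonymous -> public role
    return "assigned-roles"       # authenticated user limited to its roles

def audit(text):
    """Flag settings that contradict the procedure and summarise the outcome."""
    s = parse_conf(text)
    findings = []
    if s.get("http_allow_origin", "") == "*":
        findings.append("http_allow_origin still allows any origin (*)")
    if not as_bool(s.get("enable_httpd_proxy", "false")):
        findings.append("enable_httpd_proxy is not true")
    ra = as_bool(s.get("require_authentication", "false"))
    ea = as_bool(s.get("enable_authorization", "false"))
    if not (ra or ea):
        findings.append("neither require_authentication nor enable_authorization is on")
    return {"anonymous": effective_access(ra, ea, False),
            "logged_in": effective_access(ra, ea, True),
            "findings": findings}
```

Running audit(SAMPLE_CONF) reports the leftover wildcard origin and shows that anonymous connections land in the public role while logged-in users are limited to their assigned roles.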

ODBC Configuration Files

  1. Navigate to /opt/gpudb/connectors/odbcserver/client/etc/odbc.ini and update the following setting

    UseSsl=1
    
  2. Navigate to /opt/gpudb/connectors/odbcserver/bin/GISFederal.GPUdbODBC.ini and update the following settings, ensuring you replace the SslCertfile and SslKeyFile setting values with the proper file paths

    UseSsl=1
    SslCertfile=<path/to/cert/file>
    SslKeyFile=<path/to/key/file>
    

HTTPD "NoAuth" Configuration

Note

The TLS version shown in the SSLProtocol lines of the HTTPD "NoAuth" and "Data" Configuration sections below (TLSv1.1) depends on the version of OpenSSL installed on the system. Customize it as necessary.

  1. Navigate to /opt/gpudb/httpd/conf/noauth.conf and uncomment the following settings, ensuring you replace the SSLCertificateFile and SSLCertificateKeyFile setting values with the proper file paths. Also note the updated SSLCipherSuite setting, which should be customized to work best with your environment; read the Apache HTTPD SSL Docs for more information

    SSLEngine On
    SSLProtocol -all +TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile </path/to/cert>
    SSLCertificateKeyFile </path/to/key>
    SSLProxyEngine On
    RequestHeader set X-Forwarded-Proto "https"
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    

HTTPD "Data" Configuration

  1. Navigate to /opt/gpudb/httpd/conf/data.conf and uncomment the following settings, ensuring you replace the SSLCertificateFile and SSLCertificateKeyFile setting values with the proper file paths. Also note the updated SSLCipherSuite setting, which should be customized to work best with your environment; read the Apache HTTPD SSL Docs for more information

    SSLEngine On
    SSLProtocol -all +TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile </path/to/cert>
    SSLCertificateKeyFile </path/to/key>
    SSLProxyEngine On
    RequestHeader set X-Forwarded-Proto "https"
    
  2. Beneath the completed SSL section, add the following:

    Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header set Access-Control-Max-Age "1000"
    Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    
  3. Restart Kinetica with service gpudb restart

Kinetica Components Configuration

After enabling LDAP and HTTPD, you'll need to reroute all Kinetica components to use the new HTTPD port (8082). Follow the sections below to update each component included with Kinetica.

GAdmin

  1. Navigate to the /opt/gpudb/tomcat/webapps/gadmin/WEB-INF/classes/gaia.properties file and update the following setting, ensuring the host is correct for your setup

    gpudb_ext_url = https://localhost:8082/gpudb-0
    
  2. Navigate to the /opt/gpudb/tomcat/conf/catalina.properties file and add the following settings to the bottom of the file, ensuring you replace the trustStore setting value with the proper file path and the trustStorePassword setting with the correct password

    javax.net.ssl.trustStore=</path/to/keystore>
    javax.net.ssl.trustStorePassword=<your-keystore-password>
    

Important

Adding the keystore settings to catalina.properties prevents these security settings from being overwritten during a Kinetica upgrade

ODBC

  • Navigate to /opt/gpudb/connectors/odbcserver/bin/GISFederal.GPUdbODBC.ini and update the URL setting to use https and port 8082. Ensure the host is correct for your setup

    URL=https://localhost:8082
    

Reveal

Note

The AUTH_USER_REGISTRATION_ROLE setting in the config.py file can correspond to any role as long as the role is available in Reveal.

  1. Navigate to /opt/gpudb/connectors/caravel/etc/config.py and confirm that the following setting is set to True.

    ENABLE_PROXY_FIX = True
    
  2. Update the following setting to True.

    ENABLE_DB_AUTH = True
    
  3. Uncomment the following settings.

    # Will allow user self registration
    AUTH_USER_REGISTRATION = True
    
    # The default user self registration role
    AUTH_USER_REGISTRATION_ROLE = "Dashboard"
    
  4. Navigate to /opt/gpudb/connectors/caravel/etc/default.json and update the following settings, ensuring the hosts are correct for your setup.

    "api": {
      "url": "https://localhost:8082/gpudb"
    },
    "wms": {
      "url": "https://localhost:8082/gpudb/wms"
    },
    "gadmin": {
      "url": "https://localhost:8443/gadmin"
    },
    ...
    
  5. Enable authentication and user auto creation.

    "auth": {
      "enable": true,
      "autocreateuser": true,
      ...
    }
    

Note

You may need to restart Reveal after making the above changes. Run /opt/gpudb/core/bin/gpudb caravel-restart

LDAP

The following instructions will help you set up Kinetica and HTTPD to work with LDAP, e.g., OpenLDAP.

Note

Kinetica comes packaged with an instance of OpenLDAP. Read more about how to use it here.

HTTPD "Data" Configuration

  • Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following settings, and update them as necessary. Read more about the HTTPD LDAP settings here.

    RewriteEngine On
    RewriteLog "logs/rewrite_log"
    RewriteLogLevel 0
    
    ...
    
    AuthName "Kinetica Authentication"
    
    ## LDAP server URL and full LDAP path to users directory
    AuthLDAPUrl ldap://127.0.0.1:9009/dc=gpudb,dc=com?uid?sub
    ## Valid LDAP user to use for search during bind
    AuthLDAPBindDN cn=admin,dc=gpudb,dc=com
    ## Password of user for search during bind
    AuthLDAPBindPassword admin
    
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    
    <LimitExcept OPTIONS>
    Require valid-user
    </LimitExcept>
    
    ## Set the httpd REMOTE_USER environment variable to the LDAP value.
    AUTHLDAPRemoteUserAttribute uid
    
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
    

Microsoft Active Directory

The following instructions will help you set up Kinetica and HTTPD to work with Active Directory.

HTTPD "Data" Configuration

  • Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following settings, and update them as necessary, ensuring you replace any instances of uid with samaccountname. Read more about the HTTPD LDAP settings here.

    RewriteEngine On
    RewriteLog "logs/rewrite_log"
    RewriteLogLevel 0
    
    ...
    
    AuthName "Kinetica Authentication"
    
    ## LDAP server URL and full LDAP path to users directory
    AuthLDAPUrl ldap://127.0.0.1:9009/dc=gpudb,dc=com?samaccountname?sub
    ## Valid LDAP user to use for search during bind
    AuthLDAPBindDN cn=admin,dc=gpudb,dc=com
    ## Password of user for search during bind
    AuthLDAPBindPassword admin
    
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    
    <LimitExcept OPTIONS>
    Require valid-user
    </LimitExcept>
    
    ## Set the httpd REMOTE_USER environment variable to the LDAP value.
    AUTHLDAPRemoteUserAttribute samaccountname
    
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
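The AuthLDAPUrl line in both the OpenLDAP and the Active Directory configurations above follows the LDAP URL layout scheme://host:port/base-dn?attribute?scope?filter. The following added example (not Kinetica or Apache code) parses such a URL, applies mod_authnz_ldap's defaults for omitted parts, and builds the search filter the module issues for a login name, which shows why the attribute must be uid for OpenLDAP and samaccountname for Active Directory. The escaping of filter metacharacters and the sample Active Directory URL are assumptions of this example.

```python
# Added example (not Kinetica or Apache code): parse AuthLDAPUrl values.
from urllib.parse import urlsplit, unquote

def parse_auth_ldap_url(url):
    """Split scheme://host:port/base-dn?attribute?scope?filter into parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    # LDAP URLs separate attribute, scope and filter with '?', not '&'.
    extras = parts.query.split("?") if parts.query else []
    extras += [""] * (3 - len(extras))
    attribute, scope, flt = extras[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",      # mod_authnz_ldap default
        "scope": scope or "sub",              # mod_authnz_ldap default
        "filter": flt or "(objectClass=*)",   # mod_authnz_ldap default
        # ldap:// carries the bind DN's password in clear; fine only on a
        # loopback or otherwise protected link (the blue arrows in the diagram).
        "plaintext": parts.scheme == "ldap",
    }

def search_filter(parsed, login):
    """Filter mod_authnz_ldap sends: (&(filter)(attribute=login)).

    Metacharacters in the login are escaped RFC 4515 style (assumed here)
    so a user name cannot change the structure of the filter.
    """
    safe = "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in login)
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"], safe)

if __name__ == "__main__":
    # The OpenLDAP URL from data.conf above and a constructed AD variant.
    for url in ("ldap://127.0.0.1:9009/dc=gpudb,dc=com?uid?sub",
                "ldaps://ad.example.test/dc=gpudb,dc=com?samaccountname?sub"):
        p = parse_auth_ldap_url(url)
        print(p["attribute"], p["port"], search_filter(p, "alice"))
```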