- HTTPD — Hides internal ports
- HTTPD with SSL — Hides internal ports and secures connections
- HTTPD with External Authentication — Hides internal ports and enables & configures external authentication
- HTTPD with SSL and External Authentication — Hides internal ports, secures connections, and enables & configures external authentication
The sections below describe how to manually configure the database for a
secure setup. To enable HTTPD, SSL, and/or External Authentication
automatically, see KAgent.
Prerequisites
Before configuring your Kinetica cluster using the sections below, the following requirements should be met:- If using an external authentication system, ensure it is running
- Ensure GAdmin has been initialized per the instructions found in Validate Kinetica and the default username and password have been updated
-
Stop host manager using:
-
Update your firewall settings to allow HTTPD passthrough (i.e.
8082,8443,8444,8445) and to disable inbound connections to all other ports. See Adjusting the Firewall for more information -
Update the database configuration file
(/opt/gpudb/core/etc/gpudb.conf) for the following:
-
Update the following settings, using the
table below as a guide:
-
Optionally, update the
http_allow_originsetting. The default value for this setting (*) allows access from all domains. This setting controls which domains outside of your Kinetica cluster that can access the database, e.g., if you only wanted to allow access to the database fromhttp://myapp.com, update the setting tohttp_allow_origin = http://myapp.com(comma-separated for multiple domains)
-
Update the following settings, using the
table below as a guide:
Authentication/Authorization Scenarios
HTTPD
This section outlines how to configure the database to use the packaged Apache HTTPD proxy solution.Database Configuration
In /opt/gpudb/core/etc/gpudb.conf:-
Update the following setting to
trueto enable an HTTPD proxy:
Verification
-
Restart host manager and the database using:
-
Run a Host Manager status check:
-
Verify the output shows HTTPD is running:
-
Ensure HTTPD is working:
-
Ensure Kinetica is running properly:
HTTPD + SSL
This section outlines how to configure the database to use the packaged Apache HTTPD proxy solution with SSL.General Configuration
- Ensure a valid SSL key and certificate have been created. It is recommended you create them in /opt/gpudb/certs
-
Ensure the SSL certificate has been added to OpenSSL’s trust store:
-
Import an SSL certificate into a Java truststore using the following
command:
Database Configuration
In /opt/gpudb/core/etc/gpudb.conf:-
Update the following setting to
trueto enable an HTTPD proxy: -
Update the following setting to
trueto force HTTPD to use HTTPS:
HTTPD “Data” Configuration
-
Navigate to /opt/gpudb/httpd/conf/data.conf and uncomment the
following settings, ensuring you replace the SSLCertificateFile
and SSLCertificateKeyFile setting values with the proper file
paths. Read the Apache HTTPD
SSL Docs for more
information
The following settings are optional but provide greater security.
Depending on what version of OpenSSL is installed on the
system, the
TLS version should be updated. Note that
TLS version 1.1 is being retired after the first part of 2020.
The SSLCipherSuite setting can also be upgraded, e.g.,
SSLCipherSuite HIGH:!aNULL:!MD5:HTTPD “NoAuth” Configuration
-
Navigate to /opt/gpudb/httpd/conf/noauth.conf and uncomment the
following settings, ensuring you replace the SSLCertificateFile
and SSLCertificateKeyFile setting values with the proper file
paths. Read the Apache HTTPD
SSL Docs for more
information
The following settings are optional but provide greater security.
Depending on what version of OpenSSL is installed on the
system, the
TLS version should be updated. Note that
TLS version 1.1 is being retired after the first part of 2020.
The SSLCipherSuite setting can also be upgraded, e.g.,
SSLCipherSuite HIGH:!aNULL:!MD5:Kinetica Components Configuration
Reveal
-
Navigate to /opt/gpudb/connectors/reveal/etc/default.json and
update the
urlsetting:
GAdmin
-
Navigate to the /opt/gpudb/tomcat/webapps/gadmin/js/settings.js file
and update the
REVEAL_PORTvariable to the secured Reveal port (default 8444): -
Navigate to the
/opt/gpudb/tomcat/webapps/gadmin/WEB-INF/classes/gaia.properties file
and update the following settings to
https, ensuring the host is correct for your setup -
In the /opt/gpudb/tomcat/conf/catalina.properties file at the bottom:
-
Add the
trustStoresetting value with the proper file path to the keystore: -
Add the trust store password to the file using one of the following
methods:
-
Add the following setting with the plain-text password for an
unencrypted password:
-
Encrypt the password using the
/opt/gpudb/core/bin/gpudb_encrypt.shutility (see Obfuscating Plain-Text Passwords for details), then provide the following setting with the encrypted password value and the file path to thegpudb_decrypt.shscript (located in/opt/gpudb/core/bin/by default):
-
Add the following setting with the plain-text password for an
unencrypted password:
-
Add the
A keystore being added to catalina.properties will
prevent security settings from being overwritten during a
Kinetica upgrade
Verification
-
Restart host manager and the database using:
-
Run a Host Manager status check:
-
Verify the output shows HTTPD is running:
-
Ensure Kinetica is running properly:
-
Verify the output shows Kinetica is running:
-
Login to GAdmin at
https://<hostname>:8443 -
Login to Reveal at
https://<hostname>:8444 -
Login to Workbench at
https://<hostname>:8445
HTTPD + External Authentication
This section outlines how to configure the database to use an external authentication source with the packaged Apache HTTPD proxy solution.Database Configuration
In /opt/gpudb/core/etc/gpudb.conf:-
Update the following setting to
trueto enable an HTTPD proxy: -
Update the following settings to
true:
External Authentication Configuration
External authentication data store integration with Kinetica is accomplished through an Apache HTTPD proxy. This proxy comes packaged with Kinetica and can be found in /opt/gpudb/httpd. Since this portion is controlled by Apache HTTP not Kinetica, see the Apache documentation for further details. External authentication can be configured for Kinetica with or without SSL. Kinetica currently supports the following external authentication sources:See Obfuscating Plain-Text Passwords
for an example of obfuscating the plain-text LDAP/AD password in the HTTPD
configuration file.
For testing purposes, Kinetica is packaged with an OpenLDAP server daemon
(Only run /opt/gpudb/httpd/openldap/openldap-init.sh the
first time the included OpenLDAP instance is started.
slapd) that already includes several sample users. It can be started
& initialized manually, using the commands:LDAP
-
Before making configuration changes, ensure host manager is stopped:
-
Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following
settings, and update them as necessary. Read more about the HTTPD LDAP
settings in the Apache HTTPD LDAP documentation:
If you have groups you want to map to Kinetica roles, edit the
LimitExcepttag, noted above. -
After making configuration changes, start the database:
Microsoft Active Directory
-
Before making configuration changes, ensure host manager is stopped:
-
Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following
settings, and update them as necessary, ensuring you replace any instances of
uidwithsamaccountname:If you have groups you want to map to Kinetica roles, edit theLimitExcepttag, noted above. -
After making configuration changes, start the database:
Kerberos
-
Before making configuration changes, ensure host manager is stopped:
-
Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following
settings, and update them as necessary:
-
Add the following settings below the settings you just uncommented, ensuring
you replace the Kerberos realm and service name as well as the path to the
keytab file with the appropriate values:
-
Navigate to /opt/gpudb/httpd/conf/httpd.conf and add the following
line to the end of the file:
-
After making configuration changes, start the database:
User Management
Once Kinetica is connected to an external authentication source, the external users can be used for all Kinetica administration. First, a user with administrative permissions that can be tied to an external user will need to be created within Kinetica:- Log into Kinetica Administration Application (GAdmin) with an internal Kinetica administration account
- From the Security menu, select Users
- Click the New button
- For Authentication, select External
- Enter an external user’s username, preceded by
@. This marks the user as an externally authenticated user - For System Level Permission, select System Admin
Although external users are created with the username
@<username>,
they will log in with their regular username, without the @.Verification
-
Restart host manager and the database using:
-
Run a Host Manager status check:
-
Verify the output shows HTTPD is running:
-
Ensure HTTPD is working:
-
Ensure Kinetica is running properly:
-
Verify both internal and external users can login to
GAdmin at
http://<hostname>:8080 -
Verify both internal and external users can login to
Reveal at
http://<hostname>:8088 -
Verify both internal and external users can login to
Workbench at
http://<hostname>:8000
HTTPD + SSL + External Authentication
This section outlines how to configure the database to use an external authentication source with the packaged Apache HTTPD proxy solution and SSL.Database Configuration
In /opt/gpudb/core/etc/gpudb.conf:-
Update the following setting to
trueto enable an HTTPD proxy: -
Update the following setting to
true: -
Update the following settings to
true:
HTTPD “Data” Configuration
-
Navigate to /opt/gpudb/httpd/conf/data.conf and uncomment the
following settings, ensuring you replace the SSLCertificateFile
and SSLCertificateKeyFile setting values with the proper file
paths. Read the Apache HTTPD
SSL Docs for more
information
The following settings are optional but provide greater security.
Depending on what version of OpenSSL is installed on the
system, the
TLS version should be updated. Note that
TLS version 1.1 is being retired after the first part of 2020.
The SSLCipherSuite setting can also be upgraded, e.g.,
SSLCipherSuite HIGH:!aNULL:!MD5:HTTPD “NoAuth” Configuration
-
Navigate to /opt/gpudb/httpd/conf/noauth.conf and uncomment the
following settings, ensuring you replace the SSLCertificateFile
and SSLCertificateKeyFile setting values with the proper file
paths. Read the Apache HTTPD
SSL Docs for more
information
The following settings are optional but provide greater security.
Depending on what version of OpenSSL is installed on the
system, the
TLS version should be updated. Note that
TLS version 1.1 is being retired after the first part of 2020.
The SSLCipherSuite setting can also be upgraded, e.g.,
SSLCipherSuite HIGH:!aNULL:!MD5:Kinetica Components Configuration
Reveal
-
Navigate to /opt/gpudb/connectors/reveal/etc/default.json and
update the
urlsetting:
GAdmin
-
Navigate to the /opt/gpudb/tomcat/webapps/gadmin/js/settings.js file
and update the
REVEAL_PORTvariable to the secured Reveal port (default 8444): -
Navigate to the
/opt/gpudb/tomcat/webapps/gadmin/WEB-INF/classes/gaia.properties file
and update the following settings to
https, ensuring the host is correct for your setup -
In the /opt/gpudb/tomcat/conf/catalina.properties file at the bottom:
-
Add the
trustStoresetting value with the proper file path to the keystore: -
Add the trust store password to the file using one of the following
methods:
-
Add the following setting with the plain-text password for an
unencrypted password:
-
Encrypt the password using the
/opt/gpudb/core/bin/gpudb_encrypt.shutility (see Obfuscating Plain-Text Passwords for details), then provide the following setting with the encrypted password value and the file path to thegpudb_decrypt.shscript (located in/opt/gpudb/core/bin/by default):
-
Add the following setting with the plain-text password for an
unencrypted password:
-
Add the
A keystore being added to catalina.properties will
prevent security settings from being overwritten during a
Kinetica upgrade
External Authentication Configuration
External authentication data store integration with Kinetica is accomplished through an Apache HTTPD proxy. This proxy comes packaged with Kinetica and can be found in /opt/gpudb/httpd. Since this portion is controlled by Apache HTTP not Kinetica, see the Apache documentation for further details. External authentication can be configured for Kinetica with or without SSL. Kinetica currently supports the following external authentication sources:See Obfuscating Plain-Text Passwords
for an example of obfuscating the plain-text LDAP/AD password in the HTTPD
configuration file.
For testing purposes, Kinetica is packaged with an OpenLDAP server daemon
(Only run /opt/gpudb/httpd/openldap/openldap-init.sh the
first time the included OpenLDAP instance is started.
slapd) that already includes several sample users. It can be started
& initialized manually, using the commands:LDAP
-
Before making configuration changes, ensure host manager is stopped:
-
Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following
settings, and update them as necessary. Read more about the HTTPD LDAP
settings in the Apache HTTPD LDAP documentation:
If you have groups you want to map to Kinetica roles, edit the
LimitExcepttag, noted above. -
After making configuration changes, start the database:
Microsoft Active Directory
-
Before making configuration changes, ensure host manager is stopped:
-
Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following
settings, and update them as necessary, ensuring you replace any instances of
uidwithsamaccountname:If you have groups you want to map to Kinetica roles, edit theLimitExcepttag, noted above. -
After making configuration changes, start the database:
Kerberos
-
Before making configuration changes, ensure host manager is stopped:
-
Navigate to /opt/gpudb/httpd/conf/data.conf, uncomment the following
settings, and update them as necessary:
-
Add the following settings below the settings you just uncommented, ensuring
you replace the Kerberos realm and service name as well as the path to the
keytab file with the appropriate values:
-
Navigate to /opt/gpudb/httpd/conf/httpd.conf and add the following
line to the end of the file:
-
After making configuration changes, start the database:
User Management
Once Kinetica is connected to an external authentication source, the external users can be used for all Kinetica administration. First, a user with administrative permissions that can be tied to an external user will need to be created within Kinetica:- Log into Kinetica Administration Application (GAdmin) with an internal Kinetica administration account
- From the Security menu, select Users
- Click the New button
- For Authentication, select External
- Enter an external user’s username, preceded by
@. This marks the user as an externally authenticated user - For System Level Permission, select System Admin
Although external users are created with the username
@<username>,
they will log in with their regular username, without the @.Verification
-
Restart host manager and the database using:
-
Run a Host Manager status check:
-
Verify the output shows HTTPD is running:
-
Ensure Kinetica is running properly:
-
Verify the output shows Kinetica is running:
-
Verify both internal and external users can login to
GAdmin at
https://<hostname>:8443 -
Verify both internal and external users can login to
Reveal at
https://<hostname>:8444 -
Verify both internal and external users can login to
Workbench at
http://<hostname>:8445