Enabling TLS for Dremio UI on AWS

This topic describes how to enable Transport Layer Security (TLS) for the Dremio UI on a cluster deployed with AWS CloudFormation.

To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:

  • Self-signed certificate
  • CA-certified certificate

Enabling TLS with a Self-Signed Certificate

To enable TLS with a self-signed certificate:

  1. From CloudFormation, select your Stack.
  2. Click on the Resources tab.
  3. Click on <DremioClusterName>-DremioMaster.
  4. Locate the DNS name for the master node. In the sample screenshot, the DNS name is
    ec2-18-188-87-153.us-east-2.compute.amazonaws.com.
    [Screenshot: AWS Master DNS Name]
  5. Access the Dremio cluster master node on AWS via its DNS name and become root. For example, from a terminal window, SSH to the master node's DNS name with the keypair that you used during stack creation.
     $ ssh -i <path_to_your_private_key> centos@ec2-18-188-87-153.us-east-2.compute.amazonaws.com
     $ sudo su -

  6. Configure Dremio by editing the /etc/dremio/dremio.conf file and adding the following properties to the end of the file.
     services.coordinator.web.ssl.enabled: true
     services.coordinator.web.ssl.auto-certificate.enabled: true

  7. Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
    service dremio restart
  8. Log into the Dremio UI:
    https://<dremio master DNS name>:9047

Note: A self-signed certificate is not secure unless you verify it in the browser out of band, for example by comparing the fingerprint shown by the browser with the fingerprint of the certificate on the master node.
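The fingerprint comparison the note asks for, as an added example that is not part of the Dremio documentation: the script fetches the certificate the master node presents on port 9047 and checks its SHA-256 fingerprint against the value you read in the browser's certificate viewer, accepting the colon-separated or spaced formats browsers display. The host name and fingerprint on the command line are placeholders; the byte strings in the comments are constructed for illustration.

```python
"""Verify the self-signed certificate presented by the Dremio UI on port 9047.

Added example, not part of the Dremio documentation. Usage:

    python3 check_dremio_fingerprint.py <dremio master DNS name> <SHA-256 fingerprint from the browser>
"""
import hashlib
import hmac
import ssl
import sys

DREMIO_UI_PORT = 9047  # port the Dremio UI listens on in this guide


def normalize_fingerprint(fp: str) -> str:
    """Browsers show fingerprints as 'AB:CD:...' or 'ab cd ...'; reduce to bare lowercase hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as bare lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate against the pinned fingerprint in constant time."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_server_cert(host: str, port: int = DREMIO_UI_PORT) -> bytes:
    """Fetch the leaf certificate the server presents, as DER bytes.

    Chain verification is deliberately off here: a self-signed certificate fails
    chain validation by definition, so trust is established by the fingerprint
    comparison that follows, not by the handshake itself.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <dremio master DNS name> <expected SHA-256 fingerprint>", file=sys.stderr)
        return 2
    host, expected = argv[1], argv[2]
    der = fetch_server_cert(host)
    presented = sha256_fingerprint(der)
    if fingerprint_matches(der, expected):
        print(f"OK: {host}:{DREMIO_UI_PORT} presents the expected certificate ({presented})")
        return 0
    print(f"MISMATCH: {host}:{DREMIO_UI_PORT} presents {presented}, expected {normalize_fingerprint(expected)}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine other than the master node so that the certificate is fetched over the same network path the browser uses; a non-zero exit means the browser is not talking to the certificate you generated.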

Enabling TLS with a CA-certified Certificate

To enable TLS with a CA-certified certificate:

  1. From CloudFormation, select your Stack.
  2. Click on the Resources tab.
  3. Click on <DremioClusterName>-DremioMaster.
  4. Locate the DNS name for the master node. In the sample screenshot, the DNS name is
    ec2-18-188-87-153.us-east-2.compute.amazonaws.com.
    [Screenshot: AWS Master DNS Name]
  5. Access the Dremio cluster master node on AWS via its DNS name and become root. For example, from a terminal window, SSH to the master node's DNS name with the keypair that you used during stack creation.
     $ ssh -i <path_to_your_private_key> centos@ec2-18-188-87-153.us-east-2.compute.amazonaws.com
     $ sudo su -

  6. Obtain a TLS certificate for your DNS name. For example, if you are using Let's Encrypt, install certbot and generate the certificate.

    • The FQDN is set to the DNS name for the master node obtained in a previous step.
    • Make note of the last command's output for the locations of the cert and cert key files.
    • Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.

      FQDN=<DNS name of the host>
      curl https://dl.eff.org/certbot-auto -o certbot-auto
      mv certbot-auto /usr/local/bin/certbot-auto
      chown root /usr/local/bin/certbot-auto
      chmod 0755 /usr/local/bin/certbot-auto
      certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com

  7. Create a keystore for Dremio. The following example uses the output from the previous step.

     # FQDN is still set from step 6
     PASSWORD=yourpassword
     LETSENCRYPT_BASE=/etc/letsencrypt/live
     DREMIO_DATA_DIR=/var/lib/dremio
     openssl pkcs12 -export \
         -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
         -in $LETSENCRYPT_BASE/$FQDN/cert.pem \
         -out $DREMIO_DATA_DIR/store.pkcs12 \
         -passout pass:$PASSWORD
     chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12

  8. Configure Dremio by editing the /etc/dremio/dremio.conf file and adding the following properties to the end of the file.
    • Note that the keystore path and password are the ones generated in the previous step.
    • If you supplied a different keystore path or password, provide those values instead.
      services.coordinator.web.ssl.enabled: true
      services.coordinator.web.ssl.auto-certificate.enabled: false
      services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
      services.coordinator.web.ssl.keyStorePassword: "yourpassword"

  9. Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
    service dremio restart
  10. Log into the Dremio UI:
    https://<dremio master DNS name>:9047
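A post-deployment check for the CA-certified path, as an added example that is not part of the Dremio documentation: it opens a fully verified TLS connection to the master node on port 9047 (system CA bundle, hostname checking on, so a keystore built from the wrong cert.pem or a SAN that does not match the DNS name fails here rather than in users' browsers), reports the names and issuer of the certificate Dremio is actually serving, and computes how many days remain before the 90-day Let's Encrypt certificate expires so that the renewal and the repeat of steps 7 - 9 can be scheduled. The 30-day renewal threshold is this example's assumption, not a Dremio or Let's Encrypt setting; the dates used in the comments are constructed.

```python
"""Verify the CA-signed certificate served by the Dremio UI and track its expiry.

Added example, not part of the Dremio documentation. Usage:

    python3 check_dremio_tls.py <dremio master DNS name>
"""
import socket
import ssl
import sys
import time

DREMIO_UI_PORT = 9047   # port the Dremio UI listens on in this guide
RENEW_WITHIN_DAYS = 30  # assumption: flag the certificate once fewer than 30 days remain


def cert_time_to_epoch(cert_time: str) -> int:
    """Convert a getpeercert() date such as 'Jun  1 12:00:00 2025 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now: float) -> float:
    """Days left until 'not_after' relative to 'now'; negative once the certificate has expired."""
    return (cert_time_to_epoch(not_after) - now) / 86400


def needs_renewal(not_after: str, now: float, threshold_days: int = RENEW_WITHIN_DAYS) -> bool:
    """True when the certificate should be renewed (and steps 7 - 9 repeated)."""
    return days_until_expiry(not_after, now) < threshold_days


def inspect_dremio_cert(host: str, port: int = DREMIO_UI_PORT) -> dict:
    """Connect with full verification and return what an operator wants to see.

    ssl.create_default_context() loads the system CA bundle and enables hostname
    checking, so a chain that does not reach a trusted root or a certificate whose
    SAN does not cover 'host' raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "dns_names": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <dremio master DNS name>", file=sys.stderr)
        return 2
    host = argv[1]
    try:
        info = inspect_dremio_cert(host)
    except ssl.SSLCertVerificationError as exc:
        # The keystore does not hold a certificate browsers will trust for this name.
        print(f"FAIL: {host}:{DREMIO_UI_PORT} did not verify: {exc.verify_message}", file=sys.stderr)
        return 1
    now = time.time()
    left = days_until_expiry(info["not_after"], now)
    print(f"{host}:{DREMIO_UI_PORT} {info['protocol']} issuer={info['issuer']}")
    print(f"  SAN: {', '.join(info['dns_names'])}")
    print(f"  expires {info['not_after']} ({left:.1f} days left)")
    if needs_renewal(info["not_after"], now):
        print(f"  RENEW: fewer than {RENEW_WITHIN_DAYS} days remain; rerun certbot and repeat steps 7 - 9", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit is a usable signal for a cron job or monitoring check: 1 means the certificate either failed verification or is inside the renewal window.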
