Enabling TLS for Dremio UI on Azure
This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.
In Dremio 24+, the keyStorePassword property can be encrypted using the dremio-admin encrypt CLI command.
To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:
- Self-signed certificate
- CA-certified certificate
Enabling TLS with a Self-Signed Certificate
To enable TLS with a self-signed certificate:
1. Go to Resource groups > YourResourceName > Overview.
2. Click on <DremioClusterName>-master.
3. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.
   SSH to the Azure IP address:
       ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
       Password:
       $ sudo su -
5. Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.
   Properties to add to the /opt/dremio/conf/dremio.conf file:
       services.coordinator.web.ssl.enabled: true
       services.coordinator.web.ssl.auto-certificate.enabled: true
6. Restart the Dremio service. See Start, Stop, and Status for RPM commands.
   Restart the Dremio service:
       service dremio restart
7. Log in to the Dremio UI:
       https://<dremio master DNS name>:9047
Self-signed certificates are not secure unless you can verify the certificate in the browser, for example by comparing its fingerprint with the one generated on the master node.
Enabling TLS with a CA-certified Certificate
To enable TLS with a CA-certified certificate:
1. Go to Resource groups > YourResourceName > Overview.
2. Click on <DremioClusterName>-master.
3. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.
   SSH to the Azure IP address:
       ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
       Password:
       $ sudo su -
5. Obtain a TLS certificate for your DNS name. For example, if you are using Let's Encrypt, install certbot and generate the certificate. FQDN is set to the DNS name of the master node obtained in step 3. Make note of the last command's output, which gives the paths of the certificate and certificate key files.
   Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.
   Install certbot and generate the certificate:
       FQDN=<DNS name of the host>
       curl https://dl.eff.org/certbot-auto -o certbot-auto
       mv certbot-auto /usr/local/bin/certbot-auto
       chown root /usr/local/bin/certbot-auto
       chmod 0755 /usr/local/bin/certbot-auto
       certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com
6. Create a keystore for Dremio. The following example uses the output from the previous step.
   Create the keystore for Dremio:
       PASSWORD=yourpassword
       LETSENCRYPT_BASE=/etc/letsencrypt/live
       DREMIO_DATA_DIR=/var/lib/dremio
       openssl pkcs12 -export \
         -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
         -in $LETSENCRYPT_BASE/$FQDN/cert.pem \
         -out $DREMIO_DATA_DIR/store.pkcs12 \
         -passout pass:$PASSWORD
       chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12
7. Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file. The keystore path and password shown are the ones generated in the previous step. If you supplied a different keystore path or password, provide those instead.
   Properties to add to the /opt/dremio/conf/dremio.conf file:
       services.coordinator.web.ssl.enabled: true
       services.coordinator.web.ssl.auto-certificate.enabled: false
       services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
       services.coordinator.web.ssl.keyStorePassword: "yourpassword"
8. Restart the Dremio service. See Start, Stop, and Status for RPM commands.
   Restart the Dremio service:
       service dremio restart
9. Log in to the Dremio UI:
       https://<dremio master DNS name>:9047
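The renewal case flagged in the certificate step (a Let's Encrypt certificate expires after 90 days, after which the keystore, configuration and restart steps must be redone) is where a broken keystore usually slips in: wrong keyStorePassword, a certificate for a different name, or an already expired one. The helper below is an added example, not Dremio documentation or project code: it rebuilds the PKCS12 keystore from the certbot output the same way the keystore step does and pre-checks it before Dremio is restarted. It assumes openssl is installed and that certbot wrote privkey.pem, cert.pem and (optionally) chain.pem under /etc/letsencrypt/live/<FQDN>/; including chain.pem goes beyond the page's command so that browsers receive the intermediate CA as well.

```shell
#!/bin/sh
# Added example: rebuild and pre-check the Dremio UI keystore after a
# Let's Encrypt renewal. Assumes openssl is installed and certbot wrote
# privkey.pem, cert.pem and (optionally) chain.pem under LIVE_DIR/FQDN.

# build_keystore FQDN PASSWORD OUT [LIVE_DIR]
# Packs privkey.pem + cert.pem into a PKCS12 keystore with the same openssl
# command as the keystore step; chain.pem (the intermediate CA) is added when
# present so clients get the full chain. Paths are assumed to have no spaces.
build_keystore() {
    fqdn=$1; pw=$2; out=$3; live=${4:-/etc/letsencrypt/live}
    dir="$live/$fqdn"
    [ -r "$dir/privkey.pem" ] && [ -r "$dir/cert.pem" ] || return 2
    chain_opt=""
    [ -r "$dir/chain.pem" ] && chain_opt="-certfile $dir/chain.pem"
    openssl pkcs12 -export \
        -inkey "$dir/privkey.pem" -in "$dir/cert.pem" $chain_opt \
        -out "$out" -passout "pass:$pw" 2>/dev/null || return 1
    chmod 0640 "$out"   # the keystore holds the private key: not world-readable
}

# check_keystore KEYSTORE PASSWORD FQDN [MIN_DAYS]
# Returns 0 only if the keystore opens with PASSWORD, its leaf certificate
# names FQDN (subject CN or a DNS SAN) and it stays valid for MIN_DAYS days.
# Non-zero codes: 1 wrong password/unreadable, 3 name mismatch, 4 expiring.
check_keystore() {
    store=$1; pw=$2; fqdn=$3; min_days=${4:-30}
    leaf=$(openssl pkcs12 -in "$store" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null) || return 1
    [ -n "$leaf" ] || return 1
    names=$(printf '%s\n' "$leaf" | openssl x509 -noout -text 2>/dev/null)
    printf '%s\n' "$names" | grep -q -E "(CN *= *|DNS:)$fqdn(,| |$)" || return 3
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 4
}

# Typical use after a renewal (values as in the certificate and keystore steps):
#   build_keystore "$FQDN" "$PASSWORD" /var/lib/dremio/store.pkcs12 \
#     && check_keystore /var/lib/dremio/store.pkcs12 "$PASSWORD" "$FQDN" \
#     && chown dremio:dremio /var/lib/dremio/store.pkcs12 \
#     && service dremio restart
```

The chown to the dremio user from the keystore step still applies; the check deliberately runs before the restart so a bad keystore never takes the UI down.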