Enabling TLS for Dremio UI on Azure
This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.
To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:
- Self-signed certificate
- CA-certified certificate
Enabling TLS with a Self-Signed Certificate
To enable TLS with a self-signed certificate:
- Go to Resource groups > YourResourceName > Overview.
- Click on <DremioClusterName>-master.
- Locate the DNS name for the master node.
In the following sample screenshot, the DNS name is
dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
- Access the Dremio cluster master node on Azure via the DNS name and become root.
For example, using a terminal window, SSH to the Azure IP address with the username and password
that you provided during the initial configuration.
$ ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com Password: $ sudo su - - Configure Dremio by editing the /etc/system/dremio.conf file and
adding the following properties to the end of the file.
services.coordinator.web.ssl.enabled: true services.coordinator.web.ssl.auto-certificate.enabled: true - Restart the Dremio service. See Start, Stop, and Status for RPM commands.
For example:
service dremio restart - Log into the Dremio UI:
https://<dremio master DNS name>:9047
Note: Self-signed certificates are not secure unless you can verify the certificate in the browser (by comparing fingerprints for example).
Enabling TLS with a CA-certified Certificate
To enable TLS with a CA-certified certificate:
- Go to Resource groups > YourResourceName > Overview.
- Click on <DremioClusterName>-master.
- Locate the DNS name for the master node.
In the following sample screenshot, the DNS name is
dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
- Access the Dremio cluster master node on Azure via the DNS name and become root.
For example, using a terminal window, SSH to the Azure IP address with the username and password
that you provided during the initial configuration.
$ ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com Password: $ sudo su - - Obtain a TLS certificate for your DNS Name.
For example, if you are using Let’s Encrypt,
install certbot, and generate the certificate.
- The FQDN is set to the DNS name for the master node obtained in a previous step.
- Make note of the last command output for the cert and cert key files.
- Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.
FQDN=<DNS name of the host> curl https://dl.eff.org/certbot-auto -o certbot-auto mv certbot-auto /usr/local/bin/certbot-auto chown root /usr/local/bin/certbot-auto chmod 0755 /usr/local/bin/certbot-auto certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com - Create a keystore for Dremio.
For example, the following example uses the output from the previous step.
PASSWORD=yourpassword LETSENCRYPT_BASE=/etc/letsencrypt/live DREMIO_DATA_DIR=/var/lib/dremio openssl pkcs12 -export \ -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \ -in $LETSENCRYPT_BASE/$FQDN/cert.pem \ -out $DREMIO_DATA_DIR/store.pkcs12 \ -passout pass:$PASSWORD chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12 - Configure Dremio by editing the /etc/dremio/dremio.conf file and
adding the following properties to the end of the file.
- Note that the keystore path and password were generated by the previous step.
- If you supplied a different keystore path and password, be sure to provide them instead.
services.coordinator.web.ssl.enabled: true services.coordinator.web.ssl.auto-certificate.enabled: false services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12" services.coordinator.web.ssl.keyStorePassword: "yourpassword" - Restart the Dremio service. See Start, Stop, and Status for RPM commands.
For example:
service dremio restart - Log into the Dremio UI:
https://<dremio master DNS name>:9047
Previous:
Next: