Enabling TLS for Dremio UI on Azure
This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.
To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:
- Self-signed certificate
- CA-certified certificate
Enabling TLS with a Self-Signed Certificate
To enable TLS with a self-signed certificate:
- Go to Resource groups > YourResourceName > Overview.
- Click on <DremioClusterName>-master.
- Locate the DNS name for the master node.
In the following sample screenshot, the DNS name is
dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
.

- Access the Dremio cluster master node on Azure via the DNS name and become root.
For example, using a terminal window, SSH to the Azure IP address with the username and password
that you provided during the initial configuration.
$ ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
Password:
$ sudo su -
- Configure Dremio by editing the /etc/system/dremio.conf file and
adding the following properties to the end of the file.
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
- Restart the Dremio service. See Start, Stop, and Status for RPM commands.
For example:
service dremio restart
- Log into the Dremio UI:
https://<dremio master DNS name>:9047
Note: Self-signed certificates are not secure unless you can verify the certificate in the browser (by comparing fingerprints for example).
Enabling TLS with a CA-certified Certificate
To enable TLS with a CA-certified certificate:
- Go to Resource groups > YourResourceName > Overview.
- Click on <DremioClusterName>-master.
- Locate the DNS name for the master node.
In the following sample screenshot, the DNS name is
dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
.

- Access the Dremio cluster master node on Azure via the DNS name and become root.
For example, using a terminal window, SSH to the Azure IP address with the username and password
that you provided during the initial configuration.
$ ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
Password:
$ sudo su -
- Obtain a TLS certificate for your DNS Name.
For example, if you are using Let’s Encrypt,
install certbot, and generate the certificate.
- The FQDN is set to the DNS name for the master node obtained in a previous step.
- Make note of the last command output for the cert and cert key files.
- Note: This certificate is valid for 90 days and must be renewed.
After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.
FQDN=<DNS name of the host>
curl https://dl.eff.org/certbot-auto -o certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com
- Create a keystore for Dremio.
For example, the following example uses the output from the previous step.
PASSWORD=yourpassword
LETSENCRYPT_BASE=/etc/letsencrypt/live
DREMIO_DATA_DIR=/var/lib/dremio
openssl pkcs12 -export \
-inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
-in $LETSENCRYPT_BASE/$FQDN/cert.pem \
-out $DREMIO_DATA_DIR/store.pkcs12 \
-passout pass:$PASSWORD
chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12
- Configure Dremio by editing the /etc/dremio/dremio.conf file and
adding the following properties to the end of the file.
- Note that the keystore path and password were generated by the previous step.
- If you supplied a different keystore path and password, be sure to provide them instead.
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false
services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
services.coordinator.web.ssl.keyStorePassword: "yourpassword"
- Restart the Dremio service. See Start, Stop, and Status for RPM commands.
For example:
service dremio restart
- Log into the Dremio UI:
https://<dremio master DNS name>:9047