Enabling TLS for Dremio UI on AWS
This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Amazon AWS Cloudformation.
To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:
- Self-signed certificate
- CA-certified certificate
Enabling TLS with a Self-Signed Certificate
To enable TLS with a self-signed certificate:
- From CloudFormation, select your Stack.
- Click on the Resources tab.
- Click on <DremioClusterName>-DremioMaster.
- Locate the DNS name for the master node.
In the following sample screenshot, the DNS name is
ec2-18-188-87-153.us-east-2.compute.amazonaws.com. - Access the Dremio cluster master node on AWS via the DNS name and become root.
For example, using a terminal window, SSH to the AWS IP address
with the keypair that you used during stack creation.
$ ssh -i <path_to_your_private_key> centos@ec2-18-188-87-153.us-east-2.compute.amazonaws.com $ sudo su - - Configure Dremio by editing the /etc/system/dremio.conf file and
adding the following properties to the end of the file.
services.coordinator.web.ssl.enabled: true services.coordinator.web.ssl.auto-certificate.enabled: true - Restart the Dremio service. See Start, Stop, and Status for RPM commands.
For example:
service dremio restart - Log into the Dremio UI:
https://<dremio master DNS name>:9047
Note:
Self-signed certificates are not secure unless you can verify the certificate in the browser (by comparing fingerprints for example).
Enabling TLS with a CA-certified Certificate
To enable TLS with a CA-certified certificate:
From CloudFormation, select your Stack.
Click on the Resources tab.
Click on <DremioClusterName>-DremioMaster.
Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
ec2-18-188-87-153.us-east-2.compute.amazonaws.com.Access the Dremio cluster master node on AWS via the DNS name and become root. For example, using a terminal window, SSH to the AWS IP address with the keypair that you used during stack creation.
$ ssh -i <path_to_your_private_key> centos@ec2-18-188-87-153.us-east-2.compute.amazonaws.com $ sudo su -Obtain a TLS certificate for your DNS Name. For example, if you are using Let’s Encrypt, install certbot, and generate the certificate.
- The FQDN is set to the DNS name for the master node obtained in a previous step.
- Make note of the last command output for the cert and cert key files.
- Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.
FQDN=<DNS name of the host> curl https://dl.eff.org/certbot-auto -o certbot-auto mv certbot-auto /usr/local/bin/certbot-auto chown root /usr/local/bin/certbot-auto chmod 0755 /usr/local/bin/certbot-auto certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.comCreate a keystore for Dremio. For example, the following example uses the output from the previous step.
PASSWORD=yourpassword LETSENCRYPT_BASE=/etc/letsencrypt/live DREMIO_DATA_DIR=/var/lib/dremio openssl pkcs12 -export \ -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \ -in $LETSENCRYPT_BASE/$FQDN/cert.pem \ -out $DREMIO_DATA_DIR/store.pkcs12 \ -passout pass:$PASSWORD chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12Configure Dremio by editing the /etc/dremio/dremio.conf file and adding the following properties to the end of the file.
- Note that the keystore path and password were generated by the previous step.
- If you supplied a different keystore path and password, be sure to provide them instead.
services.coordinator.web.ssl.enabled: true services.coordinator.web.ssl.auto-certificate.enabled: false services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12" services.coordinator.web.ssl.keyStorePassword: "yourpassword"Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
service dremio restartLog into the Dremio UI:
https://<dremio master DNS name>:9047