Enabling TLS for Dremio UI on Azure

This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.

To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:

• Self-signed certificate
• CA-certified certificate

Enabling TLS with a Self-Signed Certificate

To enable TLS with a self-signed certificate:

1. Go to Resource groups > YourResourceName > Overview.
2. Click on <DremioClusterName>-master.
3. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
   dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.

   $ ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
   Password:
   $ sudo su -
   

5. Configure Dremio by editing the /etc/system/dremio.conf file and adding the following properties to the end of the file.

   services.coordinator.web.ssl.enabled: true
   services.coordinator.web.ssl.auto-certificate.enabled: true
   

6. Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
   service dremio restart
7. Log into the Dremio UI:
   https://<dremio master DNS name>:9047

Enabling TLS with a CA-certified Certificate

To enable TLS with a CA-certified certificate:

1. Go to Resource groups > YourResourceName > Overview.
2. Click on <DremioClusterName>-master.
3. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
   dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.

   $ ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
   Password:
   $ sudo su -
   

5. Obtain a TLS certificate for your DNS Name. For example, if you are using Let’s Encrypt, install certbot, and generate the certificate.
   • The FQDN is set to the DNS name for the master node obtained in a previous step.
   • Make note of the last command output for the cert and cert key files.
   • Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.

   FQDN=<DNS name of the host>
   curl  https://dl.eff.org/certbot-auto -o certbot-auto
   mv certbot-auto /usr/local/bin/certbot-auto
   chown root /usr/local/bin/certbot-auto
   chmod 0755 /usr/local/bin/certbot-auto
   certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com
   

6. Create a keystore for Dremio. For example, the following example uses the output from the previous step.

   PASSWORD=yourpassword
   LETSENCRYPT_BASE=/etc/letsencrypt/live
   DREMIO_DATA_DIR=/var/lib/dremio
   openssl pkcs12 -export \
       -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
       -in $LETSENCRYPT_BASE/$FQDN/cert.pem \
       -out $DREMIO_DATA_DIR/store.pkcs12 \
       -passout pass:$PASSWORD 
   chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12
   

7. Configure Dremio by editing the /etc/dremio/dremio.conf file and adding the following properties to the end of the file.
   • Note that the keystore path and password were generated by the previous step.
   • If you supplied a different keystore path and password, be sure to provide them instead.

   services.coordinator.web.ssl.enabled: true
   services.coordinator.web.ssl.auto-certificate.enabled: false
   services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
   services.coordinator.web.ssl.keyStorePassword: "yourpassword"
   

8. Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
   service dremio restart
9. Log into the Dremio UI:
   https://<dremio master DNS name>:9047