Skip to main content
Version: current [25.0.x]

Enabling TLS for Dremio UI on Azure

This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.

note

In Dremio 24+, the keyStorePassword property can be encrypted using the dremio-admin encrypt CLI command.

To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:

  • Self-signed certificate
  • CA-certified certificate

Enabling TLS with a Self-Signed Certificate

To enable TLS with a self-signed certificate:

  1. Go to Resource groups > YourResourceName > Overview.

  2. Click on <DremioClusterName>-master.

  3. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
    dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.

  4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.

    SSH to the Azure IP address
    ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
    Password:
    $ sudo su -

  5. Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.

    Add properties to /opt/dremio/conf/dremio.conf file
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: true

  6. Restart the Dremio service. See Start, Stop, and Status for RPM commands.

    Restart Dremio service
    service dremio restart

  7. Log into the Dremio UI:

    Log in to Dremio UI
    https://<dremio master DNS name>:9047
note

Self-signed certificates are not secure unless you can verify the certificate in the browser (by comparing fingerprints for example).

Enabling TLS with a CA-certified Certificate

To enable TLS with a CA-certified certificate:

  1. Go to Resource groups > YourResourceName > Overview.

  2. Click on <DremioClusterName>-master.

  3. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
    dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.

  4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.

    SSH to Azure IP address
    ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
    Password:
    sudo su -

  5. Obtain a TLS certificate for your DNS Name. For example, if you are using Let's Encrypt, install certbot, and generate the certificate.

    • The FQDN is set to the DNS name for the master node obtained in a previous step.

    • Make note of the last command output for the cert and cert key files.

    • Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.

      Install certbot and generate certificate
      FQDN=<DNS name of the host>
      curl  https://dl.eff.org/certbot-auto -o certbot-auto
      mv certbot-auto /usr/local/bin/certbot-auto
      chown root /usr/local/bin/certbot-auto
      chmod 0755 /usr/local/bin/certbot-auto
      certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com

  6. Create a keystore for Dremio. For example, the following example uses the output from the previous step.

    Create keystore for Dremio
    PASSWORD=yourpassword
    LETSENCRYPT_BASE=/etc/letsencrypt/live
    DREMIO_DATA_DIR=/var/lib/dremio
    openssl pkcs12 -export \
        -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
        -in $LETSENCRYPT_BASE/$FQDN/cert.pem \
        -out $DREMIO_DATA_DIR/store.pkcs12 \
        -passout pass:$PASSWORD
    chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12

  7. Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file. The keystore path and password were generated by the previous step. If you supplied a different keystore path and password, be sure to provide them instead.

    Properties to add to /opt/dremio/conf/dremio.conf file
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: false
    services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
    services.coordinator.web.ssl.keyStorePassword: "yourpassword"

  8. Restart the Dremio service. See Start, Stop, and Status for RPM commands.

    Restart Dremio service
    service dremio restart

  9. Log into the Dremio UI:

    Log in to Dremio UI
    https://<dremio master DNS name>:9047