Welcome to Dremio Cloud Documentation - Dremio > > >

Enabling TLS for Dremio UI on Azure

This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.

note:

In Dremio 24+, the keyStorePassword property can be encrypted using the dremio-admin encrypt CLI command.

To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:

Self-signed certificate
CA-certified certificate

Enabling TLS with a Self-Signed Certificate

To enable TLS with a self-signed certificate:

Go to Resource groups > YourResourceName > Overview.
Click on <DremioClusterName>-master.
Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.
SSH to the Azure IP address
```
ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
Password:
$ sudo su -
```
Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.
Add properties to /opt/dremio/conf/dremio.conf file
```
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
```
Restart the Dremio service. See Start, Stop, and Status for RPM commands.
Restart Dremio service
```
service dremio restart
```
Log into the Dremio UI:
Log in to Dremio UI
```
https://<dremio master DNS name>:9047
```

note:

Self-signed certificates are not secure unless you can verify the certificate in the browser (by comparing fingerprints for example).

Enabling TLS with a CA-certified Certificate

To enable TLS with a CA-certified certificate:

Go to Resource groups > YourResourceName > Overview.
Click on <DremioClusterName>-master.
Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.
SSH to Azure IP address
```
ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
Password:
sudo su -
```
Obtain a TLS certificate for your DNS Name. For example, if you are using Let’s Encrypt, install certbot, and generate the certificate.
- The FQDN is set to the DNS name for the master node obtained in a previous step.
- Make note of the last command output for the cert and cert key files.
- Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.
Install certbot and generate certificate
```
FQDN=<DNS name of the host>
curl  https://dl.eff.org/certbot-auto -o certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com
```

Create a keystore for Dremio. For example, the following example uses the output from the previous step.

Create keystore for Dremio

PASSWORD=yourpassword
LETSENCRYPT_BASE=/etc/letsencrypt/live
DREMIO_DATA_DIR=/var/lib/dremio
openssl pkcs12 -export \
    -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
    -in $LETSENCRYPT_BASE/$FQDN/cert.pem \
    -out $DREMIO_DATA_DIR/store.pkcs12 \
    -passout pass:$PASSWORD
chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12

Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.
- Note that the keystore path and password were generated by the previous step.
- If you supplied a different keystore path and password, be sure to provide them instead.
Properties to add to /opt/dremio/conf/dremio.conf file
```
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false
services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
services.coordinator.web.ssl.keyStorePassword: "yourpassword"
```
Restart the Dremio service. See Start, Stop, and Status for RPM commands.
Restart Dremio service
```
service dremio restart
```
Log into the Dremio UI:
Log in to Dremio UI
```
https://<dremio master DNS name>:9047
```

Was this page helpful?

Glad to hear it! Thank you for your feedback. Sorry to hear that. Thank you for your feedback.