Enabling TLS for Dremio UI on Azure
This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.
note:
In Dremio 24+, the keyStorePassword property can be encrypted using the dremio-admin encrypt CLI command.
To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:
- Self-signed certificate
- CA-certified certificate
Enabling TLS with a Self-Signed Certificate
To enable TLS with a self-signed certificate:
- Go to Resource groups > YourResourceName > Overview.
- Click on <DremioClusterName>-master.
- Locate the DNS name for the master node. In the sample environment used in this topic, the DNS name is dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
- Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the master node with the username and password that you provided during the initial configuration.
  SSH to the Azure master node:
    ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
    Password:
    $ sudo su -
- Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file. With auto-certificate enabled, Dremio generates its own self-signed certificate for the web server when it starts, so no keystore has to be supplied.
  Add properties to the /opt/dremio/conf/dremio.conf file:
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: true
- Restart the Dremio service. See Start, Stop, and Status for RPM commands.
  Restart the Dremio service:
    service dremio restart
- Log into the Dremio UI. The browser warns that the certificate is not trusted; see the note below before accepting it.
  Log in to the Dremio UI:
    https://<dremio master DNS name>:9047
note:
A self-signed certificate encrypts the connection but does not authenticate the server: the browser cannot tell Dremio's auto-generated certificate from one presented by an attacker sitting between you and the node. Treat the connection as secure only if you verify the certificate the browser received out of band, for example by comparing its SHA-256 fingerprint with the fingerprint of the certificate on the master node itself. For anything beyond a test deployment, use a CA-certified certificate.
Enabling TLS with a CA-certified Certificate
To enable TLS with a CA-certified certificate:
- Go to Resource groups > YourResourceName > Overview.
- Click on <DremioClusterName>-master.
- Locate the DNS name for the master node. In the sample environment used in this topic, the DNS name is dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.
- Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the master node with the username and password that you provided during the initial configuration.
  SSH to the Azure master node:
    ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
    Password:
    sudo su -
- Obtain a TLS certificate for your DNS name. For example, if you are using Let's Encrypt, install certbot and generate the certificate.
  - The FQDN is set to the DNS name for the master node obtained in a previous step.
  - With --standalone, certbot answers the HTTP-01 challenge itself on port 80, so port 80 must be free on the node and reachable from the internet while the command runs (check the network security group attached to the master node).
  - Make note of the last command output for the cert and cert key files.
  - Note: This certificate is valid for 90 days and must be renewed. After renewal, the keystore must be rebuilt from the renewed files and the Dremio service restarted, that is, the keystore creation and restart steps below must be repeated.
  - Note: The certbot-auto wrapper shown here has since been deprecated by the EFF and is no longer maintained; on current systems install certbot from your distribution's package manager (or as a snap) and run the same certonly command.
  Obtain a certificate with certbot:
    FQDN=<DNS name of the host>
    curl https://dl.eff.org/certbot-auto -o certbot-auto
    mv certbot-auto /usr/local/bin/certbot-auto
    chown root /usr/local/bin/certbot-auto
    chmod 0755 /usr/local/bin/certbot-auto
    certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com
- Create a keystore for Dremio. For example, the following commands use the output from the previous step (FQDN is still set from that step).
  - fullchain.pem is used rather than cert.pem so that the keystore also holds the Let's Encrypt intermediate certificate. A keystore that contains only the leaf certificate makes Dremio serve an incomplete chain, which strict clients (Java, curl with a plain CA bundle) reject even though browsers may still connect.
  - The export password is passed on the command line here, so it appears in the shell history and in the process list while openssl runs. Clear the history afterwards, or use -passout file:<path> with a root-only file instead.
  - The keystore holds the private key: keep it owned by the dremio user and readable by nobody else (chmod 600).
  Create keystore for Dremio:
    PASSWORD=yourpassword
    LETSENCRYPT_BASE=/etc/letsencrypt/live
    DREMIO_DATA_DIR=/var/lib/dremio
    openssl pkcs12 -export \
      -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
      -in $LETSENCRYPT_BASE/$FQDN/fullchain.pem \
      -out $DREMIO_DATA_DIR/store.pkcs12 \
      -passout pass:$PASSWORD
    chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12
- Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.
  - Note that the keystore path and password were generated by the previous step.
  - If you supplied a different keystore path and password, be sure to provide them instead.
  - In Dremio 24+, the keyStorePassword value can be stored encrypted; see the note at the top of this topic.
  Add properties to the /opt/dremio/conf/dremio.conf file:
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: false
    services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
    services.coordinator.web.ssl.keyStorePassword: "yourpassword"
- Restart the Dremio service. See Start, Stop, and Status for RPM commands.
  Restart the Dremio service:
    service dremio restart
- Log into the Dremio UI. The browser should now show the connection as trusted without a certificate warning.
  Log in to the Dremio UI:
    https://<dremio master DNS name>:9047
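The following script is an added example and is not part of the Dremio documentation or of Dremio's own tooling. It shows a safer way to do the keystore step above (the password is read from a root-only file instead of the command line, and the key is checked against the certificate before anything is exported) and the fingerprint comparison that the self-signed note asks for. It assumes only that openssl is installed; the function names (make_keystore, keystore_cert_count, keystore_fingerprint, cert_fingerprint, served_fingerprint) and the demo paths are hypothetical, and the demo runs on a throwaway self-signed certificate generated inline rather than on Let's Encrypt output.

```shell
#!/bin/sh
# Added example (not Dremio's code): build and check a PKCS#12 keystore for the
# Dremio web server. Assumes openssl is on PATH; all names and paths are hypothetical.
set -eu

# make_keystore KEY CERT OUT PASSFILE
# Refuses to build the keystore unless KEY and CERT belong together, then exports
# them to OUT, reading the export password from PASSFILE. Using -passout file:
# keeps the password out of the shell history and out of `ps` output.
make_keystore() {
    key=$1; cert=$2; out=$3; passfile=$4
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "make_keystore: $cert does not match $key" >&2
        return 1
    fi
    # CERT may be a full chain (e.g. Let's Encrypt fullchain.pem): every certificate
    # in the file is stored, so the intermediate is served alongside the leaf.
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
        -passout "file:$passfile"
    chmod 600 "$out"    # the keystore holds the private key
}

# keystore_cert_count OUT PASSFILE: number of certificates in the keystore
# (1 = leaf only; 2 = leaf plus intermediate for a Let's Encrypt full chain).
keystore_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" | grep -c 'BEGIN CERTIFICATE'
}

# keystore_fingerprint OUT PASSFILE: SHA-256 fingerprint of the certificate that
# belongs to the private key, i.e. the one Dremio will present on port 9047.
keystore_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" \
        | openssl x509 -noout -fingerprint -sha256
}

# cert_fingerprint CERT: SHA-256 fingerprint of a PEM certificate file, in the
# same format, for comparison with the keystore or with what a browser shows.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# served_fingerprint HOST PORT: fingerprint of the certificate a live server
# presents. Not run in the demo below (no network); use it after the restart.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Demo on a constructed, throwaway self-signed certificate. The real procedure
# points at /etc/letsencrypt/live/<FQDN>/privkey.pem and fullchain.pem instead.
DEMO_DIR=$(mktemp -d)
umask 077
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=dremio-master.example.test" \
    -keyout "$DEMO_DIR/privkey.pem" -out "$DEMO_DIR/cert.pem" 2>/dev/null
echo "demo-keystore-password" > "$DEMO_DIR/keystore.pass"
make_keystore "$DEMO_DIR/privkey.pem" "$DEMO_DIR/cert.pem" \
    "$DEMO_DIR/store.pkcs12" "$DEMO_DIR/keystore.pass"
keystore_fingerprint "$DEMO_DIR/store.pkcs12" "$DEMO_DIR/keystore.pass"
```

After `service dremio restart`, run `served_fingerprint localhost 9047` on the master node over SSH and compare it with `keystore_fingerprint` (CA case) or with the fingerprint the browser shows for https://<dremio master DNS name>:9047 (self-signed case). A mismatch means the certificate you are looking at is not the one Dremio is serving, which is exactly the situation the self-signed note warns about.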