    Enabling TLS for Dremio UI on Azure

    This topic describes how to enable Transport Layer Security (TLS) for Dremio UI on Azure.

    note:

    In Dremio 24+, the keyStorePassword property can be encrypted using the dremio-admin encrypt CLI command.

    To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:

    • Self-signed certificate
    • CA-certified certificate

    Enabling TLS with a Self-Signed Certificate

    To enable TLS with a self-signed certificate:

    1. Go to Resource groups > YourResourceName > Overview.

    2. Click on <DremioClusterName>-master.

    3. Locate the DNS name for the master node. In this example, the DNS name is
      dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.

    4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.

      SSH to the Azure IP address
      ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
      Password:
      $ sudo su -
      
    5. Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.

      Add properties to /opt/dremio/conf/dremio.conf file
      services.coordinator.web.ssl.enabled: true
      services.coordinator.web.ssl.auto-certificate.enabled: true
      
    6. Restart the Dremio service. See Start, Stop, and Status for RPM commands.

      Restart Dremio service
      service dremio restart
      
    7. Log in to the Dremio UI:

      Log in to Dremio UI
      https://<dremio master DNS name>:9047
      

    note:

    Self-signed certificates are not secure unless you can verify the certificate in the browser (by comparing fingerprints, for example).
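
One way to do the fingerprint comparison mentioned in the note above, as an added example (not Dremio's own tooling): read the SHA-256 fingerprint of the certificate served on port 9047 from the master node itself and compare it with the value the browser's certificate viewer shows. The function names and the script name `check_fp.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Dremio tooling): compare the certificate fingerprint that
# Dremio serves on port 9047 with the one the browser's certificate viewer shows.

# Reduce common fingerprint renderings to bare uppercase hex, e.g.
# "sha256 Fingerprint=AB:CD:..", "ab cd .." or "abcd..".
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \n\t' | tr 'a-f' 'A-F'
}

# Succeed only if both values are well-formed SHA-256 fingerprints (64 hex
# digits) and identical. Returns 2 for a malformed or empty value, so a failed
# fetch can never be mistaken for a match.
fp_match() {
    _a=$(normalize_fp "$1")
    _b=$(normalize_fp "$2")
    printf '%s\n' "$_a" | grep -Eq '^[0-9A-F]{64}$' || return 2
    printf '%s\n' "$_b" | grep -Eq '^[0-9A-F]{64}$' || return 2
    [ "$_a" = "$_b" ]
}

# Print the SHA-256 fingerprint of the certificate served at host:port.
# s_client does not reject an untrusted chain by default, which is what lets
# it read a self-signed certificate here.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Usage, on the master node (the SSH session from step 4):
#   sh check_fp.sh localhost 9047 "<fingerprint copied from the browser>"
if [ "$#" -eq 3 ]; then
    if fp_match "$(served_fp "$1" "$2")" "$3"; then
        echo "MATCH: the browser sees the certificate this node serves"
    else
        echo "NO MATCH (or unreadable fingerprint): do not accept the certificate" >&2
        exit 1
    fi
fi
```

Accept the browser's certificate warning only after the script reports a match; repeat the comparison if the certificate changes.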

    Enabling TLS with a CA-certified Certificate

    To enable TLS with a CA-certified certificate:

    1. Go to Resource groups > YourResourceName > Overview.

    2. Click on <DremioClusterName>-master.

    3. Locate the DNS name for the master node. In this example, the DNS name is
      dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com.

    4. Access the Dremio cluster master node on Azure via the DNS name and become root. For example, using a terminal window, SSH to the Azure IP address with the username and password that you provided during the initial configuration.

      SSH to Azure IP address
      ssh azuser@dremio-master-3kwnfmvg62gfe.westus2.cloudapp.azure.com
      Password:
      sudo su -
      
    5. Obtain a TLS certificate for your DNS name. For example, if you are using Let’s Encrypt, install certbot and generate the certificate.

      • The FQDN is set to the DNS name for the master node obtained in a previous step.
      • Make note of the last command output for the cert and cert key files.
      • Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 - 9) must be repeated.

      Install certbot and generate certificate
      FQDN=<DNS name of the host>
      curl https://dl.eff.org/certbot-auto -o certbot-auto
      mv certbot-auto /usr/local/bin/certbot-auto
      chown root /usr/local/bin/certbot-auto
      chmod 0755 /usr/local/bin/certbot-auto
      certbot-auto certonly -d "$FQDN" --standalone -n --agree-tos --email youremail@domain.com
      
    6. Create a keystore for Dremio. The following example uses the output from the previous step.

      Create keystore for Dremio
      # FQDN must still be set from the previous step
      PASSWORD=yourpassword
      LETSENCRYPT_BASE=/etc/letsencrypt/live
      DREMIO_DATA_DIR=/var/lib/dremio
      openssl pkcs12 -export \
          -inkey "$LETSENCRYPT_BASE/$FQDN/privkey.pem" \
          -in "$LETSENCRYPT_BASE/$FQDN/cert.pem" \
          -out "$DREMIO_DATA_DIR/store.pkcs12" \
          -passout "pass:$PASSWORD"
      chown dremio:dremio "$DREMIO_DATA_DIR/store.pkcs12"
      
    7. Configure Dremio by editing the /opt/dremio/conf/dremio.conf file and adding the following properties to the end of the file.

      • Note that the keystore path and password were generated by the previous step.
      • If you supplied a different keystore path and password, be sure to provide them instead.

      Properties to add to /opt/dremio/conf/dremio.conf file
      services.coordinator.web.ssl.enabled: true
      services.coordinator.web.ssl.auto-certificate.enabled: false
      services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
      services.coordinator.web.ssl.keyStorePassword: "yourpassword"
      
    8. Restart the Dremio service. See Start, Stop, and Status for RPM commands.

      Restart Dremio service
      service dremio restart
      
    9. Log in to the Dremio UI:

      Log in to Dremio UI
      https://<dremio master DNS name>:9047