TLS Certificates
Danger
The certificates generated in this guide should only be used for proof-of-concept or testing deployments. These certificates should not be used in production.
Audience: System Administrators
Content Summary: If you do not have TLS certificates available for your Immuta hostnames, you can use this guide to generate a Certificate Authority and corresponding certificates for the Immuta Metadata database, Query Engine, and Web Service.
Note: These certificates should not be considered a secure replacement for certificates signed by a trusted Certificate Authority, and therefore should not be used in a production deployment of Immuta. These certificates should only be used for proof-of-concept deployments if certificates signed by a trusted CA are not available.
Generate TLS Certificates
The commands below are meant to be run on each node of the Immuta instance.
- Export the variables below.

export IMMUTA_HOSTNAME=`hostname`
export IMMUTA_HOME=/etc/immuta

- Run the commands below. Note that openssl is required.

OUT_DIR="${IMMUTA_HOME}/tls"
mkdir -p "${OUT_DIR}"

# Self-signed CA. openssl req -x509 reads its extension section from the
# x509_extensions key (a bare "extensions" key is silently ignored), and a
# CA's keyUsage must include keyCertSign or OpenSSL will not accept it as
# an issuer when verifying the host certificate.
openssl req -new -sha256 -nodes -days 1024 -newkey rsa:2048 -x509 \
  -out "${OUT_DIR}/immuta-ca.crt" -keyout "${OUT_DIR}/immuta-ca.key" \
  -config <( cat <<-EOF
[req]
prompt = no
x509_extensions = req_ext
distinguished_name = dn
[dn]
C=US
ST=Maryland
L=College Park
O=Immuta
OU=Immuta Deployment
CN = Immuta CA for RPM Deployments
[req_ext]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, cRLSign
EOF
)

# Private key and certificate signing request for this host.
openssl req -new -sha256 -nodes -newkey rsa:2048 \
  -out "${OUT_DIR}/immuta.csr" -keyout "${OUT_DIR}/immuta.key" \
  -config <( cat <<-EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C=US
ST=Maryland
L=College Park
O=Immuta
OU=Immuta Deployment
CN = ${IMMUTA_HOSTNAME}
EOF
)

# Sign the request with the CA, placing the hostname in subjectAltName.
openssl x509 -req -in "${OUT_DIR}/immuta.csr" -CA "${OUT_DIR}/immuta-ca.crt" \
  -CAkey "${OUT_DIR}/immuta-ca.key" \
  -CAserial "${OUT_DIR}/immuta-ca.srl" \
  -CAcreateserial \
  -out "${OUT_DIR}/immuta.crt" \
  -days 1024 -sha256 \
  -extfile <(cat <<-EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @san
[san]
DNS.1 = ${IMMUTA_HOSTNAME}
EOF
)
Note: By default this CA and certificate will be valid for 1024 days (roughly 3 years). To increase or decrease the validity period, change both occurrences of 1024.
If you have certificates that are valid for IMMUTA_HOSTNAME and are signed by a Certificate Authority that your users trust, copy the certificate and key into the correct place for the external certificates.