The Hybrid Data Pipeline server and On-Premises Connector use a JRE at runtime. When connecting to a data store secured with a less-well-known certificate, you must import the certificate into the truststore of the JRE used at runtime.

The location of the truststore has changed with build 4.6.1.357 of the server. Therefore, there are separate instructions for importing data store certificates for builds 4.6.1.357 and later, and builds 4.6.1.325 and earlier. See the following sections for step-by-step instructions.

Importing certificates into the Hybrid Data Pipeline server JRE truststore (4.6.1.357 or later)

Before you begin, consider reviewing the certificates in the JRE truststore. To view the certificates in the truststore, navigate to the truststore directory and use the keytool utility to list supported certificates. For example:

JAVA_HOME/bin/keytool -list -v -keystore key_location/ddcloudTrustStore.jks

If you are using a certificate that is not in the truststore, the truststore must be updated in the key location (or shared file location). For a non-load balancer deployment, the default key location may be retained, or a key location may be specified during installation. For a load balancer deployment, a key location must be specified.

  • JRE trustore default location (non-load balancer deployment only): hdp_install_dir/ddcloud/keystore/ddcloudTrustStore.jks, where hdp_install_dir is the Hybrid Data Pipeline installation directory.
  • JRE trustore user-specified location: key_location/ddcloudTrustStore.jks, where key_location is the location of the key location specified by the user during installation.
Important: To enable server-side SSL on Linux deployments, the enable_ssl.sh script must be run. This script rebuilds the truststore from the wildcard node certificate file you provide, and it does not reintegrate manually imported data store certificates. Therefore, if you run the script after importing data store certificates, you must reimport these certificates. You must also reimport data store certificates when updating the Hybrid Data Pipeline SSL server certificate. For more information, see SSL configuration (load balancer) and Updating SSL certificates.

Take the following steps to import an SSL certificate into the Hybrid Data Pipeline server JRE truststore:

  1. From your console, navigate to the JRE trustore directory. For example:
    cd key_location
  2. Use the keytool to import the certificate file. In the following example, the certificate file is in the PEM file format.
    JAVA_HOME/bin/keytool -importcert -file full_path/selfsignedcert.pem
   -keystore key_location/ddcloudTrustStore.jks -storetype JKS -storepass datadirect
    Note: The default password for the JRE truststore included with the Hybrid Data Pipeline server is datadirect.
  3. Restart the Hybrid Data Pipeline service. For cluster deployments, restart the service on each node in the cluster.
    1. Run the stop service script.
      ./install_dir/ddcloud/stop.sh
      Note: Shutting down Hybrid Data Pipeline can take a few minutes. Wait until you see the Shutdown complete message displayed on the console before taking any additional actions.
    2. Run the start service script.
      ./install_dir/ddcloud/start.sh
  4. Test connectivity to the data store by setting up a Hybrid Data Pipeline data source and running a query against it.

Importing certificates into the Hybrid Data Pipeline server JRE truststore (4.6.1.325 or earlier)

Before you begin, consider reviewing the certificates in the JRE truststore. To view the certificates in the truststore, navigate to the truststore directory and use the keytool utility to list supported certificates. For example:

JAVA_HOME/bin/keytool -list -v -keystore hdp_install_dir/jre/lib/security/cacerts

If you are using a certificate that is not in the truststore, the truststore must be updated on any nodes running the server. The location of the truststore depends on whether you are using the embedded JRE or an external JRE.

  • Embedded JRE trustore location: hdp_install_dir/jre/lib/security/cacerts, where hdp_install_dir is the Hybrid Data Pipeline installation directory.
  • External JRE truststore location: jre_install_dir/jre/lib/security/cacerts, where jre_install_dir is the installation directory of the external JRE used by the server.

Take the following steps to import an SSL certificate into the Hybrid Data Pipeline server JRE truststore:

  1. From your console, navigate to the JRE trustore directory. For example:
    cd hdp_install_dir/jre/lib/security
  2. Use the keytool to import the certificate file. In the following example, the certificate file is in the PEM file format.
    JAVA_HOME/bin/keytool -importcert -file full_path/selfsignedcert.pem
   -keystore cacerts -storetype JKS -storepass changeit
    Note: The default password for the JRE truststore embedded with the Hybrid Data Pipeline server is changeit.
  3. Restart the Hybrid Data Pipeline service.
    1. Run the stop service script.
      ./install_dir/ddcloud/stop.sh
      Note: Shutting down Hybrid Data Pipeline can take a few minutes. Wait until you see the Shutdown complete message displayed on the console before taking any additional actions.
    2. Run the start service script.
      ./install_dir/ddcloud/start.sh
  4. Optional. For a cluster deployment behind a load balancer, follow steps 1-3 for each node running the Hybrid Data Pipeline service.
  5. Test connectivity to the data store by setting up a Hybrid Data Pipeline data source and running a query against it.

Importing certificates into the On-Premises Connector JRE truststore

If you are connecting to an on-premises data store with the On-Premises Connector, you must update the truststore of any On-Premises Connector used to connect to the data store. The location of the On-Premises Connector truststore depends on whether you are using the embedded JRE or an external JRE.

  • Embedded JRE trustore location: opc_install_dir\OPDAS\ConfigTool\ddcloudTrustStore.jks, where opc_install_dir is the On-Premises Connector installation directory.
  • External JRE truststore location: jre_install_dir\jre\lib\security\cacerts, where jre_install_dir is the installation directory of the external JRE used by the On-Premises Connector.

Take the following steps to import an SSL certificate into the On-Premises Connector JRE truststore:

  1. From your console, navigate to the JRE trustore directory. For example:
    cd opc_install_dir\OPDAS\ConfigTool\ddcloudTrustStore.jks
  2. Use the keytool to import the certificate file. In the following example, the certificate file is in the PEM file format.
    JAVA_HOME\bin\keytool -importcert -file full_path/selfsignedcert.pem
   -keystore ddcloudTrustStore.jks -storetype JKS
    Note: There is no default password for the JRE embedded with the On-Premises Connector. If you are updating the embedded JRE, press Enter when prompted for the truststore password to continue.
  3. Restart the On-Premises Connector.
    1. Select Stop Services from the Progress DataDirect Hybrid Data Pipeline On-Premises Connector program group.
    2. After the service has stopped, select Start Services from the Progress DataDirect Hybrid Data Pipeline On-Premises Connector program group.
    3. Select Configuration Tool from the Progress DataDirect Hybrid Data Pipeline On-Premises Connector program group.
    4. Select the Status tab and click Test to verify that the On-Premises Connector configuration is correct.
  4. Optional. Follow steps 1-3 for each On-Premises Connector used to connect to the data store.
  5. Test connectivity to the data store by setting up a Hybrid Data Pipeline data source and running a query against it.