SSL termination at the server is required for deployments that do not include a load balancer. In this type of configuration, the server runs on a single node and receives queries directly from client applications. To establish trust between clients and the server, the Hybrid Data Pipeline server requires the full certificate chain, including the private and public keys of the SSL certificate, any intermediate certificates, and the root certificate. By default, a self-signed certificate is used for deployments. The self-signed certificate simplifies deployment and may be used for testing purposes. However, for a production environment, a PEM file with the full certificate chain should be specified to enable SSL.
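A structural pre-deployment check for the full-chain PEM file described above, given as an added example that is not part of the Hybrid Data Pipeline product or its documentation. The function names and sample blocks are hypothetical, and the check assumes the file holds exactly one unencrypted private key plus the server, intermediate, and root certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def lint_chain_pem(text):
    """Return a list of structural problems in a full-chain PEM bundle."""
    problems, labels = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{label}: body is not valid base64")
            continue
        # Certificates and private keys are all DER SEQUENCEs (tag 0x30).
        if not der.startswith(b"\x30"):
            problems.append(f"{label}: payload is not a DER SEQUENCE")
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            problems.append(f"{label}: unexpected block type")
    keys = sum(1 for name in labels if name in KEY_LABELS)
    certs = labels.count("CERTIFICATE")
    if keys != 1:
        problems.append(f"expected exactly 1 private key, found {keys}")
    if certs == 0:
        problems.append("no certificate found")
    elif certs == 1:
        problems.append("only 1 certificate: chain has no intermediate or "
                        "root (or the certificate is self-signed)")
    return problems


def make_block(label, der=b"\x30\x03\x02\x01\x01"):
    """Constructed placeholder block (not real key or certificate data)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed sample: key, server cert, intermediate, root.
    bundle = make_block("PRIVATE KEY") + make_block("CERTIFICATE") * 3
    print(lint_chain_pem(bundle) or "structure OK")
    print(lint_chain_pem(make_block("PRIVATE KEY") + make_block("CERTIFICATE")))
```

This check covers file structure only; it does not verify signatures, chain order, or that the private key matches the server certificate.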

Important: When TLS/SSL is enabled for communication between an ODBC client application and Hybrid Data Pipeline, the server certificate must be encrypted with an OpenSSL 3.5-compliant cryptographic algorithm.

Docker deployment

For a Docker deployment, you specify the full path of the PEM file with the HDP_NODE_CERT_FILE property. This property may be specified in the hdpdeploy.properties file, or it may be specified as an environment variable in the docker run command. If nothing is specified, the self-signed certificate is used. See Deploying Hybrid Data Pipeline using Docker for details.

Linux installation

When installing the server on a Linux host, you specify the self-signed certificate or the PEM file during installation. See Installing the Hybrid Data Pipeline server for details.

Note: For improved security on a single-node Linux installation without a load balancer, you may disable HTTP ports by running the disable_http.sh script. See Disabling HTTP ports for details.

Component installation

For ODBC, JDBC, and on-premises connectivity, you will need to install the ODBC driver, JDBC driver, and On-Premises Connector. In addition, for ODBC or JDBC connectivity, you must configure your application to use the ODBC or JDBC driver. See Installing the Hybrid Data Pipeline Driver for ODBC, Installing the Hybrid Data Pipeline Driver for JDBC, and Installing the Hybrid Data Pipeline On-Premises Connector for details.

The ODBC driver, JDBC driver, and On-Premises Connector need only the root certificate to verify the trust of the server certificate supplied during the SSL handshake. During installation or deployment of the server, the required certificate files are written to the redist directory. These and other files in the redist directory must be used in the installation of the ODBC driver, JDBC driver, and On-Premises Connector. For a non-Docker, non-load balancer deployment, these files are written to the Hybrid Data Pipeline installation directory <install_dir>/redist. For a Docker deployment, these files are written to the redist directory of the shared file location.

OData application configuration

OData connectivity is handled by an OData layer within Hybrid Data Pipeline, and therefore does not require the use of a separate component. However, you may need to configure your OData application for SSL.

If you are using a well-known certificate, the root CA certificate will be used to validate the server certificate. In this scenario, it is unlikely any special configuration will be required.

If you are using a less-well-known certificate, you will need to configure your OData application to use the ddcloud.pem certificate file written to the redist directory during deployment of the Hybrid Data Pipeline server. For a non-Docker, non-load balancer deployment, the ddcloud.pem file is written to the Hybrid Data Pipeline installation directory <install_dir>/redist. For a Docker deployment, the ddcloud.pem file is written to the redist directory of the shared file location.