Configure Greenplum Chorus with an SSL certificate.

Greenplum recommends that you configure Greenplum Chorus with an SSL certificate. There are several ways to do this, including setting up a web server in front of Chorus, or installing the certificate on the load balancer.

To generate an SSL certificate with OpenSSL

Note: If you are using a self-signed certificate, your browser will prompt you with an untrusted SSL certificate warning.

1. Generate an RSA private key

openssl genrsa -des3 -out server.key 2048

Choose any passphrase that you will remember later.

2. Generate a Certificate Signing Request (CSR)

openssl req -new -key server.key -out server.csr

Respond to the questions as shown in the examples:

What is your first and last name?
[Unknown]: chorus-ga.greenplum.com

Note: Enter the URL for Greenplum Chorus.

What is the name of your organizational unit?
[Unknown]: Data and Insights

What is the name of your organization?
[Unknown]: Greenplum

What is the name of your City or Locality?
[Unknown]: San Mateo

What is the name of your State or Province?
[Unknown]: California

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=chorus-ga.greenplum.com, OU=Data and Insights, O=Greenplum, L=San Mateo, ST=California, C=US correct?
[no]: yes

Enter key password for <chorus>
(RETURN if same as keystore password.)

3. Remove Passphrase from Key

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

Without this step you will need to type the password you created in Step 1 each time you start Chorus.

4. Generate a self-signed certificate from the CSR

Note: If you want an official SSL certificate (Greenplum recommended), submit this CSR to a signing authority such as Thawte or Verisign and continue to Step 5 when you have the certificate (.crt) file.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5. Install the Private Key and Certificate into Chorus 

Configure chorus.properties to point to the locations of your private key and certificate files:

ssl.enabled= true
ssl_server_port= 8443
ssl_certificate= /usr/local/greenplum-chorus/current/config/test.crt
ssl_certificate_key= /usr/local/greenplum-chorus/current/config/test.key

Restart Chorus to apply the configuration.

Note: To run Chorus on port 443 (the default SSL port, e.g. https://:443), Greenplum recommends that you set up a web server proxy to Chorus.
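
The script below is an added example, not part of the Greenplum documentation. It checks the files produced in Steps 1 to 4 before they are installed in Step 5: the key has no passphrase, only its owner can access it, it matches the certificate, and the certificate is not about to expire. The function names and the 30-day threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Chorus code. Usage: sh <this-script> server.key server.crt
# Function names and the 30-day default are illustrative.

# Step 3 done? Succeeds only if the key loads without a passphrase.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# After step 3 the key is stored in the clear, so group and other
# must have no permission bits on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The certificate must carry the public half of this key; a .crt issued
# for a different CSR fails here.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Run every check, report each failure, return non-zero if any failed.
check_chorus_tls() {
    rc=0
    key_is_unencrypted "$1"  || { echo "FAIL: $1 is encrypted or unreadable"; rc=1; }
    key_is_private "$1"      || { echo "FAIL: $1 is accessible to group/other"; rc=1; }
    pair_matches "$1" "$2"   || { echo "FAIL: $2 does not match $1"; rc=1; }
    cert_valid_for_days "$2" || { echo "FAIL: $2 is unreadable or expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are ready for chorus.properties"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_chorus_tls "$1" "$2"
fi
```

Because Step 3 leaves the private key unencrypted on disk, a failed permission check is fixed with chmod 600 on the key file before Chorus is restarted.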