Greenplum recommends that you configure Greenplum Chorus with an SSL certificate. There are several ways to do this, including setting up a web server in front
of Chorus, or installing the certificate on the load balancer.
To generate an SSL certificate with OpenSSL
Note: If you are using a self-signed certificate, your browser will prompt you with an untrusted SSL certificate warning
1. Generate an RSA private key
openssl genrsa -des3 -out server.key 1024
Use anything for your password that you will remember later.
2. Generate a Certificate Signing Request (CSR)
openssl req -new -key server.key -out server.csr
Respond to the questions as shown in the examples:
What is your first and last name?
Note: Enter the URL for Greenplum Chorus.
What is the name of your organizational unit?
Data and Insights
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=chorus-ga.greenplum.com, OU=Data and Insights,
O=Greenplum, L=San Mateo, ST=California, C=US correct?
Enter key password for <chorus>
(RETURN if same as keystore password.)
3. Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Without this step you will need to type the password you created in Step 1 each time you start Chorus.
4. Generate a self-signed certificate from the CSR
Note: If you want an official SSL certificate (Greenplum recommended), submit this CSR to a signing authority such as Thawte or Verisign and continue to Step 5
when you have the certificate (.crt) file.
openssl x509 -req -days 365 -in server.csr -signkey
server.key -out server.crt
5. Install the Private Key and Certificate into Chorus
Configure chorus.properties to point to the locations of your private key and certificate files:
Restart Chorus to apply the configuration.
Note: To run Chorus on port 443 (the default ssl port e.g. https://:443), Greenplum recommends that you set up a Web server proxy to Chorus.