Configure Greenplum Chorus with an SSL certificate.
Greenplum recommends that you configure Greenplum Chorus with an SSL certificate. There are several ways to do this, including setting up a web server in front of Chorus, or installing the certificate on the load balancer.
To generate an SSL certificate with OpenSSL
Note: If you are using a self-signed certificate, your browser will prompt you with an untrusted SSL certificate warning.
1. Generate an RSA private key
openssl genrsa -des3 -out server.key 1024
Use any password that you will remember later.
2. Generate a Certificate Signing Request (CSR)
openssl req -new -key server.key -out server.csr
Respond to the questions as shown in the examples:
What is your first and last name?
[Unknown]: chorus-ga.greenplum.com
Note: Enter the URL for Greenplum Chorus.
What is the name of your organizational unit?
[Unknown]: Data and Insights
What is the name of your organization?
[Unknown]: Greenplum
What is the name of your City or Locality?
[Unknown]: San Mateo
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=chorus-ga.greenplum.com, OU=Data and Insights, O=Greenplum, L=San Mateo, ST=California, C=US correct?
[no]: yes
Enter key password for <chorus>
(RETURN if same as keystore password.)
3. Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Without this step you will need to type the password you created in Step 1 each time you start Chorus.
4. Generate a self-signed certificate from the CSR
Note: If you want an official SSL certificate (Greenplum recommended), submit this CSR to a signing authority such as Thawte or Verisign and continue to Step 5 when you have the certificate (.crt) file.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
5. Install the Private Key and Certificate into Chorus
Configure chorus.properties to point to the locations of your private key and certificate files:
ssl.enabled= true
ssl_server_port= 8443
ssl_certificate= /usr/local/greenplum-chorus/current/config/test.crt
ssl_certificate_key= /usr/local/greenplum-chorus/current/config/test.key
Restart Chorus to apply the configuration.
Note: To run Chorus on port 443 (the default SSL port, e.g. https://:443), Greenplum recommends that you set up a web server proxy to Chorus.
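
Step 3 leaves the private key unencrypted on disk, so the key and certificate are worth checking before the restart in Step 5. The script below is an added example, not part of the Greenplum documentation; the function names, the 30-day expiry window and the 2048-bit minimum (the size publicly trusted CAs require for RSA keys) are assumptions of this example, and a key generated with the 1024 shown in Step 1 is reported as too small.

```shell
#!/bin/sh
# Added example (not Greenplum's): checks on the key/certificate pair from
# steps 1-5. Function names and thresholds are assumptions of this example.

# Step 3 done? The key must load with an empty passphrase.
key_is_unencrypted() {
    openssl rsa -in "$1" -passin pass: -noout 2>/dev/null
}

# Modulus length in bits, parsed from "Private-Key: (N bit...)".
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# The certificate must carry the public half of this private key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# An unencrypted key is protected only by file permissions:
# no access bits for group or other (e.g. mode 600 or 400).
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks; print one line per failure; return non-zero on any failure.
check_chorus_tls() {
    key=$1; cert=$2; rc=0
    key_is_unencrypted "$key" || { echo "FAIL: key unreadable or still passphrase-protected"; rc=1; }
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-?} bits, below 2048"; rc=1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: certificate does not match key"; rc=1; }
    key_is_private "$key" || { echo "FAIL: key is accessible to group/other"; rc=1; }
    # -checkend N fails if the certificate expires within N seconds (30 days here).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return $rc
}

# Usage: check_chorus_tls server.key server.crt && echo "OK to restart Chorus"
```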