Enabling HTTPS

Enable HTTPS for Transformer to secure the communication to the Transformer UI and REST API and to use Transformer with StreamSets Control Hub.

When registered with Control Hub cloud, Transformer must use the HTTPS protocol because Control Hub cloud also uses the HTTPS protocol. When registered with Control Hub on-premises, Transformer must use the same protocol as the Control Hub on-premises installation.

By default, Transformer and Control Hub on-premises use the HTTP protocol. StreamSets recommends using HTTPS in a production environment. HTTPS requires SSL/TLS certificates.

Prerequisites

Before you enable HTTPS for Transformer, complete the following requirements:

Obtain access to OpenSSL and Java keytool
If you do not have a keystore file that includes an SSL/TLS certificate signed by a certificate authority (CA), you can request a certificate and create the keystore file using the following tools:
  • OpenSSL - Use OpenSSL to create a Certificate Signing Request (CSR) that you send to the CA of your choice, as well as to create the keystore and truststore files. For more information, see the OpenSSL documentation.
  • Java keytool - You can also use Java keytool to create a CSR and to create keystore and truststore files. Java keytool is part of the Java Development Kit (JDK). For more information, see the keytool documentation.
Generate the SSL/TLS certificate and private key pair signed by a certificate authority (CA)
To enable HTTPS for Transformer, generate a private key and public certificate pair for Transformer. Transformer provides a self-signed certificate that you can use. However, web browsers generally issue a warning for self-signed certificates. StreamSets strongly recommends that you generate a key and certificate pair signed by a CA.
Important: The signed certificate must include the fully qualified domain name (FQDN) for the Transformer machine.
To obtain a certificate from a trusted CA, you must provide proof that you are the owner of the domain name for which you are requesting the certificate. Use OpenSSL or keytool to generate a key pair and then submit a Certificate Signing Request (CSR) to the CA. The exact procedure depends on the CA that you choose to use - see the documentation provided by the CA.

Create a Keystore File

Create a keystore file that includes the private key and public certificate pair signed by the CA. A keystore is used to verify the identity of the client upon a request from an SSL/TLS server.

StreamSets recommends using a certificate signed by a trusted CA. If the certificate is not signed by a trusted CA, such as a self-signed certificate, you must also add the certificate to the truststore.

StreamSets also recommends creating keystores in the PKCS #12 (p12 file) format. In most cases, a CA issues certificates in PEM format. Use OpenSSL to directly import the certificate into a PKCS #12 keystore.

  1. Use the following command to import the certificate and private key issued in PEM format to a PKCS #12 keystore for Transformer:
    openssl pkcs12 -export -in <PEM certificate> -inkey <private key> -out <keystore filename> -name <keystore name> 

    You will be prompted to create a password for the keystore file.

    For example, the following command converts the certificate tx_company_com.pem and private key tx_company_com.key to the PKCS #12 keystore file named tx_company_com.p12:
    openssl pkcs12 -export -in tx_company_com.pem -inkey tx_company_com.key -out tx_company_com.p12 -name tx_company_com
  2. Store the Transformer keystore file in the Transformer configuration directory, $TRANSFORMER_CONF.
    For example, store the file in the following directory:
    /etc/transformer/tx_company_com.p12
  3. Store the Transformer keystore password in the default password text file used by Transformer, $TRANSFORMER_CONF/keystore-password.txt.
    Tip: To ensure that a newline character is not added after the password, run the following command:
    echo -n "<password>" > keystore-password.txt

Create a Truststore File

A truststore file contains certificates from trusted CAs that an SSL/TLS client uses to verify the identity of an SSL/TLS server. Transformer uses the default Java truststore file located in $JAVA_HOME/jre/lib/security/cacerts to identify Control Hub as an SSL/TLS server.

You do not need to create a truststore file and can skip this step in the following situations:
  • Transformer is registered with Control Hub cloud.
  • Transformer is registered with Control Hub on-premises and your certificates are signed by a trusted CA included in the default Java truststore file.

You must create a custom truststore file or modify a copy of the default Java truststore file when Transformer is registered with Control Hub on-premises and the Control Hub certificates are signed by a private CA or not trusted by the default Java truststore. For example, if your organization generates its own certificates, you must add the root and intermediate certificates for your organization to the truststore file.

If Transformer is configured to use HTTPS with a certificate that is not signed by a trusted CA, you should also add that certificate to the truststore.

These steps show how to modify a copy of the default truststore file to add an additional CA to the list of trusted CAs. If you prefer to create a custom truststore file, see the keytool documentation.

You can create the following types of truststores for Transformer:
  • Java keystore file (JKS)
  • PKCS #12 (p12 file)
  1. Use the following command to set the JAVA_HOME environment variable:
    export JAVA_HOME=<Java home directory>
  2. Use the following command to set the TRANSFORMER_CONF environment variable:
    export TRANSFORMER_CONF=<Transformer configuration directory>
    For example:
    export TRANSFORMER_CONF=/etc/transformer
  3. Use the following command to copy the default Java truststore file to the Transformer configuration directory:
    cp "${JAVA_HOME}/jre/lib/security/cacerts" "${TRANSFORMER_CONF}/truststore.jks"
  4. Use the following keytool command to import the CA certificate into the truststore file:
    keytool -import -file <CA certificate> -trustcacerts -noprompt -alias <CA alias> -storepass <password> -keystore "${TRANSFORMER_CONF}/truststore.jks"
    For example:
    keytool -import -file  tx_company_com.pem -trustcacerts -noprompt -alias MyCorporateCA -storepass changeit -keystore "${TRANSFORMER_CONF}/truststore.jks"
  5. Store the Transformer keystore password in the default password text file used by Transformer, $TRANSFORMER_CONF/truststore-password.txt.
    Tip: To ensure that a newline character is not added after the password, run the following command:
    echo -n "<password>" > truststore-password.txt

Configure Transformer to Use HTTPS

Modify the Transformer configuration file, $TRANSFORMER_CONF/transformer.properties, to configure Transformer to use a secure port and your keystore file. If you created a custom truststore file or modified a copy of the default Java truststore file, configure Transformer to use that truststore file.

  1. Configure the following properties in the Transformer configuration file, transformer.properties:
    Transformer HTTPS Property Description
    transformer.base.http.url Transformer URL. If the property is uncommented and defined, modify to use the HTTPS protocol and the secure port number, for example:
    transformer.base.http.url=https://myhost:19636

    When you run pipelines on a Spark cluster, you must uncomment and define this property so that the cluster can access Transformer at this URL, as described in the installation instructions.

    https.port Secure port number for Transformer. For example, 19636.

    Any number besides -1 enables the secure port number.

    Note: When both the HTTP and HTTPS port properties are defined in the configuration file, the HTTP port bounces to the HTTPS port.
    https.keystore.path Path and name of the keystore file. Enter an absolute path or a path relative to the $TRANSFORMER_CONF directory.
    For example, to use a keystore file named tx_company_com.p23 stored in the $TRANSFORMER_CONF directory, configure the property as follows:
    https.keystore.path=tx_company_com.p12
    Note: Default is keystore.jks in the $TRANSFORMER_CONF directory which provides a self-signed certificate that you can use. However, StreamSets strongly recommends that you generate a certificate signed by a trusted CA, as described in Prerequisites.
    https.keystore.password Password to open the keystore file.
    If you added the password to the default password text file used by Transformer, you can use the default value:
    https.keystore.password=${file("keystore-password.txt")}
    https.truststore.path Path and name of the truststore file.

    If you created a custom truststore file or modified a copy of the default Java truststore file, uncomment this property and enter an absolute path or a path relative to the $TRANSFORMER_CONF directory.

    If you imported the CA certificate into the truststore file in the ${TRANSFORMER_CONF}/truststore.jks file, you can use the default value:

    https.truststore.path=truststore.jks

    If you do not uncomment and configure the property, Transformer uses the default Java truststore file located in $JAVA_HOME/jre/lib/security/cacerts to identify Control Hub as an SSL/TLS server.

    https.truststore.password Password to open the truststore file.

    Uncomment this property to specify the location of the password.

    If you added the password to the default password text file used by Transformer, you can use the default value:
    https.truststore.password=${file("truststore-password.txt")}
  2. For an installation started as a service on operating systems that use the systemd init system, edit the /usr/lib/systemd/system/sdc.socket file to use the same secure port that you just defined.
    For example, if you defined the Transformersecure port number as 19636, modify these lines in the file as follows:
    [Socket]
    ListenStream=19636
    ListenStream=0.0.0.0:19636
  3. Use the following command to reload the systemd manager configuration:
    systemctl daemon-reload
  4. Restart Transformer to enable the changes.