Generate keys, certificates and keystores

To secure communication between the Jobserver and Collibra Data Intelligence Platform, you can use certificates.
In the current configuration, certificates are used as containers for public keys, and the keystore is used to store private keys and certificates.

  • On the node that hosts the Jobserver service, the keystore must be in PKCS#12 format.
  • On the node that hosts the Data Governance Center service, you need a certificate, in PEM format, which includes the public key.

Steps

Note: The commands used in this procedure are only examples. Ask your security officer for more information.

  1. On the node on which you want to install the keystore, certificate and private key, open a terminal or command prompt session.
  2. Go to or create a directory in which you want to create the keystore.
  3. Create the private key and certificate:
    openssl req -x509 -newkey rsa -keyout key.pem -out cert.pem -days 365
    
    Generating a 2048 bit RSA private key
    ............................................+++
    ...................+++
    writing new private key to 'key.pem'
    Enter PEM pass phrase: <optional password>
    Verifying - Enter PEM pass phrase: <repeat password>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:New York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Collibra
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:Francois Lemaire
    Email Address []:<email address>
  4. Create a PKCS#12 keystore that includes the private key and certificate:
    openssl pkcs12 -export -inkey key.pem -in cert.pem -out keystore.p12 -name <meaningful name>
    
    Enter pass phrase for key.pem:<if password added in previous step>
    Enter Export Password:
    Verifying - Enter Export Password:

    Important: We recommend that you provide the name argument with a meaningful name. You then have to use this name as the keystore alias in the JVM configuration of the Jobserver service. If you don't use the name argument and there's only one keystore, then the keystore alias is 1.

  5. Copy the p12 file to %collibra_data%/spark-jobserver/security/.
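
The following script is an added example, not part of Collibra's documentation. It runs steps 3 and 4 without prompts, then checks that the keystore holds the expected alias, that its certificate is the one in cert.pem, that key.pem matches it, and that cert.pem contains no private key. The alias `jobserver-tls`, the subject and both passphrases are constructed values; the passphrases are passed through environment variables rather than on the command line.

```shell
#!/bin/sh
# Added example (not Collibra tooling). Alias, subject and passphrases are constructed.
set -eu
umask 077                         # key.pem and keystore.p12 readable by the owner only
export KEY_PASS='constructed-key-pass' KS_PASS='constructed-store-pass'

# Steps 3-4 without prompts: $1 = working directory, $2 = keystore alias.
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -days 365 -subj '/CN=jobserver.example.internal' \
    -keyout "$1/key.pem" -out "$1/cert.pem" -passout env:KEY_PASS 2>/dev/null
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -name "$2" \
    -out "$1/keystore.p12" -passin env:KEY_PASS -passout env:KS_PASS
}

# Print the alias (PKCS#12 friendlyName) stored with the certificate.
keystore_alias() {
  openssl pkcs12 -in "$1/keystore.p12" -nokeys -passin env:KS_PASS 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Succeed only if the keystore certificate equals cert.pem, key.pem matches it,
# and cert.pem (the file that goes to the other node) holds no private key.
verify_keystore() {
  ks_fp=$(openssl pkcs12 -in "$1/keystore.p12" -nokeys -passin env:KS_PASS 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256)
  pem_fp=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256)
  cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/key.pem" -pubout -passin env:KEY_PASS)
  [ "$ks_fp" = "$pem_fp" ] && [ "$cert_pub" = "$key_pub" ] &&
    ! grep -q 'PRIVATE KEY' "$1/cert.pem"
}

# Demonstration run in a throwaway directory.
demo_dir=$(mktemp -d)
make_keystore "$demo_dir" jobserver-tls
echo "alias: $(keystore_alias "$demo_dir")"
verify_keystore "$demo_dir" && echo "keystore, certificate and key are consistent"
rm -rf "$demo_dir"
```

The alias printed by `keystore_alias` is the value to use as the keystore alias in the JVM configuration of the Jobserver service.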

Working with a truststore

  1. Find the fast_context_jvm.conf file.
    You can use find / -name fast_context_jvm.conf.
    This file can, for example, be located in /opt/collibra/spark-jobserver/conf/fast_context_jvm.conf.

  2. Edit the fast_context_jvm.conf file.
    For example: vi /opt/collibra/spark-jobserver/conf/fast_context_jvm.conf

  3. Add the following truststore properties to fast_context_jvm.conf:

    • -Djavax.net.ssl.trustStore=<fullpath where the cacerts file is located>

    • -Djavax.net.ssl.trustStorePassword=XXXXXX

  4. Restart Jobserver or the complete environment to activate the changes.

You can also check the troubleshooting article on the Support portal.