Set up mutual authentication with a proxy server

If you use mutual authentication with a proxy server between the Collibra Platform service and the Jobserver service, the configuration of both services is slightly different, especially with the certificates.

Prerequisites

Your certificates meet the necessary specifications. If not, convert them to the right format.

Edit the Jobserver service settings

Execute the following steps in Collibra Console that manages the Jobserver service.

Open Collibra Console with a user profile that has the SUPER role.
Collibra Console opens with the Infrastructure page.
Click the Jobserver service of a Collibra environment.
The details of the Jobserver service are shown.
Click Infrastructure Configuration.

Enter the security configuration:

Setting	Description
Authentication level	The authentication level to communicate with the Jobserver. The client (reverse proxy server) must be configured according the here selected authentication level.
Server certificate chain	The certificate or certificate chain with the public key that is offered by the Jobserver to the reverse proxy server.
Server private key	The private key that is part of the Jobserver's certificate or certificate chain.
Trusted client CA certificate	The certificate of the trusted CA used to validate the client certificate (reverse proxy server). To restrict authentication to this client, the CA should be exclusively used by this server.

Click Save all.

Add a proxy server to the Collibra service

Execute the following steps in Collibra Console that manages your Collibra service.

Open the DGC service settings for editing:
In the Jobserver section, click Add.

Enter the necessary information:

Setting	Description
Jobserver list	The list of registered Jobserver instances.
Name	The name of the Jobserver as it will appear when you register a data source in Data Catalog.
Protocol	The protocol that is used for the communication between the Collibra Platform service and the reverse proxy server. It is recommended to use HTTPS, especially if the services are hosted in different network segments.
Address	The address (IP address, URL, hostname) of the reverse proxy server.
Trusted server CA certificate	The certificate of the trusted CA needed to validate the server certificate. If blank, the default truststore will be used. The default truststore is defined in the SSL configuration section of the Collibra service. The CA certificate of the server party (reverse proxy server).
Client certificate	The client certificate offered by the Collibra service to the server. If blank, you cannot select mutual authentication as the Jobserver service authentication level.
Client private key	The private key of the Collibra service's certificate.
Table profiling data size	The approximate maximum disk size of the data in MB that will be used to profile a table. The value cannot exceed 10,000.
Test connection timeout	This timeout is a time limit (in seconds) after which the connection test is stopped and a timeout error is shown. The default value is 60 seconds.

Click Save all.

You can still add multiple Jobserver services but then you will need one reverse proxy server per Jobserver. In the unlikely event that there are multiple Jobservers behind one reverse proxy server, you have to configure the reverse proxy server in such a way that there is a unique port per Jobserver.

Configuring the proxy server

Consult the documentation of your reverse proxy server to configure the server side and client side.