SSL Setup (HTTPS)

By default, Collibra DQ has plain HTTP enabled for testing. When you are ready to enable SSL for the web application, set the following environment variables in owl-env.sh to enable HTTPS.

Note The URL you are using must include a fully qualified domain name.

The settings listed at the bottom of this page disable insecure HTTP, enable secure HTTPS, and allow you to point to your certificate keystore and its credentials. A restart of the web application is required.

Warning You must restart the web application from the bin directory: ./owlmanage.sh restart=owlweb.

Before starting the SSL setup, please generate a keystore.

Generate a Keystore

You can use the JDK keytool utility to generate a keystore, which helps to manage private and public keys and associated certificates. With this utility, you can administer your own public/private key pairs and associated certificates. The keystore allows you to protect your private keys with a password.

All certificates within the keystore are associated with a unique alias that gets used as a pointer to perform keytool operations, such as import, export, delete, and/or change certificates and keys.

Note Implementation is dependent upon your specific architecture.

Use something similar to the following command to create the keystore.

keytool -genkey -alias <your alias> -keyalg RSA -keysize 2048 -keystore <file name>

Generate a Certificate Signing Request (CSR) from the Keystore

You must create a CSR from the Keystore to share with the Certificate Authority (CA). This allows you to obtain a valid SSL certificate, which is signed by the CA, to secure your site.

Use a command that is similar to the following to create the CSR.

keytool -certreq -alias <your alias> -keystore <file name>

Note When prompted, enter the alias name and password.

You can now submit the CSR to a CA for signing. The CA will send you a CA-signed certificate file.

Generate a PKCS12 File Using the Public and Private Key from the CA

You will receive a bundle from the CA containing your public and private key, which you can then export by using a command such as the following.

export SERVER_SSL_KEY_STORE=<path to your key store>

You can call Collibra DQ's built-in 256-bit encryption for the SERVER_SSL_KEY_PASS value from the bin directory: ./owlmanage.sh encrypt=<sensitive plain text string>. Use the response value instead of the plain text value to secure your password.

Note Encrypting the password with owlmanage.sh is optional.

export SERVER_SSL_KEY_PASS=<secure result from owl encryption script>

For Standalone Deployments

export SERVER_HTTP_ENABLED=false
export SERVER_HTTPS_ENABLED=true
export SERVER_REQUIRE_SSL=true

####START KEYSTORE SETTINGS####
export SERVER_SSL_KEY_TYPE=PKCS12
#SET PATH TO KEYSTORE
export SERVER_SSL_KEY_STORE=KeystorePathHere
export SERVER_SSL_KEY_PASS=*******
export SERVER_SSL_KEY_ALIAS=keystoreAliasNameHere

Note The most common SSL types are JKS and PKCS12.

For Kubernetes Deployments

SERVER_HTTP_ENABLED: false
SERVER_HTTPS_ENABLED: true
SERVER_REQUIRE_SSL: true
SERVER_SSL_KEY_TYPE: PKCS12
SERVER_SSL_KEY_STORE: KeystorePathHere
SERVER_SSL_KEY_PASS: *******
SERVER_SSL_KEY_ALIAS: keystoreAliasNameHere

Note Add the standalone values to owl-env.sh and the Kubernetes values to the configmap.
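
Because a wrong keystore setting only shows up after the restart, a pre-flight check of the standalone settings can catch it first. The following is an added example, not part of Collibra DQ: check_dq_tls_env is a hypothetical helper, and treating any key type other than PKCS12 or JKS, or a group- or world-readable keystore file, as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the TLS settings before restarting owlweb.
# check_dq_tls_env is a hypothetical helper, not part of Collibra DQ.
# Usage: check_dq_tls_env /path/to/owl-env.sh && ./owlmanage.sh restart=owlweb
check_dq_tls_env() (
    envfile=$1
    problems=0
    fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

    [ -r "$envfile" ] || { echo "FAIL: cannot read $envfile" >&2; exit 2; }
    case $envfile in */*) ;; *) envfile=./$envfile ;; esac  # stop '.' searching PATH

    # Clear inherited values so a variable missing from the file is reported.
    unset SERVER_HTTP_ENABLED SERVER_HTTPS_ENABLED SERVER_REQUIRE_SSL \
          SERVER_SSL_KEY_TYPE SERVER_SSL_KEY_STORE SERVER_SSL_KEY_PASS \
          SERVER_SSL_KEY_ALIAS
    . "$envfile"   # sourced inside this subshell; the caller's environment is untouched

    [ "${SERVER_HTTP_ENABLED:-}" = "false" ] || fail "SERVER_HTTP_ENABLED is not false: plain HTTP stays on"
    [ "${SERVER_HTTPS_ENABLED:-}" = "true" ] || fail "SERVER_HTTPS_ENABLED is not true"
    [ "${SERVER_REQUIRE_SSL:-}" = "true" ]   || fail "SERVER_REQUIRE_SSL is not true"
    case "${SERVER_SSL_KEY_TYPE:-}" in
        PKCS12|JKS) ;;
        *) fail "SERVER_SSL_KEY_TYPE is '${SERVER_SSL_KEY_TYPE:-}', expected PKCS12 or JKS" ;;
    esac
    [ -n "${SERVER_SSL_KEY_ALIAS:-}" ] || fail "SERVER_SSL_KEY_ALIAS is empty"
    [ -n "${SERVER_SSL_KEY_PASS:-}" ]  || fail "SERVER_SSL_KEY_PASS is empty"

    ks=${SERVER_SSL_KEY_STORE:-}
    if [ -z "$ks" ] || [ ! -f "$ks" ]; then
        fail "SERVER_SSL_KEY_STORE does not point to a file: '$ks'"
    elif [ -n "$(find "$ks" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
        # The keystore holds the private key, so only the service account should read it.
        fail "keystore $ks is group- or world-readable; restrict it with chmod 600"
    fi

    [ "$problems" -eq 0 ]   # exit status 0 only when every check passed
)
```

The function returns 0 when all checks pass, 1 when any check fails, and 2 when the file cannot be read; each failure is printed to stderr.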