Setting up a custom keystore in Collibra DQ

This topic shows you how to set up the keystore and truststore file for the Collibra Data Quality & Observability application to use across various deployment types.

  1. Create a Java KeyStore, as demonstrated in Setting up SSL (HTTPS).
  2. Copy the JKS or PKCS12 file to a location inside the VM where DQ Web is running, for example file:///etc/ssl/dev-keystore.jks.
  3. Update owl-env.sh with the following properties:
    1. For SSL
        SERVER_SSL_KEY_STORE=file:///etc/ssl/dev-keystore.jks
        SERVER_SSL_KEY_ALIAS=alias                     #This is the alias used when creating the keystore
        SERVER_SSL_KEY_PASS=<keystore-password>        #The password of the keystore
        SERVER_SSL_KEY_TYPE=JKS                        #This is either JKS or PKCS12
    2. For SAML
        SAML_KEYSTORE_FILE=file:///etc/ssl/dev-keystore.jks
        SAML_KEYSTORE_ALIAS=alias                     #This is the alias used when creating the keystore
        SAML_KEYSTORE_PASS=<keystore-password>        #The password to the keystore
  4. Restart the Collibra Data Quality & Observability application.
  5. Collibra Data Quality & Observability now uses the keystore file for SSL and SAML.

    Note Depending on the IdP configuration, you may need to re-import the SP metadata for SAML. To do this, download the Collibra Data Quality & Observability SP metadata from the https://<your_dq_environment_url>/saml/metadata endpoint and share it with the IdP to configure the SP.
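A mismatch between the keystore file, its type, the alias and the password only surfaces when DQ Web fails to start after the restart in step 4. The following pre-flight check, added here as an example and not part of Collibra's documentation or product, verifies the same values that go into SERVER_SSL_KEY_* and SAML_KEYSTORE_* (and into the Helm --set values for the Cloud Native deployment) against the local keystore file before you restart; it assumes keytool from a JDK/JRE is on PATH, and the path, alias and return codes are constructed for the example.

```shell
#!/usr/bin/env sh
# Pre-flight check for a DQ keystore: does the file exist, does the password
# open it, does the alias exist, and does the alias hold a private key (SSL and
# SAML signing need a PrivateKeyEntry, not just a trusted certificate).

# Turn the file:// URI used in owl-env.sh into a local path (plain paths pass through).
keystore_uri_to_path() {
    case "$1" in
        file://*) printf '%s\n' "${1#file://}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Derive the SERVER_SSL_KEY_TYPE value from the file extension; fails on anything else.
keystore_type_from_name() {
    case "$1" in
        *.jks)       echo JKS ;;
        *.p12|*.pfx) echo PKCS12 ;;
        *)           return 1 ;;
    esac
}

# check_keystore <file-uri-or-path> <alias> <password>
# Returns 0 when everything is consistent, 2 when the file is missing,
# 3 when the type is unknown, keytool cannot open the store or the alias is
# absent, and 4 when the alias is not a PrivateKeyEntry.
check_keystore() {
    ks_uri=$1; ks_alias=$2; ks_pass=$3
    ks_path=$(keystore_uri_to_path "$ks_uri")
    [ -f "$ks_path" ] || { echo "keystore not found: $ks_path" >&2; return 2; }
    ks_type=$(keystore_type_from_name "$ks_path") \
        || { echo "cannot derive keystore type from: $ks_path" >&2; return 3; }
    # keytool exits non-zero on a wrong password or an unknown alias.
    entry=$(keytool -list -keystore "$ks_path" -storetype "$ks_type" \
                    -storepass "$ks_pass" -alias "$ks_alias" 2>&1) \
        || { echo "keytool: $entry" >&2; return 3; }
    case "$entry" in
        *PrivateKeyEntry*) return 0 ;;
        *) echo "alias '$ks_alias' is not a PrivateKeyEntry" >&2; return 4 ;;
    esac
}

# Example run with the values from owl-env.sh; the password is read from the
# environment so it does not land in shell history (constructed values).
# SERVER_SSL_KEY_PASS=... sh check-keystore.sh --run
if [ "${1:-}" = "--run" ]; then
    check_keystore file:///etc/ssl/dev-keystore.jks alias "$SERVER_SSL_KEY_PASS" \
        && echo "keystore OK: safe to restart DQ Web"
fi
```

For the Cloud Native deployment, run check_keystore on the local <file-name.jks> before kubectl create secret, since the same alias and password are passed through the Helm values.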

Using a custom keystore or truststore in a Cloud Native deployment requires you to mount the keystore file inside the web pod.

Enabling SSL

  1. Create a K8s secret using the keystore file:
       kubectl create secret generic dq-ssl-secret --from-file <file-name.jks> --namespace <dev>
  2. Enable SSL with the following Helm chart values:
       --set global.web.tls.enabled=true --set global.web.tls.key.alias=<alias-name> --set global.web.tls.key.pass=<keystore-pass>
  3. Start the Collibra Data Quality & Observability application.

Using SAML with SSL enabled

  1. Create a K8s secret using the keystore file:
       kubectl create secret generic dq-ssl-secret --from-file <file-name.jks> --namespace <dev>
  2. Set the SAML keystore parameters through the following Helm chart values:
       --set global.web.security.saml.keyStoreFile=file:///etc/ssl/dqkeystore.jks --set global.web.security.saml.keyStoreAlias=<alias-name> --set global.web.security.saml.keyStorePass=<keystore-pass>
  3. Start the Collibra Data Quality & Observability application.

Using SAML without SSL enabled

Important When using SAML in its current implementation, you must enable SSL to use a custom keystore. If you rely on a Load Balancer to manage SSL, you can still enable SSL by stopping SSL at the Load Balancer. You can also enable an HTTP port to allow a Load Balancer to connect to it, as shown in step 3 below. In a future release, we plan to provide support for custom keystores without SSL enabled.

  1. Create a K8s secret using the keystore file:
       kubectl create secret generic dq-ssl-secret --from-file <file-name.jks> --namespace <dev>
  2. Set the SAML keystore parameters through the following Helm chart values:
       --set global.web.security.saml.keyStoreFile=file:///etc/ssl/dqkeystore.jks --set global.web.security.saml.keyStoreAlias=<alias-name> --set global.web.security.saml.keyStorePass=<keystore-pass>
  3. (Optional) If you want to include a non-SSL HTTP port, manually update the Web ConfigMap with the following property:
       SERVER_HTTP_ENABLED=true
  4. Start the Collibra Data Quality & Observability application.