mirror of
https://github.com/open-metadata/OpenMetadata.git
synced 2025-10-24 07:14:48 +00:00
95 lines
5.4 KiB
Markdown
95 lines
5.4 KiB
Markdown
---
|
|
title: Enable SSL at the OpenMetadata Server
|
|
slug: /deployment/security/enable-ssl/openmetadata-server
|
|
collate: false
|
|
---
|
|
|
|
# Enable SSL at the OpenMetadata Server
|
|
|
|
The OpenMetadata Server is built using **Dropwizard** and **Jetty**. In this section, we will go through the steps
|
|
involved in setting up SSL for Jetty.
|
|
|
|
If you would like a simple way to set up SSL, please refer to the guide using [Nginx](/deployment/security/enable-ssl/nginx).
|
|
|
|
However, this step can be treated as an additional layer of adding SSL to OpenMetadata. In cases where one would use
|
|
Nginx as a load balancer or AWS LB, you can set up SSL at the OpenMetadata server level such that traffic from the
|
|
load balancer to OpenMetadata is going through an encrypted channel.
|
|
|
|
## Create Self-Signed Certificate
|
|
|
|
A self-signed certificate should only be used for POC (demo) or `localhost` installation.
|
|
|
|
For production scenarios, please reach out to your DevOps team to issue an X509 certificate which you can import into a
|
|
Keystore. Run the below command to generate an X509 Certificate and import it into keystore:
|
|
|
|
```commandline
|
|
keytool -keystore openmetadata.keystore.jks -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -genkey -validity 365
|
|
```
|
|
|
|
{% image src="/images/v1.6/deployment/security/enable-ssl/openmetadata-server/keystore-1.png" alt="keystore" /%}
|
|
|
|
|
|
For this example, we are configuring the password to be `test12`. Copy the generated `openmetadata.keystore.jks` to
|
|
OpenMetadata installation path under the `conf` directory.
|
|
|
|
{% image src="/images/v1.6/deployment/security/enable-ssl/openmetadata-server/keystore-2.png" alt="keystore" /%}
|
|
|
|
|
|
## Configure openmetadata.yaml
|
|
|
|
Add the below section to your `openmetadata.yaml` under the `conf` directory. Please add the password you set for the
|
|
Keystore generated above in the config below.
|
|
|
|
```yaml
|
|
server:
|
|
rootPath: '/api/*'
|
|
applicationConnectors:
|
|
- type: https
|
|
port: ${SERVER_PORT:-8585}
|
|
keyStorePath: ./conf/openmetadata.keystore.jks
|
|
keyStorePassword: test12
|
|
keyStoreType: JKS
|
|
supportedProtocols: [TLSv1.2, TLSv1.5]
|
|
excludedProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]
|
|
```
|
|
|
|
## Access OpenMetadata server in the browser
|
|
|
|
These steps are not necessary if you used proper X509 certificated signed by trusted CA Authority.
|
|
|
|
Since we used self-signed certificates, browsers such as Chrome or Brave will not allow you to visit
|
|
[https://localhost:8585](https://localhost:8585). You'll get the following error page and there is no way to proceed.
|
|
|
|
{% image src="/images/v1.6/deployment/security/enable-ssl/openmetadata-server/browser.png" alt="browser" /%}
|
|
|
|
However, the Safari browser allows you to visit if you click advanced and click proceed. To work around this issue, on
|
|
OS X, you can import the certificate into the keychain and trust it so that browsers can trust and allow you to access
|
|
OpenMetadata.
|
|
|
|
### Export X509 certificate from Keystore
|
|
|
|
Run the below command to export the X509 cert.
|
|
|
|
```commandline
|
|
keytool -export -alias localhost -keystore openmetadata.keystore.jks -rfc -file public.cert
|
|
```
|
|
|
|
### Import public cert into Keychain - OS X only
|
|
|
|
Open the KeyChain app in OS X, drag and drop the `public.cert` file generated in the previous command into the Keychain:
|
|
|
|
{% image src="/images/v1.6/deployment/security/enable-ssl/openmetadata-server/import-1.png" alt="import" /%}
|
|
|
|
Double-click on `localhost`:
|
|
|
|
{% image src="/images/v1.6/deployment/security/enable-ssl/openmetadata-server/import-2.png" alt="import" /%}
|
|
|
|
|
|
Click on `Trust` to open and set `Always Trust`:
|
|
|
|
{% image src="/images/v1.6/deployment/security/enable-ssl/openmetadata-server/import-3.png" alt="import" /%}
|
|
|
|
Once the above steps are finished, all the browsers will allow you to visit the OpenMetadata server using HTTPS.
|
|
However, you'll still a warning in the address bar. All of these steps are not necessary with an X509 certificate issued
|
|
by a trusted authority and one should always use that in production.
|