The manager can be configured to automatically generate certificates for the agents and itself by providing a signing certificate and key. This will allow the secure communication of the manager with the agents, the agents with each other, and users with the system. The key and certificate should be provided to the manager to generate the keys for itself and the agents. The agent will get the certificate only to validate the generated certificates.
Enabling, disabling or updating your certificates will require a restart of any running clusters. You will be notified in the manager that a certificate change has been detected and prompted to restart. You should plan the changes around maintenance windows as it will require an outage.
This ca.crt should be trusted/installed in browsers connecting to the manager or Druid so that they can be validated and the
https:// scheme used for all
When TLS is enabled Druid will use different ports by default as well as require the
https:// schema for all web requests.
By default these ports are the default port for the service increased by 200. Note that Pivot and the manager still run on the same port.
See the table below for some examples:
|Service||Default Port||TLS Port|
Review the Druid Configuration reference for more defaults.
To generate a CA certificate and key you can use the following command:
openssl req -x509 -new -nodes -keyout ca.key -out ca.crt -days 365
When executing the command you will be prompted to fill in the information for the certificate. For example:
Country Name (2 letter code) :US State or Province Name (full name) :California Locality Name (eg, city) :Burlingame Organization Name (eg, company) :Imply Data, Inc Organizational Unit Name (eg, section) : Common Name (eg, fully qualified host name) :Imply Manager CA Email Address :
These values are just an example and should be filled in with your own values. Once this is completed a new certificate
and key that are valid for 1 year will be generated. If you want a longer or shorter expiry update the
-days argument. For more
information please consult the OpenSSL Documentation.
ca.crt file will add it to your Keychain as a trusted certificate. For more information you can consult
the Keychain Access User Guide.
To add the certificate on windows we will perform the following steps.
ca.crtand select Install Certificate. This will launch the Certificate Import Wizard.
For managed environments the certificate can be installed as part of a Group Policy.
Authentication can be enabled to allow the manager to communicate with the agents in an authenticated manner. It will also enable Druid and Pivot authentication to secure the entire deployment. This should be used in conjunction with TLS as the tokens are sent in plain text.
When authentication is enabled by providing a token to the manager and agents, it also enables Druid authentication by default. For more information on Druid authentication review https://druid.apache.org/docs/0.17.0/design/auth.html.
When Druid Authentication is enabled you can find the credentials in the manager under the API tab.
When authentication is enabled by providing a token to the manager and agents, it also enables Pivot authentication by default. For more information on Pivot user modes review userMode configuration.
Pivot will be configured to use
native-users. The default credentials can be found in the userMode configuration link above.