Instructions for adding keys to Xcalar Installer web servers
Xcalar uses the Caddy web server to power both Xcalar Design and its installer. This is a single-file web server that employs a JSON file for its configuration. The instructions, here, modify the Caddyfile to change the tls directive in the file from "self-signed" to point to the SSL certificate and key used enable HTTPS.
Note: Both certificate and key should be in PEM format. If you have this in JKS format, please refer to the section below that gives more details on converting these to PEM format. According to Caddy documentation "if the certificate is signed by a CA, this certificate file should be a bundle: a concatenation of the server's certificate followed by the CA's certificate (root certificate usually not necessary)."
To change the keys used by XD, repeated the following steps on each node in your Xcalar cluster:
- Once Xcalar is installed and running, log into the Xcalar node as the Xcalar Owner (the "xcalar" user).
- Locate the caddy server used by the installer with the following command:
ps ax | grep caddy
It should produce output similar to this:
8151 pts/23 Sl+ 0:00 /opt/xcalar/opt/xcalar/bin/caddy -quiet -conf /opt/xcalar/opt/xcalar/etc/caddy/Caddyfile -root /opt/xcalar/opt/xcalar/xcalar-gui
Locate the the -conf flag on the running caddy process. The argument following the -conf flag is the location of the Caddyfile it is using.
Use an editor to edit this file:
vi /opt/xcalar/opt/xcalar/etc/caddy/Caddyfile
Within the Caddyfile, locate the tls directive. It is set to self_signed by default. For example: tls self_signed
Modify the tls directive to conform to the following syntax: tls <path to certificate> <path to certificate private key>
Replace <path to certificate>
with the path to the certificate in PEM format.
Replace <path to certificate private key>
with the path to the private key in PEM format. For example: tls /var/tmp/node0.company.com.cert /tmp/node0.company.com.key
Save the modified Caddyfile and exit the editor.
Send a USR1 signal to the caddy process to make it reload the Caddyfile.
kill -USR1 <process id number>
or
pkill -USR1 -f caddy
For example: (using the process id from Step 2 above):
kill -USR1 8151
Caddy should now use the provided certificate/key pair. If the above does not seem to work, it's possible that caddy is not re-reading the config. In such an event, you can try stop xcalar completely (this includes caddy), and then restart xcalar. This will restart caddy and it will re-read the Caddyfile.
Working With JKS Format
If you can only get keys as a Java Keystore (JKS file), the certificate and key needed by Xcalar must be converted into PEM format. The process to perform this conversion requires that Openssl be installed.
This process consists of the following four basic steps:
1. Export the key and certificate from the JKS file to a PFX file.
2. Extract the certificate from the PFX file.
3. Extract the key from the PFX file.
4. If the key has a password, it must be removed.
Export the key and certificate from the Java Keystore file to a PFX file using the java command keytool:
keytool -importkeystore -srckeystore thekeystore.jks \
-srcstoretype JKS \
-destkeystore thekeystore.pfx \
-deststoretype PKCS12
Additional options like the source keystore password (-srcstorepass
) and source key password (-srckeypass
) may be required for this command to run successfully.
Extract the certificate from the PFX file using openssl:
openssl pkcs12 -in thekeystore.pfx -clcerts -nokeys -out cert.pem
Extract the key from the PFX file using openssl:
openssl pkcs12 -in thekeystore.pfx -nodes -nocerts -out key.pem
At the conclusion of this process, the files cert.pem and key.pem (if they key had a password) or server.key (if it did not) are used in the Xcalar Caddyfile.