Deephaven public and private key configuration
This guide details the server-side configuration of public and private keys and certificates within a Deephaven deployment. It covers TLS keystores and truststores essential for securing communication between Deephaven services, as well as other specialized keys used by internal server components for their operations.
Proper configuration of these keys and certificates is crucial for a secure and functional Deephaven environment. If you encounter connection issues that might be related to SSL/TLS, refer to the Debug SSL/TLS connections section of the troubleshooting guide.
TLS Keystores for Services
Authentication server
Warning
When certificates, keys, or truststores are not configured correctly, connections will fail. If you encounter SSL/TLS connection problems, see debugging SSL/TLS connections for additional debug parameters to diagnose the issue.
The Authentication Server’s keystore contains the certificate and private key of a TLS enabled service. You must keep this file private, and not distribute it to clients. Each node running an Authentication Server should have its own keys, with a certificate that is signed (issued) by the CA in the TLS truststore file (see below).
The default self-signed key pair for the Authentication Server is generated and saved to a PKCS12 (.p12
) keystore file when iris_keygen.sh
is run. The keystore file is owned by user irisadmin
with permission set to 400:
[-r-------- irisadmin irisadmin] keystore.authserver.p12
The keystore file is protected by a unique randomly generated password stored in base64 encoded format in a read-only hidden file owned by user irisadmin
with permission set to 400:
[-r-------- irisadmin irisadmin] .auth_passphrase
Properties file sections
These file locations are specified by the following properties, which need to be accessible in the authentication_server
and db_acl_write_server
contexts.
[service.name=db_acl_write_server|authentication_server] {
tls.keystore=/etc/sysconfig/illumon.d/auth/keystore.authserver.p12
tls.passphrase.file=/db/TempFiles/irisadmin/.auth_passphrase
}
Authorized keys file configuration
For public key authentication (PSK), the Authentication Server needs to know the location of the file(s) containing users' public keys. This is configured using the authentication.psk.authorizedKeysFiles
property. This property specifies a comma-separated list of paths to authorized keys files. Each file follows the standard SSH authorized_keys
format.
Example property setting:
authentication.psk.authorizedKeysFiles=/etc/deephaven/authorized_keys,/data/additional_authorized_keys
This configuration is typically set in the authentication_server
context.
Configuration server
The Configuration Server’s keystore contains the certificate and private key of a TLS enabled service. You must keep this file private, and not distribute it to clients. Each node running a Configuration Server should have its own keys, with a certificate that is signed (issued) by the CA in the TLS truststore file (see below).
The default self-signed key pair for the Configuration Server is generated and saved to the .p12
keystore file when iris_keygen.sh is run. The keystore file is owned by user irisadmin
with permission set to 400:
[-r-------- irisadmin irisadmin] keystore.configuration_server.p12
The Configuration Server keystore file is also protected by a unique randomly generated password stored in base64 encoded format in a read-only hidden file owned by user irisadmin
with permission set to 400:
[-r-------- irisadmin irisadmin] .configuration_server_passphrase
Properties file sections
These file locations are specified by the following properties, which need to be accessible in the configuration_server
context:
[service.name=configuration_server] {
configuration.server.ssl=true
configuration.server.keyfile=/etc/sysconfig/illumon.d/auth/keystore.configuration_server.p12
configuration.server.passphrase.file=/db/TempFiles/irisadmin/.configuration_server_passphrase
}
Web API Service keystore
The Web API Server's keystore contains the certificate and private key of a TLS enabled service. You must keep this file private, and not distribute it or store the file in a non-secure location such as a git repository. The Web API Server's keystore file should be unique per node, with a certificate that is signed (issued) by a trusted CA.
The default self-signed key pair for the Web API Server is generated when installing the iris-config.rpm
and saved to .p12
keystore file:
[-r-------- irisadmin irisadmin] webServices-keystore.p12
The keystore file is protected by a unique randomly generated password stored in base64 encoded format in a read-only hidden file owned by user irisadmin
with permission set to 400:
[-r-------- irisadmin irisadmin] .webapi_passphrase
Properties file sections
These file locations are specified by the following properties, which need to be accessible in the web_api_service
context.
[service.name=web_api_service] {
WebServer.tls.keystore=/etc/sysconfig/illumon.d/auth/webServices-keystore.p12
WebServer.tls.passphrase.file=/db/TempFiles/irisadmin/.webapi_passphrase
}
TLS Truststore
A TLS truststore file contains the root certificates that issued any certificates that should be trusted. The Deephaven truststore should contain the root certificate or certificates for all the Authentication Server and Configuration Server certificates. This file is stored in two formats; a PKCS12 file verified by a password, and a PEM file which does not require a password.
All nodes and all clients need to have access to the truststore files. A single truststore should be used across all Deephaven nodes. If your organization has an existing PKI, then you can import your CA's certificate into the truststores for use with Deephaven.
The truststore does not contain secrets, and all clients need access to the password for the password-protected file.
Truststore filenames
-
/etc/sysconfig/illumon.d/resources/truststore-iris.p12
-
/etc/sysconfig/illumon.d/resources/truststore-iris.pem
Passphrase file
/etc/sysconfig/illumon.d/resources/truststore_passphrase
Properties
configuration.server.cacertfile=/etc/sysconfig/illumon.d/resources/truststore-iris.pem
tls.truststore=/etc/sysconfig/illumon.d/resources/truststore-iris.p12
tls.truststore.passphrase.file=/etc/sysconfig/illumon.d/resources/truststore_passphrase
Note
These properties should be available in all contexts.
Using non-default certificates
Instead of using the uniquely generated files from the installation, customers can create their own keystore files with private keys and certificates signed by their own CA and update these properties accordingly.
Import your own root or intermediate CA certificate into the trust store:
/usr/lib/jvm/java-openjdk/bin/keytool \
-import -trustcacerts -alias iris \
-file /path/to/tls.crt -keystore \
/etc/sysconfig/illumon.d/resources/truststore-iris.p12 \
-storepass $PASS_PHRASE
Internal service and component keys
Authorized keys
A Deephaven-authorized keys file associates usernames with keys and allows non-interactive processes to authenticate with a key instead of a password. The process of authenticating must have the private key corresponding to the public key in this file. This file is disabled by default, with public keys maintained in the ACL store (etcd or MySQL).
As of the Grizzly (1.20240517), Deephaven uses the secp256r1
Elliptic Curve to generate key pairs, which is currently recommended by FIPS.186-5. Deephaven's authentication server generates a random nonce, which the client then hashes using SHA256 and signs with the private key. In versions of Deephaven from 1.20221001 to 1.20231218, Deephaven generated 2048-bit DSA keys as defined in FIPS.186-4. Prior to 1.20221001, 512-bit DSA keys were generated. For backward compatibility, Deephaven supports using ECDSA and DSA keys for authentication so that users can continue using their existing keys.
The authorized keys file contains one public key per line. Lines beginning with #
are comments. Each line consists of a user name and a base64-encoded key separated by white space. The public key is encoded in DER format. If the key is an Elliptic Curve key, then it is prefaced with EC:
. Other keys are assumed to be DSA keys. The same key encoding is used for public keys stored in the ACL database.
DSA Keys File
/etc/sysconfig/illumon.d/resources/dsakeys.txt
Note
This file can contain both DSA and ECDSA keys.
Properties file sections
[service.name=authentication_server] {
authentication.server.authorizedkeys.enabled=true
authentication.server.authorizedkeys.file=dsakeys.txt
}
User private keyfile
Users may authenticate using private key files. These should be only on the user's client machine, and provide access to Deephaven just as the user's password. The private key file is specified as follows.
The file is structured as a dictionary. Lines beginning with #
are comments. Each line is a key and value separated by white space. There are four fields defined:
Field | Value |
---|---|
user | Username for authentication. |
operateas | The user to operate as. |
public | The public key in base64-encoded DER format. Elliptic Curve keys are prefaced with EC: before base64 encoding. |
private | The private key in base64-encoded DER format. Elliptic Curve keys are prefaced with EC: before base64 encoding. |
Private key files can be generated by using:
/usr/illumon/latest/bin/generate-iris-keys
from the command line.io.deephaven.enterprise.auth.KeyPairFile#generateNewKeys
from Java/Groovy.deephaven_enterprise.client.auth.AuthClient.generate_keypair
from Python.
Property
AuthenticationClientManager.defaultPrivateKeyFile
The public key in the named file must be entered in the server’s Authorized Keys file.
Note
Deephaven private keyfile
The controller uses a key to authenticate to the Deephaven remote query dispatchers (query servers and merge servers). The controller must operate as a privileged user because it performs privileged operations such as starting Persistent Queries owned by any user. This key file should be deployed only to the controller, and not readable by other users.
Property
iris.authentication.keyfile=/etc/sysconfig/illumon.d/auth/priv-iris.base64.txt
Controller key pair
The Deephaven controller may store secrets such as JDBC passwords in its configuration. Consoles must be able to update these secrets, and to store them persistently in the Persistent Query Controller's cache files. This file should be only on the controller node. When a client needs to send a secret to the controller, it requests the public key. The controller decrypts secret data (e.g., passwords) using its private key before sending the secret to workers that require it.
Property
[service.name=iris_controller] {
PersistentQueryController.keyPairFile=/etc/sysconfig/illumon.d/auth/priv-controllerConsole.base64.txt
}
Other key files
The following key files are also installed.
priv-authreconnect.base64.txt
- This is the keyfile used by the authentication server for its public/private encryption. The file is defined by the following property, which can be updated if needed:authentication.server.reconnection.keyfile=/etc/sysconfig/illumon.d/auth/priv-authreconnect.base64.txt
priv-merge.base64.txt
- This keyfile may be used for authentication by batch merge queries.priv-superuser.base64.txt
- This keyfile may be used by the superuser user for authentication.
Database authentication
To connect to a database server to run queries, you must authenticate your connection. For interactive utilities, like the Deephaven console, you do so through a username/password dialog box or SAML. For automated batch queries, you must use a private key file. Best practices dictate that system batch jobs are run as a role user.
If you are writing your own batch queries (or interactive utilities), you need to provide a method for authenticating your client before any database connection is made. The database components all use the AuthenticationClientManager.getDefault()
instance, so authenticating should be performed using one of the following methods:
- Setting the
AuthenticationClientManager.defaultPrivateKeyFile
property, which must specify a private key file that is known to the authentication server. Authentication will be done automatically using the specified private key. For a batch query, this is the preferred choice. - Calling
AuthenticationManager.getDefault().challengeResponse(String privateKeyFile)
, with a private key file that is known to the authentication server. - Implementing a method to get the password from the user. You should not have users store passwords in a file. If the password is typed in, you should make it obscured (for example, by using
java.io.Console.readPassword
).
How to create Deephaven Authentication Keys
Deephaven can use challenge-response authentication with DSA keys to authenticate users. This is useful for batch or other non-interactive programs that cannot prompt for passwords. DSA keys consist of two parts: (1) a private key that must be protected as if it were a password, and (2) a public key stored in the Deephaven ACL database.
You can generate a public/private key pair for yourself using the Core+ Python client and upload it to the ACL write server. This has the advantage of the private key never leaving the user's machine. Alternatively, a member of iris-acleditors
can upload a key for any user.
from deephaven_enterprise.client.session_manager import SessionManager
import deephaven_enterprise.client.auth
import os
# generate a public/private key pair for "user_name"
(priv, pub) = deephaven_enterprise.client.auth.AuthClient.generate_keypair("user_name")
# Write the private key to a file, take care to ensure the permissions are safe. This key is equivalent to a password.
with open("/tmp/priv.txt", "w") as f:
f.write(priv)
print("Generated Key")
# Connect to the Deephaven cluster
sm = SessionManager("https://deephaven-cluster.example.com:8123/iris/connection.json")
# You can authenticate using your password, saml, or an existing private key.
sm.password("user_name", "password")
# Upload the public key to the ACL Write Server
sm.upload_key(pub)
sm.close()
# Now reconnect with your private key
sm2 = SessionManager("https://deephaven-cluster.example.com:8123/iris/connection.json")
sm2.private_key("/tmp/priv.txt")
sm2.close()
Alternatively, you can generate a public/private key pair on a Deephaven server as follows:
-
On a Deephaven server, run:
/usr/illumon/latest/bin/generate-iris-keys <deephaven user name>
. The default key length is 2048 bits. You can override that with a second parameter:/usr/illumon/latest/bin/generate-iris-keys <deephaven user name> <bits>
-
This will generate
pub-<deephaven user name>.base64.txt
andpriv-<deephaven user name>.base64.txt
in the current directory. -
Store the generated public key in the ACL database using the command:
/usr/illumon/latest/bin/dhconfig acl publickey import -f <path to key>/pub-<deephaven user name>.base64.txt
If you are not running as an administrator, then you should also include the
--user
parameter to specify which Deephaven account to authenticate as. You can either specify an administrator account or your own account, anddhconfig
prompts for your password:/usr/illumon/latest/bin/dhconfig acl publickey import -f <public key file> --user <user>
-
Move
priv-<deephaven user name>.base64.txt
to the client system connecting to the server. This file is effectively a password. It should be stored only where it will be used and must be protected by appropriate filesystem permissions.
How to connect to a DB Server
Beyond TLS configurations, several other keys are used by Deephaven server components for their internal operations or for inter-service authentication.
Deephaven private keyfile
The Deephaven controller utilizes a specific private key to authenticate itself to remote query dispatchers (like query servers and merge servers). This key enables the controller, operating as a privileged user, to perform critical operations such as managing Persistent Queries across different user contexts. It's vital that this key file is securely deployed only on the controller node and is not accessible to other users.
This key is often named priv-controller.base64.txt
or similar and is specified via a server property like deephaven.controller.privateKeyFile
. It must be deployed securely on the controller node and have restricted file permissions.
Controller key pair
The Deephaven controller uses a key pair to manage sensitive information, such as JDBC passwords, stored in its configuration. This mechanism allows consoles to securely update these secrets and for the controller to store them persistently. When a client needs to transmit a secret to the controller, it encrypts the data using the controller's public key. The controller then uses its private key to decrypt this information before distributing it to worker processes. This key pair file should be restricted to the controller node.
This key pair is typically a PEM-formatted file (e.g., controller-keypair.pem
) configured via a property such as deephaven.controller.keyPairFile
. Secure storage and restricted access on the controller node are paramount.
Other key files
Several other specialized key files are used within Deephaven for specific authentication or operational purposes by server components:
priv-authreconnect.base64.txt
: Used by the authentication server for its public/private encryption needs, particularly for session reconnection.priv-merge.base64.txt
: Can be used for authentication by batch merge queries when these are run as part of server-side processes.priv-superuser.base64.txt
: Allows thesuperuser
account to authenticate using a key, typically for administrative server-side operations.
These files are typically located in a secured directory on the server, and their paths are configured through specific Java system properties or application configuration settings relevant to their respective services.