Deephaven public and private keys
Authentication server
The Authentication Server’s keystore contains the certificate and private key of a TLS enabled service. You must keep this file private, and not distribute it to clients. Each node running an Authentication Server should have its own keys, with a certificate that is signed (issued) by the CA in the TLS truststore file (see below).
The default self signed key pair for the Authentication Server is generated when iris_keygen.sh is run and saved to a PKCS12 (.p12) keystore file. The keystore file is owned by user irisadmin with permission set to 400:
[-r-------- irisadmin irisadmin] keystore.authserver.p12
The keystore file is protected by a unique randomly generated password stored in base64 encoded format in a read-only hidden file owned by user irisadmin with permission set to 400:
[-r-------- irisadmin irisadmin] .auth_passphrase
Properties file sections
These file locations are specified by the following properties, which need to be accessible in the authentication_server and db_acl_write_server contexts.
[service.name=db_acl_write_server|authentication_server] {
tls.keystore=/etc/sysconfig/illumon.d/auth/keystore.authserver.p12
tls.passphrase.file=/db/TempFiles/irisadmin/.auth_passphrase
}
Configuration server
The Configuration Server’s keystore contains the certificate and private key of a TLS enabled service. You must keep this file private, and not distribute it to clients. Each node running a Configuration Server should have its own keys, with a certificate that is signed (issued) by the CA in the TLS truststore file (see below).
The default self signed key pair for the Configuration Server is generated when iris_keygen.sh is run and saved to the .p12 keystore file. The keystore file is owned by user irisadmin with permission set to 400:
[-r-------- irisadmin irisadmin] keystore.configuration_server.p12
The Authentication Server keystore file is also protected by a unique randomly generated password stored in base64 encoded format in a read-only hidden file owned by user irisadmin with permission set to 400:
[-r-------- irisadmin irisadmin] .configuration_server_passphrase
Properties file sections
These file locations are specified by the following properties, which need to be accessible in the configuration_server context:
[service.name=configuration_server] {
configuration.server.ssl=true
configuration.server.keyfile=/etc/sysconfig/illumon.d/auth/keystore.configuration_server.p12
configuration.server.passphrase.file=/db/TempFiles/irisadmin/.configuration_server_passphrase
}
Web API Service keystore
The Web API Server's keystore contains the certificate and private key of a TLS enabled service. You must keep this file private, and not distribute it or store the file in a non-secure location such as a git repository. The Web API Server's keystore file should be unique per node, with a certificate that is signed (issued) by a trusted CA.
The default self signed key pair for the Web API Server is generated when installing the iris-config.rpm and saved to .p12 keystore file:
[-r-------- irisadmin irisadmin] webServices-keystore.p12
The keystore file is protected by a unique randomly generated password stored in base64 encoded format in a read-only hidden file owned by user irisadmin with permission set to 400:
[-r-------- irisadmin irisadmin] .webapi_passphrase
Properties file sections
These file locations are specified by the following properties, which need to be accessible in the web_api_service context.
[service.name=web_api_service] {
WebServer.tls.keystore=/etc/sysconfig/illumon.d/auth/webServices-keystore.p12
WebServer.tls.passphrase.file=/db/TempFiles/irisadmin/.webapi_passphrase
}
TLS Truststore
A TLS truststore file contains the root certificates that issued any certificates that should be trusted. The Deephaven truststore should contain the root certificate or certificates for all of the Authentication Server and Configuration Server certificates. This file is stored in two formats; a PKCS12 file verified by a password, and a PEM file which does not require a password.
All nodes and all clients need to have access to the truststore files. A single truststore should be used across all Deephaven nodes. If your organization has an existing PKI, then you can import your CA's certificate into the truststores for use with Deephaven.
The truststore does not contain secrets, and all clients need access to the password for the password protected file.
Truststore filenames
-
/etc/sysconfig/illumon.d/resources/truststore-iris.p12 -
/etc/sysconfig/illumon.d/resources/truststore-iris.pem
Passphrase file
/etc/sysconfig/illumon.d/resources/truststore_passphrase
Properties
configuration.server.cacertfile=/etc/sysconfig/illumon.d/resources/truststore-iris.pemtls.truststore=/etc/sysconfig/illumon.d/resources/truststore-iris.p12tls.truststore.passphrase.file=/etc/sysconfig/illumon.d/resources/truststore_passphrase
Note
These properties should be available in all contexts.
Using non-default certificates
Instead of using the uniquely generated files from the installation, customers can create their own keystore files with private keys and certificates signed by their own CA and update these properties accordingly.
Import your own root or intermediate CA certificate into the trust store:
/usr/lib/jvm/java-openjdk/bin/keytool \
-import -trustcacerts -alias iris \
-file /path/to/tls.crt -keystore \
/etc/sysconfig/illumon.d/resources/truststore-iris.p12 \
-storepass $PASS_PHRASE
Authorized keys
The Authorized Keys file associates usernames with keys, and is used to allow non-interactive processes to authenticate with a key instead of a password. The process authenticating must have the private key corresponding to the public key in this file.
DSA Keys File
/etc/sysconfig/illumon.d/resources/dsakeys.txt
Properties file sections
[service.name=authentication_server] {
authentication.server.authorizedkeys.file=dsakeys.txt
}
User private keyfile
Users may authenticate using private key files. These should be only on the user's client machine, and provide access to Deephaven just as the user's password. The private key file is specified as follows.
Property
WAuthenticationClientManager.defaultPrivateKeyFile
The public key in the named file must be entered in the server’s Authorized Keys file.
Note
Deephaven private keyfile
The controller uses a key to authenticate to the Deephaven remote query dispatchers (query servers and merge servers). The controller must operate as a privileged user because it performs privileged operations such as starting persistent queries owned by any user. This key file should be deployed only to the controller, and not readable by other users.
Property
iris.authentication.keyfile=/etc/sysconfig/illumon.d/auth/priv-iris.base64.txt
Controller key pair
The Deephaven controller may store secrets such as JDBC passwords in its configuration. Consoles must be able to update these secrets, and to store them persistently in the Persistent Query Controller's cache files. This file should be only on the controller node. When a client needs to send a secret to the controller, it requests the public key. The controller decrypts secret data (e.g., passwords) using its private key before sending the secret to workers.
Property
[service.name=iris_controller|controller_tool] {
PersistentQueryController.keyPairFile=/etc/sysconfig/illumon.d/auth/priv-controllerConsole.base64.txt
}
Other key files
The following key files are also installed.
priv-authreconnect.base64.txt- This is the keyfile used by the authentication server for its public/private encryption. The file is defined by the following property, which can be updated if needed:authentication.server.reconnection.keyfile=/etc/sysconfig/illumon.d/auth/priv-authreconnect.base64.txt
priv-merge.base64.txt- This keyfile may be used for authentication by batch merge queries.priv-superuser.base64.txt- This keyfile may be used by the superuser user for authentication.