Version: 0.0.1

Enabling TLS for Dremio UI on AWS

This topic describes how to enable Transport Layer Security (TLS) for the Dremio UI on a cluster deployed with AWS CloudFormation.

Note:

In Dremio 24+, the keyStorePassword property can be encrypted using the dremio-admin encrypt CLI command.

To enable Transport Layer Security (TLS) for Dremio, determine which of the following methods you want to implement:

  • Self-signed certificate
  • CA-certified certificate

Enabling TLS with a Self-Signed Certificate

To enable TLS with a self-signed certificate:

  1. From CloudFormation, select your Stack.
  2. Click on the Resources tab.
  3. Click on <DremioClusterName>-DremioMaster.
  4. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
    ec2-18-188-87-153.us-east-2.compute.amazonaws.com.
  5. Access the Dremio cluster master node on AWS via the DNS name and become root. For example, using a terminal window, SSH to the AWS IP address with the keypair that you used during stack creation.
    ```
    $ ssh -i <path_to_your_private_key> centos@ec2-18-188-87-153.us-east-2.compute.amazonaws.com
    $ sudo su -
    ```
  6. Configure Dremio by editing the /etc/system/dremio.conf file and adding the following properties to the end of the file.
    ```
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: true
    ```
  7. Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
    ```
    service dremio restart
    ```
  8. Log into the Dremio UI:
    https://<dremio master DNS name>:9047

Note:
Self-signed certificates are not secure unless you can verify the certificate in the browser (for example, by comparing fingerprints).

Enabling TLS with a CA-certified Certificate

To enable TLS with a CA-certified certificate:

  1. From CloudFormation, select your Stack.

  2. Click on the Resources tab.

  3. Click on <DremioClusterName>-DremioMaster.

  4. Locate the DNS name for the master node. In the following sample screenshot, the DNS name is
    ec2-18-188-87-153.us-east-2.compute.amazonaws.com.

  5. Access the Dremio cluster master node on AWS via the DNS name and become root. For example, using a terminal window, SSH to the AWS IP address with the keypair that you used during stack creation.

    ```
    $ ssh -i <path_to_your_private_key> centos@ec2-18-188-87-153.us-east-2.compute.amazonaws.com
    $ sudo su -
    ```
  6. Obtain a TLS certificate for your DNS Name. For example, if you are using Let's Encrypt, install certbot, and generate the certificate.

    • The FQDN is set to the DNS name for the master node obtained in a previous step.
    • Make note of the last command output for the cert and cert key files.
    • Note: This certificate is valid for 90 days and must be renewed. After renewal, the subsequent Dremio configuration steps (steps 7 through 9) must be repeated.
    ```
    FQDN=<DNS name of the host>
    curl https://dl.eff.org/certbot-auto -o certbot-auto
    mv certbot-auto /usr/local/bin/certbot-auto
    chown root /usr/local/bin/certbot-auto
    chmod 0755 /usr/local/bin/certbot-auto
    certbot-auto certonly -d $FQDN --standalone -n --agree-tos --email youremail@domain.com
    ```
  7. Create a keystore for Dremio. The following example uses the output from the previous step.

    ```
    PASSWORD=yourpassword
    LETSENCRYPT_BASE=/etc/letsencrypt/live
    DREMIO_DATA_DIR=/var/lib/dremio
    openssl pkcs12 -export \
    -inkey $LETSENCRYPT_BASE/$FQDN/privkey.pem \
    -in $LETSENCRYPT_BASE/$FQDN/cert.pem \
    -out $DREMIO_DATA_DIR/store.pkcs12 \
    -passout pass:$PASSWORD
    chown dremio:dremio $DREMIO_DATA_DIR/store.pkcs12
    ```
  8. Configure Dremio by editing the /etc/dremio/dremio.conf file and adding the following properties to the end of the file.

    • Note that the keystore path and password were generated by the previous step.
    • If you supplied a different keystore path and password, be sure to provide them instead.
    ```
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: false
    services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
    services.coordinator.web.ssl.keyStorePassword: "yourpassword"
    ```
  9. Restart the Dremio service. See Start, Stop, and Status for RPM commands. For example:
    ```
    service dremio restart
    ```

  10. Log into the Dremio UI:
    https://<dremio master DNS name>:9047
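The following script is an added example for checking the property blocks from steps 6 and 8 of both procedures before restarting Dremio; it is not part of Dremio or of this topic. It assumes that dremio.conf uses the plain `key: value` lines shown above (full HOCON syntax is not parsed), that a later line overrides an earlier one for the same key (which is why the topic appends to the end of the file), and that the UI listens on port 9047. The `server_fingerprint` helper fetches the certificate the UI presents without validating it, so it can be used for the fingerprint comparison the note about self-signed certificates recommends; the script name `check_dremio_tls.py` is a hypothetical one.

```python
"""Sanity-check the Dremio web UI TLS settings from this topic.

Added example; not Dremio's own tooling. It assumes dremio.conf uses the plain
`key: value` lines shown in the topic (full HOCON syntax is not parsed) and that
the UI listens on port 9047.
"""
import hashlib
import ssl
import sys
from pathlib import Path

PREFIX = "services.coordinator.web.ssl."

# Constructed samples: the two property blocks from this topic.
SELF_SIGNED_CONF = """\
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
"""

CA_CONF = """\
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false
services.coordinator.web.ssl.keyStore: "/var/lib/dremio/store.pkcs12"
services.coordinator.web.ssl.keyStorePassword: "yourpassword"
"""


def parse_conf(text):
    """Parse `key: value` lines into a dict. A key that appears twice keeps its
    last value, which is why appending to the end of dremio.conf overrides any
    earlier setting of the same key."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")) or ":" not in line:
            continue  # blank line, full-line comment, or not a key: value pair
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def check_tls(settings, keystore_exists=None):
    """Return a list of findings; an empty list means the settings are consistent.

    keystore_exists lets a caller inject the filesystem check (True/False) so the
    function can be exercised on a machine that is not the Dremio master; when it
    is None the configured keyStore path is checked with Path.exists()."""
    findings = []
    get = lambda name: settings.get(PREFIX + name)

    if get("enabled") != "true":
        findings.append("ssl.enabled is not true: the UI on port 9047 will be served over plain HTTP")
        return findings

    if get("auto-certificate.enabled") == "true":
        # The self-signed path from this topic: browsers cannot validate the
        # generated certificate, so users must compare fingerprints by hand.
        findings.append("auto-certificate.enabled is true: Dremio serves a self-signed "
                        "certificate that browsers cannot validate without a fingerprint check")
        return findings

    keystore = get("keyStore")
    password = get("keyStorePassword")
    if not keystore:
        findings.append("auto-certificate is disabled but keyStore is not set")
    else:
        exists = Path(keystore).exists() if keystore_exists is None else keystore_exists
        if not exists:
            findings.append(f"keyStore {keystore} does not exist on this host")
    if not password:
        findings.append("keyStorePassword is missing or empty")
    return findings


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of a PEM certificate, colon-separated as browsers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def server_fingerprint(host, port=9047):
    """Fetch the certificate the Dremio UI presents and return its fingerprint.

    Validation is deliberately skipped (no ca_certs is given), so this also
    works for the self-signed case; compare the result with the fingerprint of
    cert.pem, or with what the browser shows, rather than trusting it blindly."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # Usage: python check_dremio_tls.py /etc/dremio/dremio.conf [master-dns-name]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dremio/dremio.conf"
    problems = check_tls(parse_conf(Path(path).read_text()))
    print("\n".join(problems) if problems else f"{path}: TLS settings look consistent")
    if len(sys.argv) > 2:
        print("server certificate SHA-256:", server_fingerprint(sys.argv[2]))
```

Run it on the master node after editing dremio.conf and before `service dremio restart`; a non-empty report means the restart would either leave the UI on plain HTTP or fail to load the keystore. The fingerprint printed for the running server can be compared with `openssl x509 -in /etc/letsencrypt/live/$FQDN/cert.pem -noout -fingerprint -sha256` for the CA-certified case, or with the value the browser shows for the self-signed case.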