Pentaho Documentation

Trust a Self-Signed Certificate

The procedure below assumes that an SSL certificate is generated and Tomcat is configured to use it.

The instructions below explain how to complete the trust relationship between the BA Server (when it is configured for SSL) and the User Console.

  1. Change to the home directory of the user account that starts the BA Server and Pentaho User Console processes or services.
    cd ~
    Using the default settings suggested by Pentaho, this will be /home/pentaho/.
  2. Execute the following command, changing the storepass (pass in the example) and keypass (pass2 in the example) accordingly:
    keytool -export -alias tomcat -file tomcat.cer -storepass pass -keypass pass2 -keystore .keystore
  3. Change to the $PENTAHO_JAVA_HOME/jre/lib/security/ directory.
    cd $PENTAHO_JAVA_HOME/jre/lib/security/
    The PENTAHO_JAVA_HOME variable was established during your production installation procedure. If you are on Windows, environment variables are surrounded by percent signs, as in: cd %PENTAHO_JAVA_HOME%\jre\lib\security\. If you get an error about this path not being valid, then use JAVA_HOME instead of PENTAHO_JAVA_HOME.
  4. Execute the following command, changing the alias (tomcat in the example), the file path to the certificate (the current user's home directory in the example), and the storepass (pass in the example) accordingly:
    keytool -import -alias tomcat -file ~/tomcat.cer -keystore cacerts -storepass pass
    Note: If the path to your certificate involves spaces, you must either escape the spaces (on Linux, Unix, and OS X), or put double quotes around the path (on Windows) in order for the command to work properly.
  5. Execute the following command and make note of the MD5 sum for the tomcat entry:
    keytool -list -keystore cacerts
  6. Change back to the home directory of the user account that starts the BA Server and User Console, and run this command:
    keytool -list -keystore .keystore
  7. Compare the tomcat entry's MD5 sum to the one you generated previously and ensure that they match. If these sums do not match, you've made a mistake someplace in the certificate trust process. Go through the steps again and ensure that you're working with the right user accounts and directories.
The BA Server is now configured to allow access via SSL.
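
The comparison in steps 5 to 7 can be scripted instead of read by eye, which helps because cacerts holds many entries. The following is an added example, not part of the Pentaho documentation: the function names and the sample listings are assumptions, and the fingerprints are constructed placeholders. The algorithm label is compared along with the value because newer JDKs print SHA1 or SHA-256 fingerprints rather than MD5.

```shell
#!/bin/sh
# Added example. The listings below are constructed samples in the layout
# `keytool -list` prints; the fingerprints are placeholders, not real values.

# Read `keytool -list` output on stdin and print "<algorithm> <fingerprint>"
# for one alias. Exit status is 1 if the alias has no entry.
fingerprint_for() {
    awk -v want="$1" '
        # Entry header line: "<alias>, <date>, <entry type>,"
        /^[^ ].*, .*Entry, *$/ { cur = $0; sub(/,.*/, "", cur); next }
        /^Certificate fingerprint \(/ && cur == want {
            algo = $0; sub(/^[^(]*\(/, "", algo); sub(/\).*/, "", algo)
            fp = $0; sub(/^[^:]*: */, "", fp)
            print algo, toupper(fp); found = 1; exit
        }
        END { exit !found }'
}

# Succeed only if the alias has the same fingerprint, under the same
# algorithm, in both listings. A missing alias counts as a failure.
fingerprints_match() {
    a=$(printf '%s\n' "$2" | fingerprint_for "$1") || return 1
    b=$(printf '%s\n' "$3" | fingerprint_for "$1") || return 1
    [ "$a" = "$b" ]
}

sample_cacerts() { cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

exampleca, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (MD5): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
tomcat, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (MD5): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
EOF
}

sample_keystore() { cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jan 5, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
EOF
}
```

On a real installation, pass the output of the two `keytool -list` commands from steps 5 and 6 to `fingerprints_match tomcat` in place of the sample listings.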