Pentaho Documentation

Trust a Self-Signed Certificate

This procedure assumes that an SSL certificate is generated and Tomcat is configured to use it.

The following instructions explain how to complete the trust relationship between the Pentaho Server (when it is configured for SSL) and the User Console:

  1. Change to the home directory of the user account that starts the Pentaho Server and User Console processes or services:
    cd ~
    If you installed Pentaho with the default settings, this directory is /home/pentaho/.
  2. Execute the following command, changing the storepass (pass in the example) and keypass (pass2 in the example) accordingly:
    keytool -export -alias tomcat -file tomcat.cer -storepass pass -keypass pass2 -keystore .keystore
  3. Change to the $PENTAHO_JAVA_HOME/jre/lib/security/ directory:
    cd "$PENTAHO_JAVA_HOME/jre/lib/security/"
    The PENTAHO_JAVA_HOME variable was established during your production installation procedure. If you are on Windows, environment variables are surrounded by percent signs, as in: cd %PENTAHO_JAVA_HOME%\jre\lib\security\. If you get an error about this path not being valid, then use JAVA_HOME instead of PENTAHO_JAVA_HOME.
  4. Execute the following command, changing the alias (tomcat in the example), the file path to the certificate (the current user's home directory in the example), and the storepass (pass in the example) accordingly:
    keytool -import -alias tomcat -file ~/tomcat.cer -keystore cacerts -storepass pass

    If the path to your certificate involves spaces, you must either escape the spaces (on Linux or Unix), or put double quotes around the path (on Windows) in order for the command to work properly.

  5. Execute the following command and make note of the MD5 sum for the Tomcat entry:

    keytool -list -keystore cacerts
  6. Change back to the home directory of the user account that starts the Pentaho Server and User Console, and run this command:
    keytool -list -keystore .keystore
  7. Compare the Tomcat entry's MD5 sum to the one you generated previously and ensure that they match. If these sums do not match, you've made a mistake someplace in the certificate trust process. Go through the steps again and ensure that you're working with the right user accounts and directories.
The Pentaho Server is now configured to allow access via SSL.
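
The comparison in steps 5 through 7 can be scripted rather than read by eye. The following is an added example, not part of the Pentaho documentation: it parses `keytool -list` output for one alias and compares the fingerprint between the two listings. The function names and the sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Pentaho code): automate the fingerprint comparison of steps 5-7.

# alias_fingerprint ALIAS: read `keytool -list` output on stdin and print
# "<algorithm> <fingerprint>" for ALIAS. Exit status 1 if ALIAS is not listed.
alias_fingerprint() {
  awk -v want="$1" '
    # Entry line: "<alias>, <date>, <type>Entry,"; JKS aliases are case-insensitive.
    /^[^,]+, .*Entry,/ { split($0, f, ","); current = tolower(f[1]); next }
    # The fingerprint line follows its entry; the label (MD5, SHA1, SHA-256)
    # depends on the JDK version, so it is reported along with the value.
    /^Certificate fingerprint \(/ && current == tolower(want) {
      alg = $0; sub(/^[^(]*\(/, "", alg); sub(/\).*/, "", alg)
      fp = $0;  sub(/^[^:]*: */, "", fp); gsub(/[ \r]/, "", fp)
      print alg, toupper(fp); found = 1; exit
    }
    END { exit (found ? 0 : 1) }
  '
}

# same_certificate ALIAS LISTING_A LISTING_B
# 0 = same algorithm and fingerprint, 1 = different, 2 = alias missing in a listing.
same_certificate() {
  _fp_a=$(printf '%s\n' "$2" | alias_fingerprint "$1") || return 2
  _fp_b=$(printf '%s\n' "$3" | alias_fingerprint "$1") || return 2
  [ "$_fp_a" = "$_fp_b" ]
}

# Constructed sample listings (fingerprints are made up, not from a real keystore).
KEYSTORE_LISTING='Your keystore contains 1 entry

tomcat, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (MD5): 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09'
CACERTS_LISTING='Your keystore contains 2 entries

example-root-ca, Jan 2, 2020, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (MD5): 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09'

# Live use: pass "$(keytool -list -keystore .keystore)" and
# "$(keytool -list -keystore cacerts)" instead of the samples.
if same_certificate tomcat "$KEYSTORE_LISTING" "$CACERTS_LISTING"; then
  echo "tomcat: fingerprints match"
else
  echo "tomcat: fingerprints differ or alias missing" >&2
fi
```

A non-zero status from `same_certificate` corresponds to the mismatch case in step 7: the certificate in cacerts is not the one the server's keystore presents.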