Enabling secure communication for Pentaho Worker Nodes
When setting up Pentaho Worker Nodes on a single instance, be sure to follow the steps for the secure setup in Running the setup script task. Secure mode requires the use of a master PWN instance, so you should have applied the -M and -m parameter values prior to beginning this task.
To secure your Pentaho Worker Nodes configuration, perform the following tasks.
Generate a TrustStore using the HCI System Certificate
Perform the following steps to add the PWN system certificate to a truststore:
Procedure
Verify that the PWN instance and the Pentaho Server are running.
Navigate to the pentaho-server/pentaho-solutions/system/karaf/etc/ directory.
Check that the pentaho.worker.nodes.cfg file exists in the directory. If the file is not found, see Enable Pentaho Worker Nodes.
Create a directory named Security on the Pentaho Server host machine and enter this new Security directory.
Copy the combined.pem file from <install-base-dir>/data/com.hds.ensemble.plugins.service.haproxy/certs/combined.pem and save it in the Security directory.
Open a command line interface (CLI) and enter the following command:
<jre_home>/bin/keytool -importcert -file combined.pem -alias <alias> -storepass <trust_store_password> -keystore <trust_store_name>
Make a note of the absolute path to the truststore file and its password.
You will need to enter this path when you configure the Pentaho Server settings.
Enable secure communication
The following steps detail how to enable and establish a secure communication channel between the Pentaho Server and the Worker Nodes.
Before you begin
Before enabling secure communication, you must complete the required configuration steps so the Pentaho Server can successfully delegate transformation and job executions to the Worker Nodes.
Before completing these tasks, ensure that the following prerequisites are met:
- Start the Foundry product and the Pentaho Server. Both Foundry and the Pentaho Server need to be running for the configuration tasks.
- On the Pentaho Server, navigate to the <pentaho-install-dir>/pentaho-server/pentaho-solutions/system/karaf/etc directory, and verify that the pentaho.worker.nodes.cfg file exists.
- On Foundry, navigate to the <foundry-install-base-dir>/data/com.pentaho.foundry.contentexecution.service/<guid>/ directory, and verify that the cer-truststore.pem file exists.
Note: On a multi-instance setup, the CER service is running on only one instance, so the certificate file is located on that instance. It may also be located at <PWN-install-directory>/services/com.pentaho.foundry.plugins.service.contentexecution/1.0/package/certs/
Configure the Content Execution Router on Worker Nodes
Procedure
In the Admin App, navigate to Security Configuration and select the Enable Foundry Authentication check box. By default, authentication is disabled on the Content Execution Router.
In the upper-right corner, click Update service to update the CER with your changes.
Configure the Pentaho Server to issue authenticated requests to Pentaho Worker Nodes
Perform the following steps to configure the Pentaho Server to issue authenticated requests:
Procedure
Navigate to the <pentaho-server-install-dir>/pentaho-solutions/system/karaf/etc/ directory and open the pentaho.worker.nodes.cfg file with any text editor.
Perform the following action for each specified property in the file:
- wn-username: Set the value to match the username you enter to log on to the Pentaho Worker Nodes Administration Application at https://<PWN-IP>:8000.
- wn-password: Set the value to match the password you enter to log on to the Pentaho Worker Nodes Administration Application at https://<PWN-IP>:8000. Note: Enter a plain text password or one encrypted using the Pentaho encryption tool. For more information, see Using the Pentaho encryption tool.
- wn-security-enabled: Set the value to true. Note: The default value is false.
Save and close the pentaho.worker.nodes.cfg file.
Enabling TLS-SSL communication between the Pentaho Server and Worker Nodes
By default, TLS/SSL is enabled. For the Pentaho Server to establish a communication over TLS/SSL with the Content Execution Router, you first need to provide it with the required certificate.
The Content Execution Router applies a certificate located at the following location on the machine where Foundry is installed: <PWN-install-base-dir>/data/com.pentaho.foundry.plugins.service.contentexecution/<guid>/cer-truststore.pem
Add the Content Execution Router's certificate to a truststore on the Pentaho Server
You can create a truststore using other methods; the following steps show one way to create one.
Procedure
On the machine where the Pentaho Server is running, create a directory.
Navigate to the directory and place the product's system certificate in it.
Enter the following command:
<jre_home>/bin/keytool -importcert -file cer-truststore.pem -alias <alias> -storepass <trust_store_password> -keystore <trust_store_name>
When the process is complete, you should have a generated file with the name <trust_store_name>. You can inspect the certificates stored within the file by accessing it with the <trust_store_password>.
Remember the absolute path to the truststore file and its password so you can set them in the configuration file pentaho.worker.nodes.cfg on the Pentaho Server.
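As an added example that is not part of this documentation or of the Pentaho or Foundry products, the following Python script inspects a PEM bundle such as cer-truststore.pem or combined.pem before it is handed to the keytool command above (the same command appears under Generate a TrustStore using the HCI System Certificate). It splits the bundle into its blocks, computes a SHA-256 fingerprint for each certificate so the value can be compared with what keytool -list -v prints after the import, and re-emits only the certificate blocks so that a private key, which an HAProxy combined file may carry, never ends up in a truststore or gets copied between hosts. The bundle contents, file names and function names are this example's own constructions, not real certificates.

```python
"""Inspect a PEM bundle before importing it into a Java truststore with keytool.

Added example; not Pentaho's or Foundry's own code. It assumes only that the
file given to keytool -importcert (combined.pem or cer-truststore.pem on this
page) is a PEM bundle of one or more blocks.
"""
import base64
import hashlib
import re

# One PEM block: group 1 is the label (CERTIFICATE, PRIVATE KEY, ...),
# group 2 the base64 body between the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def split_pem(text):
    """Return one record per PEM block: its label, DER bytes and raw text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())           # drop line wrapping
        der = base64.b64decode(body, validate=True)  # rejects corrupt bundles
        blocks.append({"label": m.group(1), "der": der, "text": m.group(0)})
    return blocks


def fingerprint(der):
    """SHA-256 over the DER encoding, colon-separated as keytool -list shows it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_bundle(text):
    """Summarise what the bundle carries so it can be checked before import."""
    blocks = split_pem(text)
    return {
        "certificates": [fingerprint(b["der"]) for b in blocks
                         if b["label"] == "CERTIFICATE"],
        # A truststore must only ever receive public certificates; a key
        # block in the bundle means the file must not be copied around.
        "has_private_key": any(b["label"].endswith("PRIVATE KEY")
                               for b in blocks),
    }


def certificates_only(text):
    """Re-emit the bundle with every non-certificate block removed."""
    return "".join(b["text"] + "\n" for b in split_pem(text)
                   if b["label"] == "CERTIFICATE")


def _pem(label, payload):
    """Build a constructed PEM block; the payload is NOT real DER."""
    return (f"-----BEGIN {label}-----\n"
            f"{base64.encodebytes(payload).decode()}"
            f"-----END {label}-----\n")


# Constructed sample bundle: two "certificates" plus a key block, the shape an
# HAProxy combined file may have. Real bundles hold ASN.1 DER, not these strings.
SAMPLE_BUNDLE = (_pem("CERTIFICATE", b"constructed leaf certificate")
                 + _pem("CERTIFICATE", b"constructed issuing CA certificate")
                 + _pem("PRIVATE KEY", b"constructed key bytes, never real"))

if __name__ == "__main__":
    report = inspect_bundle(SAMPLE_BUNDLE)
    for fp in report["certificates"]:
        print("certificate SHA-256:", fp)
    if report["has_private_key"]:
        print("bundle contains a private key; importing only the certificates")
    with open("certs-only.pem", "w") as fh:        # feed this file to keytool
        fh.write(certificates_only(SAMPLE_BUNDLE))
```

Run it against the real file instead of SAMPLE_BUNDLE, pass the certs-only.pem it writes to the keytool -importcert command above, and confirm that the fingerprints keytool -list -v prints for the new alias match the ones reported here.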
Configure the Pentaho Server to send requests over TLS-SSL to Foundry
Procedure
Navigate to the <pentaho-install-dir>/pentaho-server/pentaho-solutions/system/karaf/etc/ directory and open the pentaho.worker.nodes.cfg file with any text editor.
Perform the following action for each specified property in the file:
- wn-port: Set the value to 38443.
- wn-use-https: Set the value to true.
- wn-trust-store: Uncomment the wn-trust-store property and set it to the absolute path of the truststore that holds the Content Execution Router's certificate. Note: For more information about the truststore path, see Add the Content Execution Router's certificate to a truststore on the Pentaho Server.
- wn-truststore-password: Uncomment the wn-truststore-password property and set it to the truststore's password. Note: For more information about the truststore password, see Add the Content Execution Router's certificate to a truststore on the Pentaho Server. Enter a plain text password or one encrypted using the Pentaho encryption tool. For more information, see Using the Pentaho encryption tool.
Save and close the pentaho.worker.nodes.cfg file.
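As an added example (not Pentaho's own tooling), the following Python script applies the properties from the table above together with the wn-username, wn-password and wn-security-enabled properties from Configure the Pentaho Server to issue authenticated requests, uncommenting commented-out lines as the steps require, and then checks the result for the settings a reviewer would reject: authentication or TLS left off, a missing or relative truststore path, or passwords left in plain text. The sample file contents, the placeholder port in them, the encrypted-password prefix it tests for and the function names are this example's assumptions.

```python
"""Apply and check the pentaho.worker.nodes.cfg properties from this page.

Added example; not Pentaho's own tooling. Assumptions: the cfg is a plain
key=value properties file in which unused properties are commented out with
'#' (the page says to "uncomment" wn-trust-store), and passwords produced by
the Pentaho encryption tool start with the prefix given in ENCRYPTED_PREFIX.
"""
import os

ENCRYPTED_PREFIX = "Encrypted "  # assumed output prefix of encr.sh / encr.bat

# Constructed sample of a default file: authentication and TLS switched off,
# truststore properties commented out. Port 38080 is a placeholder, not a
# documented default.
SAMPLE_CFG = """\
wn-username=admin
wn-password=admin
wn-security-enabled=false
wn-port=38080
wn-use-https=false
#wn-trust-store=/path/to/truststore
#wn-truststore-password=changeit
"""


def parse_cfg(text):
    """Return the active (uncommented) key=value pairs as a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def set_property(text, key, value):
    """Set key=value in place, uncommenting a '#key=...' line if that is where
    the property lives; append it when the file has no such line at all."""
    out, done = [], False
    for raw in text.splitlines():
        candidate = raw.strip().lstrip("#").strip()
        name = candidate.split("=", 1)[0].strip() if "=" in candidate else None
        if not done and name == key:
            out.append(f"{key}={value}")
            done = True
        else:
            out.append(raw)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def secure_worker_nodes(text, username, password, trust_store,
                        trust_store_password, realm=None):
    """Apply both property tables on this page; realm adds the wn-realm property
    described under Enable secure communication on the Pentaho Server."""
    settings = {
        "wn-username": username,
        "wn-password": password,
        "wn-security-enabled": "true",
        "wn-port": "38443",
        "wn-use-https": "true",
        "wn-trust-store": trust_store,
        "wn-truststore-password": trust_store_password,
    }
    if realm:
        settings["wn-realm"] = realm
    for key, value in settings.items():
        text = set_property(text, key, value)
    return text


def check_cfg(text):
    """Return the findings a reviewer would raise before the file goes live."""
    p = parse_cfg(text)
    findings = []
    if p.get("wn-security-enabled") != "true":
        findings.append("wn-security-enabled is not true: requests to the "
                        "Content Execution Router are unauthenticated")
    if p.get("wn-use-https") != "true":
        findings.append("wn-use-https is not true: Worker Node traffic is "
                        "sent without TLS")
    else:
        if p.get("wn-port") != "38443":
            findings.append(f"wn-port is {p.get('wn-port')!r}; this page "
                            "sets 38443 for TLS")
        store = p.get("wn-trust-store", "")
        if not store:
            findings.append("wn-trust-store is unset or still commented out")
        elif not os.path.isabs(store):
            findings.append("wn-trust-store must be an absolute path")
        if not p.get("wn-truststore-password"):
            findings.append("wn-truststore-password is unset or still "
                            "commented out")
    for key in ("wn-password", "wn-truststore-password"):
        value = p.get(key)
        if value and not value.startswith(ENCRYPTED_PREFIX):
            findings.append(f"{key} is stored in plain text; consider the "
                            "Pentaho encryption tool")
    return findings


if __name__ == "__main__":
    hardened = secure_worker_nodes(
        SAMPLE_CFG, "wnadmin", "Encrypted 00placeholder",
        "/opt/pentaho/security/cer-truststore.jks", "Encrypted 00placeholder")
    print(hardened)
    print("findings:", check_cfg(hardened) or "none")
```

Point it at the real file under <pentaho-install-dir>/pentaho-server/pentaho-solutions/system/karaf/etc/ and keep the check_cfg step in whatever process deploys the file; it is the cheapest way to catch a server that silently falls back to unauthenticated, clear-text requests because one property was left commented out.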
Using the Pentaho encryption tool
Pentaho offers a password encryption tool, available in the following locations:
- In the PDI client, use one of these scripts: encr.sh or encr.bat.
- In the Pentaho Server, send a request to the POST /<webapp-name>/api/password/encrypt endpoint. This method passes your password in the password parameter.
Enable LDAP in Foundry
You can configure security providers on Foundry which validate users against a specified security provider, such as Microsoft Active Directory. The following steps illustrate the example of setting up LDAP for adding an identity provider, assigning roles, and creating groups.
This task assumes you are logged in to the Pentaho Worker Nodes Administration Application.
Procedure
Add an Identity Provider.
Click Configuration and then select Security from the menu that displays.
In the header, click Identity Providers. Click Create on the right side to begin adding an identity provider.
Enter the following information for the settings.
- Type: Enter the type of identity provider you want to use. LDAP entry: Active Directory (LDAP)
- Security Realm Name: Enter the name that is displayed as a Security Realm option on the login screen. It is best practice to use a name that your users will recognize. LDAP entry: <LDAP-Realm>
- Description: (Optional) Enter a description for the Identity Provider.
In the Connection panel, enter the following information in the fields.
- Identity Provider Hostname *: Enter the connection string used to communicate with the identity provider, such as 'provider.example.com'. LDAP entry: <LDAP-IP>
- Transport Security: Select the protocol to use for securing communications with the identity provider. You may choose from None, TLS Security, or SSL. LDAP entry: None
- Identity Provider Host Port *: Select the network port used to communicate with the identity provider. The default value is either '389' or '636', depending on the option selected for the Transport Security setting. LDAP entry: <LDAP-Port>
- User Name *: Enter the user credential for authenticating with the identity provider. LDAP entry: <LDAP-Username>
- Password *: Enter the password credential for authenticating with the identity provider. LDAP entry: <password>
- Domain: Enter the Active Directory (AD) domain that the user is a member of. Use the short name of the domain to log in using the <DOMAIN/user> format. If you want users to log in just using a user name, leave this field blank. LDAP entry: <LDAP-Domain>
- Search Base DN *: Enter the unique name of the location in the identity provider where you want the system to begin searching for users and groups. LDAP entry: dc=<LDAP-Domain>,dc=com
- Default Domain Name: Enter the domain name which should be used when a user attempts to log in without specifying a domain name. LDAP entry: <LDAP-Domain>.com
To verify that a successful connection is made to the identity provider, click Test.
Click Create.
Next, add a Group.
In the header, click Groups and then click Discover Groups to open a list of groups.
For LDAP, select <LDAP-Group> and click the Plus Sign to add the group.
Click Create Group.
Next, add Roles.
In the header, click Roles and then enter the role name.
Click Toggle All and then click Create.
Select the group you want to assign roles to, then select the Assign Pentaho Roles check box.
You can now use any user from your <LDAP-Group>.
Enable secure communication on the Pentaho Server
You can add authentication steps for your LDAP configuration on the Pentaho Server by editing the specified properties on pentaho.worker.nodes.cfg.
Procedure
Open the pentaho.worker.nodes.cfg file and specify the LDAP user credentials for the following properties:
wn-username=<LDAP-UserName>
wn-password=<LDAP-Password>
If your user is not part of the Local domain, open the pentaho.worker.nodes.cfg file and also specify the following property:
wn-realm=<LDAP-Realm>
Run and administer the Pentaho Worker Nodes product
Use the following articles to assist you in running and administering Pentaho Worker Nodes: