Pentaho Documentation

Enabling secure communication for Pentaho Worker Nodes

When setting up Pentaho Worker Nodes on a single instance, be sure to follow the steps for the secure setup in Running the setup script task. Secure mode requires the use of a master PWN instance, so you should have applied the -M and -m parameter values prior to beginning this task.

To secure your Pentaho Worker Nodes configuration, perform the following tasks.

Generate a TrustStore using the HCI System Certificate

Pentaho Worker Nodes comes with its own self-signed certificate, which is generated and installed automatically during system installation. You must provide this certificate to complete the trust relationship between PWN and the Pentaho Server for TLS/SSL communication.

Perform the following steps to add the PWN system certificate to a truststore:

Procedure

  1. Verify that the PWN instance and the Pentaho Server are running.

    1. Navigate to the pentaho-server/pentaho-solutions/system/karaf/etc/ directory.

    2. Check that the pentaho.worker.nodes.cfg file exists in the directory. If the file is not found, see Enable Pentaho Worker Nodes.

  2. Create a directory named Security on the Pentaho Server host machine and enter this new Security directory.

  3. Copy the combined.pem file from <install-base-dir>/data/com.hds.ensemble.plugins.service.haproxy/certs/combined.pem and save it in the Security directory.

  4. Open a command line interface (CLI) and enter the following command:

    <jre_home>/bin/keytool -importcert -file combined.pem -alias <alias> -storepass <trust_store_password> -keystore <trust_store_name>

  5. Make a note of the absolute path to the truststore file and its password.

    You will need to enter this path when you configure the Pentaho Server settings.

Enable secure communication

The following steps detail how to enable and establish a secure communication channel between the Pentaho Server and the Worker Nodes.

Before you begin

Before enabling secure communication, you must complete the required configuration steps so the Pentaho Server can successfully delegate transformation and job executions to the Worker Nodes.

Before completing these tasks, ensure that the following prerequisites are met:

  1. Start the Foundry product and the Pentaho Server. Both Foundry and the Pentaho Server need to be running for the configuration tasks.
  2. On the Pentaho Server, navigate to the <pentaho-install-dir>/pentaho-server/pentaho-solutions/system/karaf/etc directory, and verify that the pentaho.worker.nodes.cfg file exists.
  3. On Foundry, navigate to the <foundry-install-base-dir>/data/com.pentaho.foundry.contentexecution.service/<guid>/ directory, and verify that the cer-truststore.pem file exists.
    Note: On a multi-instance setup, the CER service runs on only one instance, so the certificate file is located on that instance. It may also be located at <PWN-install-directory>/services/com.pentaho.foundry.plugins.service.contentexecution/1.0/package/certs/

Configure the Content Execution Router on Worker Nodes

To configure the Content Execution Router (CER) in the Pentaho Worker Nodes, perform the following steps. This task assumes you are logged on to the Pentaho Worker Nodes Administration Application.

Procedure

  1. In the Admin App, navigate to Services > Content Execution Router. Under Security Configuration, select the Enable Foundry Authentication check box. By default, authentication is disabled on the Content Execution Router.

  2. In the upper-right corner, click Update service to update the CER with your changes.

Next steps

After the Enable Foundry Authentication property is activated, ensure that all incoming requests coming into the CER through the REST API have the Authentication-Header defined with the proper credentials to authenticate the request. These credentials should match the Foundry credentials used to log on to the Administration App at https://<PWN-IP>:8000.

Configure the Pentaho Server to issue authenticated requests to Pentaho Worker Nodes

Procedure

  1. Navigate to the <pentaho-server-install-dir>/pentaho-solutions/system/karaf/etc/ directory and open the pentaho.worker.nodes.cfg file with any text editor.

  2. Perform the following action for each specified property in the file:

    Property | Action | Notes
    wn-username | Set the value to match the user name you enter to log on to the Pentaho Worker Nodes Administration Application at https://<PWN-IP>:8000. |
    wn-password | Set the value to match the password you enter to log on to the Pentaho Worker Nodes Administration Application at https://<PWN-IP>:8000. | Enter a plain text password or one encrypted using the Pentaho encryption tool. For more information, see Using the Pentaho encryption tool.
    wn-security-enabled | Set the value to true. The default value is false. |
  3. Save and close the pentaho.worker.nodes.cfg file.

Results

Your file changes are immediately active. You do not need to restart the Pentaho Server.

Enabling TLS-SSL communication between the Pentaho Server and Worker Nodes

By default, TLS/SSL is enabled. For the Pentaho Server to establish communication over TLS/SSL with the Content Execution Router, you first need to provide it with the required certificate.

The Content Execution Router applies a certificate located at the following location on the machine where Foundry is installed: <PWN-install-base-dir>/data/com.pentaho.foundry.plugins.service.contentexecution/<guid>/cer-truststore.pem

Note: If you want to use your own certificate, copy it to <PWN-install-base-dir>/data/com.pentaho.foundry.plugins.service.contentexecution/<guid>/ using the same name "cer-truststore.pem".

Add the Content Execution Router's certificate to a truststore on the Pentaho Server

A truststore can also be created by other means; the following steps show one way to create it.

Note: The host name of every node in the cluster must resolve to an IP address (for example, a "ping" by host name must succeed).

Procedure

  1. On the machine where the Pentaho Server is running, create a directory.

  2. Navigate to the directory and place the product's system certificate in it.

  3. Enter the following command:

    <jre_home>/bin/keytool -importcert -file cer-truststore.pem -alias <alias> -storepass <trust_store_password> -keystore <trust_store_name>

  4. When the process is complete, you should have a generated file named <trust_store_name>. You can inspect the certificates stored in the file by opening it with the <trust_store_password>.

  5. Remember the absolute path to the truststore file and its password so you can set them in the configuration file pentaho.worker.nodes.cfg in the Pentaho Server.
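Before running the keytool command in step 3 (and the equivalent command for combined.pem earlier on this page), it helps to see what the PEM file actually contains and to record the fingerprint of the certificate you are about to trust, so you can compare it with what keytool -list -v reports afterwards. The following script is an added example, not Pentaho or Foundry code; it assumes only that the file is a standard PEM bundle, and the sample bundle embedded in it is constructed (its base64 payloads are arbitrary bytes, not real certificates).

```python
"""Inspect a PEM bundle before importing it into a truststore with keytool.

Added example (not Pentaho/Foundry code). It assumes only that the files named
on this page (combined.pem, cer-truststore.pem) are standard PEM bundles; the
sample bundle below is constructed, not a real Pentaho certificate.
"""
import base64
import hashlib
import re

# One PEM block: header label, base64 body, matching footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def split_pem(text):
    """Return a list of (label, der_bytes) for every PEM block in the text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        body = "".join(match.group(2).split())  # drop line breaks inside the body
        blocks.append((label, base64.b64decode(body)))
    return blocks


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form that keytool -list -v prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_only(text):
    """Re-emit only CERTIFICATE blocks, so a private key never reaches the truststore host."""
    out = []
    for label, der in split_pem(text):
        if label == "CERTIFICATE":
            b64 = base64.b64encode(der).decode()
            lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append(f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
    return "".join(out)


def report(text):
    """Summarise each block; certificates get a fingerprint to compare against keytool output."""
    summary = []
    for label, der in split_pem(text):
        entry = {"type": label, "length": len(der)}
        if label == "CERTIFICATE":
            entry["sha256"] = fingerprint(der)
        summary.append(entry)
    return summary


# Constructed sample bundle: the base64 payloads are arbitrary bytes, not real DER.
SAMPLE_BUNDLE = """\
-----BEGIN PRIVATE KEY-----
AAECAwQFBgcICQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MTIzNDU2Nzg5MA==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for entry in report(SAMPLE_BUNDLE):
        print(entry)
    print(certificates_only(SAMPLE_BUNDLE))
```

Run it against the real file with report(open("cer-truststore.pem").read()). If the bundle also carries a PRIVATE KEY block (HAProxy, whose certs directory combined.pem comes from, keeps the key and certificate in one file), copy only the output of certificates_only() into the Security directory: keytool -importcert needs the certificate alone, and the router's private key has no business on the Pentaho Server host.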

Configure the Pentaho Server to send requests over TLS-SSL to Foundry

This task assumes you are on the Pentaho Server.

Procedure

  1. Navigate to the <pentaho-install-dir>/pentaho-server/pentaho-solutions/system/karaf/etc/ directory and open the pentaho.worker.nodes.cfg file with any text editor.

  2. Perform the following action for each specified property in the file:

    Property | Action | Notes
    wn-port | Set the value to 38443. |
    wn-use-https | Set the value to true. |
    wn-trust-store | Uncomment the wn-trust-store property and set it to the absolute path of the truststore that holds the Content Execution Router's certificate. | For more information about the truststore path, see Add the Content Execution Router's certificate to a truststore on the Pentaho Server.
    wn-truststore-password | Uncomment the wn-truststore-password property and set it to the truststore's password. | For more information about the truststore password, see Add the Content Execution Router's certificate to a truststore on the Pentaho Server. Enter a plain text password or one encrypted using the Pentaho encryption tool. For more information, see Using the Pentaho encryption tool.

  3. Save and close the pentaho.worker.nodes.cfg file.

Results

Your file changes are immediately active. You do not need to restart the Pentaho Server.

Using the Pentaho encryption tool

Pentaho offers a password encryption tool, available in the following locations:

  • In the PDI client, use one of these scripts: encr.sh or encr.bat.
  • In the Pentaho Server, call the REST endpoint POST /<webapp-name>/api/password/encrypt. This method passes your password in the password parameter.
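The two pentaho.worker.nodes.cfg procedures on this page (the authentication properties and the TLS-SSL properties) are easy to get half right: a property left commented out counts as unset, and a password left in plain text is readable by anyone with access to the file. The following script checks a copy of the file against the values the page specifies. It is an added example, not Pentaho's own tooling: the property names come from this page, the "Encrypted " prefix test assumes the value format produced by the Pentaho encryption tool, and both sample files are constructed (the encrypted values in them are placeholders).

```python
"""Check pentaho.worker.nodes.cfg for the secure settings described on this page.

Added example, not Pentaho's own tooling. Property names come from the page; the
"Encrypted " prefix test assumes the value format the Pentaho encryption tool
(encr.sh / encr.bat) produces; the sample files below are constructed.
"""
import re

KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


def parse_cfg(text):
    """Parse a Karaf-style .cfg file (Java properties subset).

    Commented-out lines are skipped, so '#wn-trust-store=...' counts as unset,
    which is exactly what the page's "uncomment the property" step addresses.
    """
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = KEY_VALUE.match(stripped)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def is_encrypted(value):
    """Assumed format of values produced by the Pentaho encryption tool."""
    return value.startswith("Encrypted ")


def check_secure_settings(props):
    """Return a list of findings; an empty list means the file matches the secure setup."""
    findings = []
    if props.get("wn-security-enabled", "false").lower() != "true":
        findings.append("wn-security-enabled must be true (the default is false)")
    if props.get("wn-use-https", "").lower() != "true":
        findings.append("wn-use-https must be true")
    if props.get("wn-port") != "38443":
        findings.append("wn-port must be 38443 for TLS/SSL to the Content Execution Router")
    if not props.get("wn-trust-store"):
        findings.append("wn-trust-store is unset or still commented out")
    if not props.get("wn-truststore-password"):
        findings.append("wn-truststore-password is unset or still commented out")
    if not props.get("wn-username"):
        findings.append("wn-username is missing")
    for key in ("wn-password", "wn-truststore-password"):
        value = props.get(key)
        if value and not is_encrypted(value):
            findings.append(f"{key} is stored in plain text; use the Pentaho encryption tool")
    return findings


# Constructed sample: defaults still in place, truststore lines still commented out.
INSECURE_CFG = """\
wn-username=admin
wn-password=changeit
wn-security-enabled=false
wn-port=8080
wn-use-https=false
#wn-trust-store=/path/to/truststore
#wn-truststore-password=changeit
"""

# Constructed sample after following the page; "Encrypted 0000..." is a placeholder value.
SECURE_CFG = """\
wn-username=admin
wn-password=Encrypted 00000000000000000000000000000000
wn-security-enabled=true
wn-port=38443
wn-use-https=true
wn-trust-store=/opt/pentaho/Security/cer-truststore.jks
wn-truststore-password=Encrypted 00000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CFG), ("secure", SECURE_CFG)):
        print(name, check_secure_settings(parse_cfg(text)) or "OK")
```

To check a live file, pass open("pentaho.worker.nodes.cfg").read() to parse_cfg(). The page states that changes to this file take effect without a restart, so a check like this is worth running immediately after editing, before the server starts delegating executions with the new settings.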

Enable LDAP in Foundry

Before setting up LDAP in Foundry, you must complete the previous configuration steps for secure communication.

You can configure security providers on Foundry which validate users against a specified security provider, such as Microsoft Active Directory. The following steps illustrate the example of setting up LDAP for adding an identity provider, assigning roles, and creating groups.

This task assumes you are logged in to the Pentaho Worker Nodes Administration Application.

Procedure

  1. Add an Identity Provider.

    1. Click Configuration and then select Security from the menu that displays.

    2. In the header, click Identity Providers. Click Create on the right side to begin adding an identity provider.

    3. Enter the following information for the settings.

      Setting | Description | LDAP entry
      Type | Enter the type of identity provider you want to use. | Active Directory (LDAP)
      Security Realm Name | Enter the name that is displayed as a Security Realm option on the login screen. It is best practice to use a name that your users will recognize. | <LDAP-Realm>
      Description | (Optional) Enter a description for the Identity Provider. |
    4. In the Connection panel, enter the following information in the fields.

      Setting | Description | LDAP entry
      Identity Provider Hostname * | Enter the connection string used to communicate with the identity provider, such as 'provider.example.com'. | <LDAP-IP>
      Transport Security | Select the protocol to use for securing communications with the identity provider. You may choose from None, TLS Security, or SSL. | None
      Identity Provider Host Port * | Select the network port used to communicate with the identity provider. The default value is either '389' or '636', depending on the option selected for the Transport Security setting. | <LDAP-Port>
      User Name * | Enter the user credential for authenticating with the identity provider. | <LDAP-Username>
      Password * | Enter the password credential for authenticating with the identity provider. | <password>
      Domain | Enter the Active Directory (AD) domain that the user is a member of. Use the short name of the domain to log in using the <DOMAIN/user> format. If you want users to log in using just a user name, leave this field blank. | <LDAP-Domain>
      Search Base DN * | Enter the distinguished name of the location in the identity provider where you want the system to begin searching for users and groups. | dc=<LDAP-Domain>,dc=com
      Default Domain Name | Enter the domain name to use when a user attempts to log in without specifying a domain name. | <LDAP-Domain>.com
  2. To verify that a successful connection is made to the identity provider, click Test.

  3. Click Create.

  4. Next, add a group.

    1. In the header, click Groups and then click Discover Groups to open a list of groups.

    2. For LDAP, select <LDAP-Group> and click the Plus Sign to add the group.

    3. Click Create Group.

  5. Next, add Roles.

    1. In the header, click Roles and then enter the role name.

    2. Click Toggle All and then click Create.

  6. Select the group to which you want to assign roles, then select the Assign Pentaho Roles check box.

    You can now use any user from your <LDAP-Group>.

Enable secure communication on the Pentaho Server

You can add authentication steps for your LDAP configuration on the Pentaho Server by editing the specified properties on pentaho.worker.nodes.cfg.

Procedure

  1. Open the pentaho.worker.nodes.cfg file and specify the LDAP user credentials for the following properties:

    • wn-username=<LDAP-UserName>
    • wn-password=<LDAP-Password>
  2. If your user is not part of the Local domain, open the pentaho.worker.nodes.cfg file and specify the following property:

    • wn-realm=<LDAP-Realm>
    For example, your Local domain user would be your Foundry Admin App user.