Privacera Documentation

Enable CA-signed certificates on Privacera Platform

You can use CA-signed certificates with Privacera services, including Privacera Portal, Apache Ranger, Apache Ranger KMS, and Privacera Encryption Gateway. With a CA-signed certificate, the internal Privacera components (Data Access Server, Ranger KMS, Discovery, PolicySync, and UserSync) can establish TLS connections to SSL-enabled servers and verify the server's identity against a trusted CA instead of relying on a self-signed certificate.

Certificates issued by a Certificate Authority (CA) or other third party must be issued for the exact hostname (or subdomain) that clients use to reach each service: a TLS client checks the server's hostname against the names in the certificate, and a certificate for a different name is rejected.

Privacera accepts signed certificates in PEM format ('pem' files): a full-chain certificate file and a separate private-key file.

To enable CA-signed certificates on Privacera Platform, follow these steps:

  1. SSH to the instance where Privacera is installed.

  2. Copy the full-chain certificate (ssl_cert_full_chain.pem: the server certificate followed by any intermediate CA certificates) and the private key (ssl_cert_private_key.pem) to ~/privacera/privacera-manager/config/ssl/. Restrict the private key file to the installing user (for example, chmod 600) and keep it out of version control.

  3. Create and open the vars.ssl.yml file.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.ssl.yml config/custom-vars/
    vi config/custom-vars/vars.ssl.yml
    
  4. Set values for the following properties:

    1. SSL_SELF_SIGNED: "false"

    2. SSL_DEFAULT_PASSWORD: use a strong password (upper- and lower-case letters, digits, and symbols). This and the keystore/truststore passwords below are secrets used by the services at runtime; do not commit vars.ssl.yml to source control.

    3. Uncomment the following property/value pairs and set appropriate values:

      PRIVACERA_PORTAL_KEYSTORE_ALIAS
      PRIVACERA_PORTAL_KEYSTORE_PASSWORD
      PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD
      RANGER_ADMIN_KEYSTORE_ALIAS
      RANGER_ADMIN_KEYSTORE_PASSWORD
      RANGER_ADMIN_TRUSTSTORE_PASSWORD
      DATASERVER_SSL_TRUSTSTORE_PASSWORD
      USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD

    4. If KMS is enabled, also uncomment and set:

      RANGER_KMS_KEYSTORE_ALIAS
      RANGER_KMS_KEYSTORE_PASSWORD
      RANGER_KMS_TRUSTSTORE_PASSWORD

    5. If PEG is enabled, also uncomment and set:

      PEG_KEYSTORE_ALIAS
      PEG_KEYSTORE_PASSWORD
      PEG_TRUSTSTORE_PASSWORD

    For reference, the relevant section of vars.ssl.yml looks like this once SSL_SELF_SIGNED has been set. Replace every <PLEASE_CHANGE> with your own value and uncomment only the lines that apply to your deployment:

      SSL_SELF_SIGNED: "false"
      SSL_DEFAULT_PASSWORD: "<PLEASE_CHANGE>"
      #SSL_SIGNED_PEM_FULL_CHAIN: "ssl_cert_full_chain.pem"
      #SSL_SIGNED_PEM_PRIVATE_KEY: "ssl_cert_private_key.pem"
      SSL_SIGNED_CERT_FORMAT: "pem"
      
      #PRIVACERA_PORTAL_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #PRIVACERA_PORTAL_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #RANGER_ADMIN_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #RANGER_ADMIN_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #RANGER_ADMIN_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #DATASERVER_SSL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #Below is needed only if you have KMS enabled
      #RANGER_KMS_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #RANGER_KMS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #RANGER_KMS_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #Below is needed only if you have PEG enabled
      #PEG_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #PEG_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #PEG_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
  5. Add domain names for Privacera services. See Add domain names for Privacera service URLs on Privacera Platform.

  6. Run the following commands:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
  7. For Kubernetes-based deployments, also restart the services:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh restart
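
Most failed rollouts of a CA-signed certificate come down to the files copied in step 2 rather than the properties in step 4: a key that does not match the certificate, a chain pasted root-first, a certificate issued for a different hostname, or a key left world-readable. The script below checks those points before step 6 is run. It is an added example and is not part of Privacera Manager or of this documentation; it assumes the openssl command-line tool is installed, uses the file names from step 2, and takes the ssl directory and the service hostname as arguments (the hostname privacera.example.com used in the usage line is a placeholder).

```bash
#!/usr/bin/env bash
# ssl-preflight.sh: sanity-check the CA-signed PEM pair before running
# ./privacera-manager.sh update. Added example, not part of Privacera Manager.
# Assumes the openssl CLI; file names are the ones from step 2 of this page.
set -euo pipefail

# The leaf certificate and the private key must belong together: reduce both
# to their public key and compare. `openssl x509` reads only the first
# certificate of the chain file, which must be the leaf.
key_matches_cert() {            # $1=chain.pem $2=key.pem
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write each certificate of a chain file to $2/cert-1.pem, $2/cert-2.pem, ...
split_chain() {                 # $1=chain.pem $2=outdir
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                            { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# A full chain must be ordered leaf -> intermediate(s) -> (optional) root,
# i.e. the issuer of each certificate is the subject of the next one.
chain_is_ordered() {            # $1=chain.pem
    local dir n i issuer subject ok=0
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")
    for ((i = 1; i < n; i++)); do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
    done
    rm -rf "$dir"
    return "$ok"
}

# The certificate must name the host that clients connect to. -checkhost
# matches against the Subject Alternative Names (CN only if there are none).
cert_covers_host() {            # $1=chain.pem $2=hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Fail if the leaf expires within $2 days (default 30), so renewal is planned
# before the rollout rather than after the first outage.
cert_not_expiring() {           # $1=chain.pem $2=days
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# The private key should be readable by the installing user only.
lock_down_key() {               # $1=key.pem
    chmod 600 "$1"
    case "$(ls -ld "$1")" in -rw-------*) return 0 ;; *) return 1 ;; esac
}

preflight() {                   # $1=ssl dir  $2=hostname clients connect to
    local chain="$1/ssl_cert_full_chain.pem" key="$1/ssl_cert_private_key.pem" rc=0
    key_matches_cert "$chain" "$key" || { echo "FAIL: private key does not match leaf certificate"; rc=1; }
    chain_is_ordered "$chain"        || { echo "FAIL: chain is not ordered leaf -> intermediates -> root"; rc=1; }
    cert_covers_host "$chain" "$2"   || { echo "FAIL: certificate does not cover hostname $2"; rc=1; }
    cert_not_expiring "$chain" 30    || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    lock_down_key "$key"             || { echo "FAIL: could not restrict permissions on $key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $chain and $key are ready for privacera-manager update"
    return "$rc"
}

# Usage (hostname is a placeholder for the name your clients use):
#   ./ssl-preflight.sh ~/privacera/privacera-manager/config/ssl privacera.example.com
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it against the config/ssl directory after step 2 and fix every FAIL line before step 6; a chain that passes here but is still rejected by a service usually points at the truststore passwords in step 4 rather than at the PEM files.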