Skip to main content

Privacera Platform master publication

Enable CA signed certificates with Privacera Platform
:
Enable CA signed certificates with Privacera Platform

This topic provides instructions for use of CA Signed Certificates with Privacera services including Privacera Portal, Apache Ranger, Apache Ranger KMS, and Privacera Encryption Gateway. It establishes a secure connection between internal Privacera components (Dataserver, Ranger KMS, Discovery, PolicySync, and UserSync) and SSL-enabled servers.

Certificate Authority (CA) or third-party generated certificates must be created for the specific hostname subdomain.

Privacera supports signed certificates as 'pem' files.

CLI configuration
  1. SSH to the instance where Privacera is installed.

  2. Copy the public (ssl_cert_full_chain.pem) and private key (ssl_cert_private_key.pem) files to the ~/privacera/privacera-manager/config/ssl/ location.

  3. Create and open the vars.ssl.yml file.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.ssl.yml config/custom-vars/
    vi config/custom-vars/vars.ssl.yml
    
  4. Set values for the following properties:

    • SSL_SELF_SIGNED: false;

    • SSL_DEFAULT_PASSWORD (Use a strong password with upper and lower case, symbols, and numbers);

    • Uncomment Property/Value pairs and set the appropriate value for:

      #PRIVACERA_PORTAL_KEYSTORE_ALIAS
      
      #PRIVACERA_PORTAL_KEYSTORE_PASSWORD
      
      #PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD
      
      #RANGER_ADMIN_KEYSTORE_ALIAS
      
      #RANGER_ADMIN_KEYSTORE_PASSWORD
      
      #RANGER_ADMIN_TRUSTSTORE_PASSWORD
      
      #DATASERVER_SSL_TRUSTSTORE_PASSWORD
      
      #USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD
      

      If KMS is enabled, uncomment, and set the following:

      >#RANGER_KMS_KEYSTORE_ALIAS
      
      #RANGER_KMS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #RANGER_KMS_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      

      If PEG enabled, uncomment, and set the following:

      #PEG_KEYSTORE_ALIAS
      
      #PEG_KEYSTORE_PASSWORD
      
      #PEG_TRUSTSTORE_PASSWORD
      
      SSL_SELF_SIGNED: "false"
      SSL_DEFAULT_PASSWORD: "<PLEASE_CHANGE>"
      #SSL_SIGNED_PEM_FULL_CHAIN: "ssl_cert_full_chain.pem"
      #SSL_SIGNED_PEM_PRIVATE_KEY: "ssl_cert_private_key.pem"
      SSL_SIGNED_CERT_FORMAT: "pem"
      
      #PRIVACERA_PORTAL_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #PRIVACERA_PORTAL_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #RANGER_ADMIN_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #RANGER_ADMIN_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #RANGER_ADMIN_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #DATASERVER_SSL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #Below is need only if you have KMS enabled
      #RANGER_KMS_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #RANGER_KMS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #RANGER_KMS_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
      #Below is needed only if you have PEG enabled
      #PEG_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #PEG_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #PEG_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"
      
  5. Add domain names for the Privacera services. See Add Domain Names for Privacera Service URLs.

  6. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
  7. For Kubernetes based deployments, restart services:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh restart