
Securing the Analytics server connections

The diagram and matching steps explain the sequence of actions required to secure Analytics.
To enable SSL for the Analytics server connections, export your SkyVault certificates, run the key store generation script that is provided, and copy your trust stores back to SkyVault.
  1. On the SkyVault server, use the Java key store utility to export the SkyVault server certificate from the SkyVault server key store.

    For example:

    keytool -exportcert -file SkyVault-server.crt -keystore /opt/alfresco-5.1/alf_data/keystore/ssl.keystore -alias ssl.alfresco.ca -storetype JCEKS -storepass kT9X6oe68t

    where SkyVault-server.crt is the name that you choose to call your SkyVault server certificate. A key store is provided by default with SkyVault in alf_data/keystore.

    Copy the server certificate and trust store (using your preferred tool; for example, FTP) to the Analytics server $HOME directory:

    • SkyVault server certificate: SkyVault-server.crt
    • SkyVault trust store: ssl.truststore, located (by default) in alf_data/keystore

    If you have not copied over a SkyVault trust store, you will be prompted to create this when you run the key store generation script.

  2. On the SkyVault server, create a key store and key pair for ActiveMQ.

    For example:

    keytool -genkeypair -alias ssl.activemq.ca -keyalg RSA -storetype JCEKS -dname "CN=SkyVault ActiveMQ Server, OU=Unknown, O=SkyVault Software Ltd., L=Maidenhead, ST=UK, C=GB" -keystore /opt//activemq/conf/amq-server.keystore -keypass Oio5An0WzL -storepass Oio5An0WzL

    Then export the ActiveMQ certificate from this key store, using the same alias and store type that the key pair was created with. For example:

    keytool -exportcert -file amq-server.crt -keystore /opt//activemq/conf/amq-server.keystore -alias ssl.activemq.ca -storetype JCEKS -storepass Oio5An0WzL

    where amq-server.crt is the name that you choose to call your ActiveMQ server certificate.

    If you have an existing instance of ActiveMQ, copy the server certificate and trust store to the Analytics server $HOME directory:

    • ActiveMQ server certificate, for example: amq-server.crt
    • ActiveMQ trust store, for example: amq-server.truststore, located in activemq/conf in the Analytics installation directory.

    If you do not have an ActiveMQ trust store, you will be prompted to create one when you run the key store generation script.

  3. On the SkyVault server, navigate to activemq/conf/activemq_ssl.xml in the Analytics installation directory. Edit the sslContext configuration parameters to ensure they match your amq-server.keystore and amq-server.truststore settings.

    Note: For security, set the permissions on activemq/conf/activemq_ssl.xml to 600 (chmod 600) so that only the ActiveMQ user can read this file.
  4. On the Analytics server, from the bin directory of the Analytics installation, run the generate_keystores.sh script:

    ./generate_keystores.sh
    This script creates trust stores in the SkyVault installation directory for the BA server, the SkyVault listeners and the DI database. Trust stores are also created for ActiveMQ and the SkyVault repository if they were not copied over from the SkyVault server.

    You might want to review the parameters in the script if you have used non-default locations for your installation directories.

  5. Copy the new or updated trust stores from the Analytics server back to the SkyVault server:

    • SkyVault trust store: $HOME/ssl.truststore to alf_data/keystore/ssl.truststore
    • ActiveMQ trust store: activemq/conf/amq-server.truststore to activemq/conf/amq-server.truststore
  6. To configure SSL with PostgreSQL on the Analytics server, follow these instructions: Secure connections with SSL.

    On the Analytics server, add the database server certificate that you have created to the listener, BA server, and DI trust stores that were generated using generate_keystores.sh in step 4:

    • Listeners trust store: listeners/bin/amq-client.truststore
    • BA server trust store: ba-server/ba-server.truststore
    • DI trust store: data-integration/data-integration.truststore
  7. To configure SSL with MySQL on the Analytics server, follow these instructions: Configuring MySQL to Use SSL Connections.
  8. Test your SSL configuration.
    1. Restart your SkyVault server, ActiveMQ, listener, and BA server components.
    2. Check that the listeners connect successfully to ActiveMQ, and that the logs have no errors.
    3. Check that the health status of the listeners is OK.
    4. Check that the BA server connects successfully to SkyVault, and that the logs have no errors.

    For more information on checking the health of connections, see Monitoring events in SkyVault Analytics.
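
Before restarting the components in step 8, you can confirm that each certificate exported in steps 1, 2 and 6 is actually present in the trust stores it was meant for. The script below is an added example, not part of the product or its documentation; the name check_truststores.sh, the STORETYPE variable and the JCEKS trust store type are assumptions.

```sh
#!/bin/sh
# Added example: confirm that an exported certificate is present in each trust
# store by comparing SHA-256 fingerprints. Assumption: the trust stores are
# JCEKS, like the key stores above; set STORETYPE to override.

# Print the SHA-256 fingerprints found in `keytool -printcert` or
# `keytool -list -v` output read from stdin, upper-cased, one per line.
sha256_fingerprints() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:][0-9A-Fa-f:]*\)[[:space:]]*$/\1/p' |
    tr 'a-f' 'A-F' | sort -u
}

# cert_in_truststore CERT_FILE TRUSTSTORE
# Returns 0 if the certificate is in the trust store, 1 if not, 2 if the
# certificate file could not be read. keytool prompts for the store password,
# so it never appears in the process list or shell history.
cert_in_truststore() {
  want=$(keytool -printcert -file "$1" | sha256_fingerprints)
  [ -n "$want" ] || { echo "cannot read certificate: $1" >&2; return 2; }
  keytool -list -v -keystore "$2" -storetype "${STORETYPE:-JCEKS}" |
    sha256_fingerprints | grep -qxF -- "$want"
}

# Usage: check_truststores.sh CERT_FILE TRUSTSTORE...
if [ "$#" -ge 2 ]; then
  cert=$1; shift; rc=0
  for ts in "$@"; do
    if cert_in_truststore "$cert" "$ts"; then
      echo "OK       $ts"
    else
      echo "MISSING  $ts"; rc=1
    fi
  done
  exit "$rc"
fi
```

For example, run it on the SkyVault server as `./check_truststores.sh amq-server.crt activemq/conf/amq-server.truststore`; a MISSING line means the trust store copied in step 5 does not contain that certificate.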