
Enable CA Signed Certificates with Privacera Platform

This topic explains how to use CA-signed certificates with Privacera services, including Privacera Portal, Apache Ranger, Apache Ranger KMS, and Privacera Encryption Gateway (PEG). Doing so secures the connections between the internal Privacera components (Dataserver, Ranger KMS, Discovery, PolicySync, and UserSync) and SSL-enabled servers.

Certificates issued by a Certificate Authority (CA) or another third party must be created for the specific hostname (subdomain) at which each service is reached.

Privacera supports signed certificates in PEM format ('pem' files).

Copy the certificate chain (public) and private key files to:

  • ~/privacera/privacera-manager/config/ssl/ssl_cert_full_chain.pem
  • ~/privacera/privacera-manager/config/ssl/ssl_cert_private_key.pem

Configuration

  1. SSH to the instance as ${USER}.

  2. Create and open the vars.ssl.yml file.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.ssl.yml config/custom-vars/
    vi config/custom-vars/vars.ssl.yml
    
  3. Set values for the following properties:

    • SSL_SELF_SIGNED: false
    • SSL_DEFAULT_PASSWORD (use a strong password with upper and lower case letters, symbols, and numbers)
    • Uncomment the following property/value pairs and set the appropriate value for each:

      #PRIVACERA_PORTAL_KEYSTORE_ALIAS
      #PRIVACERA_PORTAL_KEYSTORE_PASSWORD
      #PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD
      #RANGER_ADMIN_KEYSTORE_ALIAS
      #RANGER_ADMIN_KEYSTORE_PASSWORD
      #RANGER_ADMIN_TRUSTSTORE_PASSWORD
      #DATASERVER_SSL_TRUSTSTORE_PASSWORD
      #USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD

      If KMS is enabled, also uncomment and set the following:

      #RANGER_KMS_KEYSTORE_ALIAS
      #RANGER_KMS_KEYSTORE_PASSWORD
      #RANGER_KMS_TRUSTSTORE_PASSWORD

      If PEG is enabled, also uncomment and set the following:

      #PEG_KEYSTORE_ALIAS
      #PEG_KEYSTORE_PASSWORD
      #PEG_TRUSTSTORE_PASSWORD

      The SSL section of vars.ssl.yml then looks like this (the KMS and PEG lines stay commented out when those services are not enabled):

      SSL_SELF_SIGNED: "false"
      SSL_DEFAULT_PASSWORD: "<PLEASE_CHANGE>"
      #SSL_SIGNED_PEM_FULL_CHAIN: "ssl_cert_full_chain.pem"
      #SSL_SIGNED_PEM_PRIVATE_KEY: "ssl_cert_private_key.pem"
      SSL_SIGNED_CERT_FORMAT: "pem"

      #PRIVACERA_PORTAL_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #PRIVACERA_PORTAL_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"

      #RANGER_ADMIN_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #RANGER_ADMIN_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #RANGER_ADMIN_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"

      #DATASERVER_SSL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"

      #USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"

      #Below is needed only if you have KMS enabled
      #RANGER_KMS_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #RANGER_KMS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #RANGER_KMS_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"

      #Below is needed only if you have PEG enabled
      #PEG_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"
      #PEG_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
      #PEG_TRUSTSTORE_PASSWORD: "<PLEASE_CHANGE>"


      Save and exit.

  4. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
  5. For Kubernetes-based deployments, restart the services:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh restart
    
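Before running `./privacera-manager.sh update`, it is worth checking that the two PEM files copied into config/ssl and the edited vars.ssl.yml are actually in the state the steps above require. The pre-flight script below is an added example, not part of the Privacera documentation or of privacera-manager: it uses only the Python standard library, the property names shown in the vars.ssl.yml excerpt, and the file names from the copy step. It flags properties still left at "<PLEASE_CHANGE>", required properties still commented out, a half-configured KMS or PEG block, a weak SSL_DEFAULT_PASSWORD (the 12-character minimum is an added assumption; the page only asks for mixed case, digits and symbols), and a chain or key file whose PEM blocks are not what their name says. The sample inputs are constructed; the "DER" payload is only an ASN.1 SEQUENCE header, not a real certificate, and the check is structural, not cryptographic.

```python
import base64
import binascii
import re
import string

PLACEHOLDER = "<PLEASE_CHANGE>"
# Property names as they appear in vars.ssl.yml on the page.
REQUIRED = ("SSL_SELF_SIGNED", "SSL_DEFAULT_PASSWORD", "SSL_SIGNED_CERT_FORMAT")
OPTIONAL_GROUPS = {
    "KMS": ("RANGER_KMS_KEYSTORE_ALIAS", "RANGER_KMS_KEYSTORE_PASSWORD",
            "RANGER_KMS_TRUSTSTORE_PASSWORD"),
    "PEG": ("PEG_KEYSTORE_ALIAS", "PEG_KEYSTORE_PASSWORD", "PEG_TRUSTSTORE_PASSWORD"),
}
PROP_LINE = re.compile(r"^([A-Z0-9_]+):\s*(.*)$")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def parse_vars(text):
    """Map uncommented 'KEY: "value"' lines to {KEY: value}; lines starting with '#' are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = PROP_LINE.match(line)
            if m:
                props[m.group(1)] = m.group(2).strip().strip('"')
    return props


def strong_password(pw):
    """Upper, lower, digit and symbol as the page asks; the 12-character floor is an assumption."""
    return (len(pw) >= 12
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def check_vars(text):
    """Return the problems found in a vars.ssl.yml; an empty list means it is ready for 'update'."""
    props, problems = parse_vars(text), []
    for key in REQUIRED:
        if key not in props:
            problems.append(f"{key} is missing or still commented out")
    for key, value in props.items():
        if value == PLACEHOLDER:
            problems.append(f"{key} still has the {PLACEHOLDER} placeholder")
    if props.get("SSL_SELF_SIGNED", "").lower() != "false":
        problems.append('SSL_SELF_SIGNED must be "false" for CA-signed certificates')
    if props.get("SSL_SIGNED_CERT_FORMAT", "").lower() != "pem":
        problems.append('SSL_SIGNED_CERT_FORMAT must be "pem"')
    pw = props.get("SSL_DEFAULT_PASSWORD", "")
    if pw and pw != PLACEHOLDER and not strong_password(pw):
        problems.append("SSL_DEFAULT_PASSWORD lacks upper/lower case, digits or symbols")
    # A KMS or PEG block with only some of its three properties uncommented is incomplete.
    for name, keys in OPTIONAL_GROUPS.items():
        present = [k for k in keys if k in props]
        if present and len(present) != len(keys):
            missing = ", ".join(k for k in keys if k not in props)
            problems.append(f"{name} is only partially configured; also set {missing}")
    return problems


def check_pem_files(full_chain, private_key):
    """Structural lint of the chain and key files (no signature or hostname verification)."""
    problems = []
    certs = PEM_BLOCK.findall(full_chain)
    if not certs:
        problems.append("ssl_cert_full_chain.pem has no CERTIFICATE block")
    elif len(certs) == 1:
        problems.append("ssl_cert_full_chain.pem has only one certificate; check that the "
                        "intermediate CA certificate(s) are not missing")
    for label, body in certs:
        if label != "CERTIFICATE":
            problems.append(f"ssl_cert_full_chain.pem contains a {label} block; only certificates belong there")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("a certificate block is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a DER Certificate is an ASN.1 SEQUENCE
            problems.append("a certificate block does not decode to DER")
    keys = PEM_BLOCK.findall(private_key)
    if len(keys) != 1:
        problems.append(f"ssl_cert_private_key.pem must hold exactly one key block, found {len(keys)}")
    elif not keys[0][0].endswith("PRIVATE KEY"):
        problems.append(f"ssl_cert_private_key.pem holds a {keys[0][0]} block, not a private key")
    return problems


# Constructed samples (assumption): the DER bytes are a bare SEQUENCE header, not a real certificate.
def _pem(label, der):
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


FAKE_DER = b"\x30\x82\x01\x00" + bytes(16)
SAMPLE_FULL_CHAIN = _pem("CERTIFICATE", FAKE_DER) * 2   # leaf + intermediate
SAMPLE_PRIVATE_KEY = _pem("PRIVATE KEY", FAKE_DER)
GOOD_VARS = 'SSL_SELF_SIGNED: "false"\nSSL_DEFAULT_PASSWORD: "Tr0ub4dor&Xyz!"\n' \
            'SSL_SIGNED_CERT_FORMAT: "pem"\nPRIVACERA_PORTAL_KEYSTORE_ALIAS: "privacera"\n' \
            '#RANGER_KMS_KEYSTORE_ALIAS: "<PLEASE_CHANGE>"\n'
BAD_VARS = 'SSL_SELF_SIGNED: "false"\nSSL_DEFAULT_PASSWORD: "<PLEASE_CHANGE>"\n' \
           'SSL_SIGNED_CERT_FORMAT: "pem"\nRANGER_KMS_KEYSTORE_ALIAS: "kms"\n'

if __name__ == "__main__":
    for name, found in (("good vars", check_vars(GOOD_VARS)), ("bad vars", check_vars(BAD_VARS)),
                        ("pem files", check_pem_files(SAMPLE_FULL_CHAIN, SAMPLE_PRIVATE_KEY))):
        print(name, "OK" if not found else "\n  - " + "\n  - ".join(found))
```

To use it against a real deployment, read config/custom-vars/vars.ssl.yml and the two files under config/ssl into strings and pass them to check_vars and check_pem_files; a non-empty list is the reason not to run `update` yet. The lint deliberately stops short of verifying the chain signature or the hostname, which `openssl verify` and the service's own TLS handshake cover once the files are in place.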

Last update: August 17, 2021