Assumptions
Clockspring is currently configured to use HTTPS with single-user authentication. If a multi-user configuration is already in place, be sure that the changes below don’t impact that authentication process.
Create the Keystore
Become the clockspring user
sudo su - clockspring
Change directories to /opt/clockspring/certificates
cd /opt/clockspring/certificates
Now we’ll create a new Java keystore and private key using the keytool command. In the san= extension, replace <FQDN> with the system’s fully qualified hostname and <IP ADDRESS> with the system’s IP address. The alias (clockspring-tls) and the keystore password chosen here are reused in the later steps, so note them down.
keytool -genkey -keystore keystore.jks -storetype jks -alias clockspring-tls -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048 -ext san=dns:<FQDN>,ip:<IP ADDRESS>
Complete the key generation prompts. A sample of responses is shown below.
| The "first and last name" should be the exact fully qualified hostname of your Clockspring instance |
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  clockspring.dev.clockspring.net
What is the name of your organizational unit?
  [Unknown]:  Clockspring
What is the name of your organization?
  [Unknown]:  Clockspring
What is the name of your City or Locality?
  [Unknown]:  Oxon Hill
What is the name of your State or Province?
  [Unknown]:  MD
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=clockspring.dev.clockspring.net, OU=Clockspring, O=Clockspring, L=Oxon Hill, ST=MD, C=US correct?
  [no]:  yes
Generate the Certificate Signing Request
The CSR is what you send to your certificate authority to obtain a signed certificate. It uses the same alias and the same san= extension as the key generated above.
keytool -certreq -alias clockspring-tls -keystore keystore.jks -storetype jks -file clockspring.csr -ext san=dns:<FQDN>,ip:<IP ADDRESS>
Submit the generated CSR to your certificate authority. Continue to the next step once a valid certificate has been returned.
Install the Certificate
As the clockspring user, save the returned certificate in the /opt/clockspring/certificates/ folder.
| This guide assumes that the certificate name is clockspring.crt |
Change directories to /opt/clockspring/certificates
cd /opt/clockspring/certificates
First import the certificates of the CA that signed the certificate. Typically, these are the Root CA certificate and the Intermediate CA certificate from the Certificate Authority. Your environment may have more or fewer certificates in the chain, and the filenames may differ.
keytool -import -trustcacerts -alias rootCA -file rootCA.crt -keystore keystore.jks
keytool -import -trustcacerts -alias intermediateCA -file intermediateCA.crt -keystore keystore.jks
Test the chain:
openssl verify -verbose -CAfile <(cat intermediateCA.crt rootCA.crt) clockspring.crt
This command should return a message similar to the one below. If it fails, double-check that the installed CA certificates are the ones that actually signed clockspring.crt and that the chain is complete. Note that the <( ... ) process substitution requires bash; in a plain sh shell, concatenate the CA certificates into a bundle file first and pass that file to -CAfile.
clockspring.crt: OK
Once the CA certs are imported, the signed Clockspring certificate can be imported. Because it is imported under the same alias used for the key pair, keytool installs it as a certificate reply, replacing the self-signed certificate with the CA-signed chain:
keytool -import -trustcacerts -alias clockspring-tls -file clockspring.crt -keystore keystore.jks
Update ../conf/clockspring.properties (/opt/clockspring/conf/clockspring.properties) to include the new certificate information, using the keystore and key passwords chosen when the keystore was created:
nifi.security.keystore=./certificates/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=<password>
nifi.security.keyPasswd=<password>
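A restart with a wrong keystore path, a mismatched store type, or the <password> placeholder left in place is the usual reason the service fails to come up after this step. The POSIX shell check below is an added example, not part of the Clockspring documentation or distribution; it assumes the property names are exactly those shown above, that a relative nifi.security.keystore path resolves from the install directory (CLOCKSPRING_HOME is a name chosen for this example, defaulting to /opt/clockspring), and it accepts PKCS12 as well as JKS on the assumption that the underlying NiFi keystoreType property supports both.

```shell
#!/bin/sh
# Added example, not part of the Clockspring documentation: sanity-check the
# nifi.security.* keystore settings in clockspring.properties before restarting.
# Assumptions: property names as shown in the guide; a relative keystore path
# resolves from CLOCKSPRING_HOME (a name chosen here); PKCS12 accepted alongside
# JKS because the underlying NiFi property supports both.

CLOCKSPRING_HOME="${CLOCKSPRING_HOME:-/opt/clockspring}"

# prop FILE KEY: print the value of KEY in FILE (first match, empty if absent)
prop() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_tls_properties FILE
# Returns 0 when the keystore settings are present and consistent, 1 otherwise.
# Every problem found is printed on its own line so all can be fixed at once.
check_tls_properties() {
    f="$1"
    rc=0
    ks=$(prop "$f" nifi.security.keystore)
    kstype=$(prop "$f" nifi.security.keystoreType)
    kspw=$(prop "$f" nifi.security.keystorePasswd)
    keypw=$(prop "$f" nifi.security.keyPasswd)

    if [ -z "$ks" ]; then
        echo "nifi.security.keystore is not set"
        rc=1
    fi

    # The store type must match what keytool was told with -storetype
    case "$kstype:$ks" in
        JKS:*.jks|PKCS12:*.p12|PKCS12:*.pfx) ;;
        JKS:*|PKCS12:*)
            echo "keystoreType $kstype does not match keystore file name '$ks'"
            rc=1 ;;
        *)
            echo "nifi.security.keystoreType must be JKS or PKCS12, got '$kstype'"
            rc=1 ;;
    esac

    # Empty passwords or the literal <password> placeholder from the template
    for p in "$kspw" "$keypw"; do
        case "$p" in
            ""|"<password>")
                echo "keystorePasswd/keyPasswd is empty or still the <password> placeholder"
                rc=1
                break ;;
        esac
    done

    # Resolve the path the way the service will and confirm the file is there
    kspath=""
    case "$ks" in
        "")  ;;
        /*)  kspath="$ks" ;;
        *)   kspath="$CLOCKSPRING_HOME/${ks#./}" ;;
    esac
    if [ -n "$ks" ] && [ ! -f "$kspath" ]; then
        echo "keystore file not found: $kspath"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check-tls-props.sh /opt/clockspring/conf/clockspring.properties
if [ "$#" -eq 1 ]; then
    if check_tls_properties "$1"; then
        echo "$1: OK"
    else
        exit 1
    fi
fi
```

Run it as the clockspring user after editing the file; a non-zero exit lists every problem found. It deliberately only checks that the passwords are set, not what they are: they remain in cleartext in the file at this point, which is what the optional encrypt-config.sh step at the end of this guide addresses.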
Add certs to operating system
If your operating system is not already configured to trust the CA chain used above, add the CA certificates to the system trust store as follows.
Install the ca-certificates package
sudo yum install ca-certificates
Enable the dynamic CA configuration feature
sudo update-ca-trust force-enable
Copy the CA certificates into /etc/pki/ca-trust/source/anchors
cd /opt/clockspring/certificates
sudo cp rootCA.crt intermediateCA.crt /etc/pki/ca-trust/source/anchors/
Rebuild the system trust store so the new anchors are picked up:
sudo update-ca-trust extract
Restart the Clockspring application
sudo systemctl restart clockspring
Browsing to Clockspring should now present a certificate signed by your CA at: https://<clockspring_hostname>:8443/canvas
Optional: Encrypt configuration files
Clockspring can encrypt the sensitive values in its configuration files so that no cleartext passwords (such as the keystore and key passwords entered above) remain in them. This is an optional, but recommended, step that helps harden the platform after setup.
The encryption script is located at /opt/clockspring/bin/encrypt-config.sh.
You can run the encrypt-config.sh script with the -h option to see the full help message.
To encrypt the clockspring.properties file in the default location, run:
/opt/clockspring/bin/encrypt-config.sh -n /opt/clockspring/conf/clockspring.properties -b /opt/clockspring/conf/bootstrap.conf
You can also add the -l argument to encrypt the login-identity-providers.xml file and/or the -a argument to encrypt the authorizers.xml file.