Privacera Documentation

Configure SSL for Privacera Platform

You can enable or disable SSL for the following Privacera services:

Add the SSL property of the service you want to configure to the vars.ssl.yml file and set it to true or false.

Note

Support Chain SSL - Preview Functionality

Previously, Privacera services used only one SSL certificate of the LDAP server, even if a chain of certificates was available. Now, as a Preview functionality, all the certificates available in the certificate chain are imported into the truststore. This applies to the Privacera usersync, Ranger usersync, and portal SSL certificates.

SSL enablement properties

Service        Property
Solr           SOLR_SSL_ENABLE: "true"
AuditServer    AUDITSERVER_SSL_ENABLE: "true"
Portal         PORTAL_SSL_ENABLE: "true"
Grafana        GRAFANA_SSL_ENABLE: "true"
Ranger         RANGER_SSL_ENABLE: "true"

Note (Solr)

If you are transitioning a Privacera environment where all Privacera services are running from non-SSL to SSL, or vice versa, the update process will take 15-30 minutes longer due to the additional Solr transition process.

Enable Data Access Server proxy SSL

To enable the Data Access Server proxy with self-signed SSL, set the value of the DATASERVER_PROXY_SSL property to "true":

DATASERVER_PROXY_SSL: "true"

To enable the proxy with signed SSL, follow these steps:

  1. Copy the following keys to ~/privacera/privacera-manager/config/ssl:

    • Signed PEM Full Chain

    • Signed PEM Private Key

  2. Add the following properties:

    DATASERVER_SSL_SELF_SIGNED: "false"
    DATASERVER_HOST_NAME: "<PLEASE_CHANGE>"
    DATASERVER_SSL_SIGNED_PEM_FULL_CHAIN: "<PLEASE_CHANGE>"
    DATASERVER_SSL_SIGNED_PEM_PRIVATE_KEY: "<PLEASE_CHANGE>"
    DATASERVER_SSL_SIGNED_CERT_FORMAT: "<PLEASE_CHANGE>"

  3. (Optional) If your CA certificate is generated with a private key, then copy the Signed Root CA Public Key to the location ~/privacera/privacera-manager/config/ssl and add the following:

    DATASERVER_SSL_SIGNED_ROOT_CA_PUBLIC_KEY: "<PLEASE_CHANGE>"
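
A pre-flight check for the signed-SSL steps above, written as an added example that is not part of the Privacera documentation or tooling. It assumes the two PEM properties hold file names inside the ssl directory; get_prop and check_dataserver_ssl are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight check for the signed-SSL Data Access Server settings.
# Assumption: the *_PEM_* properties hold file names inside the ssl directory.

# get_prop FILE KEY: print KEY's value (last definition wins), quotes stripped.
get_prop() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 |
        tr -d '"' | sed 's/[[:space:]]*$//'
}

# check_dataserver_ssl VARS_FILE SSL_DIR: return 0 if ready, 1 otherwise.
check_dataserver_ssl() {
    vars=$1; ssl_dir=$2; rc=0
    if [ "$(get_prop "$vars" DATASERVER_SSL_SELF_SIGNED)" != "false" ]; then
        echo "DATASERVER_SSL_SELF_SIGNED must be \"false\" for signed SSL" >&2; rc=1
    fi
    for key in DATASERVER_HOST_NAME DATASERVER_SSL_SIGNED_PEM_FULL_CHAIN \
               DATASERVER_SSL_SIGNED_PEM_PRIVATE_KEY DATASERVER_SSL_SIGNED_CERT_FORMAT; do
        case $(get_prop "$vars" "$key") in
            ''|'<PLEASE_CHANGE>') echo "$key is unset or a placeholder" >&2; rc=1 ;;
        esac
    done
    chain=$(get_prop "$vars" DATASERVER_SSL_SIGNED_PEM_FULL_CHAIN)
    pkey=$(get_prop "$vars" DATASERVER_SSL_SIGNED_PEM_PRIVATE_KEY)
    for f in "$chain" "$pkey"; do
        # The cleanup command on this page deletes config/ssl/dataserver*.
        case $f in dataserver*) echo "$f would be removed by the cleanup rm" >&2; rc=1 ;; esac
        [ -f "$ssl_dir/$f" ] || { echo "missing $ssl_dir/$f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ssl_dir/$chain" || true)
    if [ "$certs" -lt 1 ]; then
        echo "$chain contains no PEM certificate" >&2; rc=1
    fi
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$ssl_dir/$pkey"; then
        echo "$pkey contains no PEM private key" >&2; rc=1
    fi
    # Group/other permission bits on the private key must all be clear.
    if [ "$(ls -ld "$ssl_dir/$pkey" | cut -c5-10)" != "------" ]; then
        echo "$pkey is accessible to group/other; chmod 600 it" >&2; rc=1
    fi
    return "$rc"
}

# Run as: sh check.sh <path to vars.ssl.yml> <path to ssl directory>
if [ "$#" -eq 2 ]; then check_dataserver_ssl "$1" "$2"; fi
```

Run it against your vars.ssl.yml and ~/privacera/privacera-manager/config/ssl before the Privacera Manager update; each problem is reported on stderr and the exit status is non-zero if any check fails.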

Disable Data Access Server proxy SSL

To disable the Data Access Server proxy SSL, set the value of DATASERVER_PROXY_SSL to "false".

DATASERVER_PROXY_SSL: "false"

When switching between Data Access Server SSL and non-SSL, or between self-signed and signed, you must remove the previously generated Data Access Server SSL configuration before running the Privacera Manager update.

To remove the previously generated SSL configuration, run the following command:

rm -rf ~/privacera/privacera-manager/config/ssl/dataserver*