Configuring and Installing an SSL Certificate for the Team Studio Server (Manual)

Configuring Team Studio with an SSL certificate is a good practice. This procedure shows you how to generate an SSL certificate with OpenSSL.

Caution: If you use a self-signed certificate, users receive an untrusted SSL certificate warning in their browser.

Procedure

  1. Generate an RSA private key.
    openssl genrsa -des3 -out server.key 2048
  2. Generate a certificate signing request (CSR).
    openssl req -new -key server.key -out server.csr
  3. Respond to the questions as shown in this example:
    What is your first and last name?
    [Unknown]:  chorus-ga.greenplum.com
    Note: Enter the URL for Chorus.
    What is the name of your organizational unit?
    [Unknown]:  Data and Insights
    What is the name of your organization?
    [Unknown]:  Greenplum
    What is the name of your City or Locality?
    [Unknown]:  San Mateo
    What is the name of your State or Province?
    [Unknown]:  California
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is CN=chorus-ga.greenplum.com, OU=Data and Insights,
    O=Greenplum, L=San Mateo, ST=California, C=US correct?
    [no]:  yes
    Enter key password for <chorus>
        (RETURN if same as keystore password.)
  4. Enter a common name that is the fully qualified domain name (FQDN) of your server, or the value localhost.
  5. Remove the passphrase from the key.
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key

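    Without this step, you must type the password you created in step 1 each time you start Team Studio. The resulting server.key is unencrypted, so restrict read access to it to the account that runs Team Studio.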

  6. Generate a self-signed certificate from the CSR.
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    

    If you want an official SSL certificate (recommended), submit this CSR to a signing authority such as Thawte or Verisign and continue to the next step when you have the certificate (.crt) file.

  7. Install the private key and certificate into Team Studio.
    Set the following properties in chorus.properties to point to the locations of your private key and certificate files:
    ssl.enabled= true
    ssl_server_port= 8443
    ssl_certificate= /usr/local/chorus/current/config/test.crt
    ssl_certificate_key= /usr/local/chorus/current/config/test.key
    public_url = nate.alpinedata.com
  8. Verify that the public_url matches the FQDN you specified for the certificate in step 2.
  9. Restart Team Studio to apply the configuration.
    Note: To run Team Studio on port 443, the default SSL port (for example, https://hostname:443), set up a web server proxy in front of Team Studio.
  10. Create a Java TrustStore.
    $JAVA_HOME/bin/keytool -import -file server.crt -alias localhost

    If this is the first time you are running the keytool utility, you are prompted to create a password.

  11. Open $CHORUS_HOME/shared/ALPINE_DATA_REPOSITORY/configuration/deploy.properties.
  12. Locate the line starting with alpine.catalina.opts, and append the following text to the end of the line:
    -Djavax.net.ssl.trustStore=/home/chorus/.keystore -Djavax.net.ssl.trustStorePassword=changethis

    The TrustStore location is in the user's home directory by default. In this case, the user is chorus. The trustStorePassword should match the password you set in step 7.

  13. Open $CHORUS_HOME/shared/ALPINE_DATA_REPOSITORY/configuration/agent-jetty.ini and add the following lines:
    -Djavax.net.ssl.trustStore=/home/chorus/.keystore
    -Djavax.net.ssl.trustStorePassword=changethis

    Use the same store location and password as in the deploy.properties file.

  14. Save and close the agent-jetty.ini file.
  15. Open the alpine.conf file for editing, and then locate and modify the following lines:
    chorus {
            active = true
            scheme = HTTPS
            host = nate.alpinedata.com
            port = 8443
            }

    The scheme should be HTTPS to indicate the use of HTTPS instead of HTTP. The host should match the common name you specified when generating the certificate. This is typically the hostname of the server or localhost. The port is the value specified as the SSL port in chorus.properties; by default, this is 8443. These values must match.

  16. Start or restart all services using chorus_control.sh restart.
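
The checks implied by steps 7 and 8 can be scripted and run before the restart in step 9. This is an added example, not part of the original procedure or the product: the names check_tls_pair and make_sample and the hostname teamstudio.example.com are assumptions, the sample key, certificate and properties file are constructed, and public_url is assumed to hold a bare hostname as shown in step 7.

```shell
#!/bin/sh
# Added example (not product code). Exit codes of check_tls_pair:
# 0 ok, 1 key/cert mismatch, 2 CN differs from public_url, 3 expired, 4 key < 2048 bits.
check_tls_pair() {   # usage: check_tls_pair CERT KEY CHORUS_PROPERTIES
    cert=$1 key=$2 props=$3

    # The certificate must contain the public half of the configured private key.
    # "-passin pass:" makes a still-encrypted key (step 5 skipped) fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1

    # Step 8: the certificate common name must equal public_url.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    url=$(awk -F= '$1 ~ /^[ \t]*public_url[ \t]*$/ {
              gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$props")
    [ -n "$cn" ] && [ "$cn" = "$url" ] || return 2

    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 3

    # Reject RSA keys shorter than 2048 bits.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 4
    return 0
}

# Constructed sample: throwaway key, self-signed certificate and properties file.
make_sample() {   # usage: make_sample DIR HOSTNAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    printf 'ssl.enabled= true\npublic_url = %s\n' "$2" > "$1/chorus.properties"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" teamstudio.example.com
check_tls_pair "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/chorus.properties"
echo "check_tls_pair exit code: $?"
rm -rf "$demo_dir"
```

Against a real installation, pass the paths set in ssl_certificate and ssl_certificate_key together with the chorus.properties file itself.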