Security: HTTPS SemTK Services - ge-semtk/semtk GitHub Wiki
This page describes how to configure the SemTK Services to run using HTTPS instead of HTTP.
Configure SemTK Services to accept HTTPS requests
Set these environment variables in semtk-opensource/ENV_OVERRIDE:
export SSL_ENABLED=true
export SSL_KEY_STORE_TYPE=PKCS12
export SSL_KEY_STORE=/path/to/keystore/keystore.p12
export SSL_KEY_STORE_PASSWORD=whatever
# so the curl command that checks whether the services are up bypasses the proxy
export no_proxy=localhost,127.0.0.1,.ge.com
To confirm that services are starting up with HTTPS settings, check the service logs at startup time:
2018-10-15 11:40:33 ----- PROPERTIES: --------------------
...
2018-10-15 11:40:33 ssl.enabled: true
...
2018-10-15 11:40:34 --------------------------------------
Configure SemTK Java clients to make HTTPS calls
Override $SERVICE_PROTOCOL (and all environment variables that depend on it) in semtk-opensource/ENV_OVERRIDE:
export SERVICE_PROTOCOL=https
export SPARQLQUERY_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export STATUS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export RESULTS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export DISPATCH_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export HIVE_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUPSTORE_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export ONTOLOGYINFO_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUPEXECUTION_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUP_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export INGESTION_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export LOGGING_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export resultsBaseURL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}
export resultsServiceURL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results
export INGEST_URL=${SERVICE_PROTOCOL}://${INGESTION_SERVICE_HOST}:${PORT_INGESTION_SERVICE}/ingestion/
export QUERY_URL=${SERVICE_PROTOCOL}://${SPARQLQUERY_SERVICE_HOST}:${PORT_SPARQL_QUERY_SERVICE}/sparqlQueryService/
export STATUS_URL=${SERVICE_PROTOCOL}://${STATUS_SERVICE_HOST}:${PORT_SPARQLGRAPH_STATUS_SERVICE}/status/
export RESULTS_URL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results/
export DISPATCHER_URL=${SERVICE_PROTOCOL}://${DISPATCH_SERVICE_HOST}:${PORT_DISPATCH_SERVICE}/dispatcher/
export HIVE_URL=${SERVICE_PROTOCOL}://${HIVE_SERVICE_HOST}:${PORT_HIVE_SERVICE}/hiveService/
export NGSTORE_URL=${SERVICE_PROTOCOL}://${NODEGROUPSTORE_SERVICE_HOST}:${PORT_NODEGROUPSTORE_SERVICE}/nodeGroupStore/
export OINFO_URL=${SERVICE_PROTOCOL}://${ONTOLOGYINFO_SERVICE_HOST}:${PORT_ONTOLOGYINFO_SERVICE}/ontologyinfo/
export NGEXEC_URL=${SERVICE_PROTOCOL}://${NODEGROUPEXECUTION_SERVICE_HOST}:${PORT_NODEGROUPEXECUTION_SERVICE}/nodeGroupExecution/
export NG_URL=${SERVICE_PROTOCOL}://${NODEGROUP_SERVICE_HOST}:${PORT_NODEGROUP_SERVICE}/nodeGroup/
export WEB_PROTOCOL=${SERVICE_PROTOCOL}
To confirm that clients are using HTTPS to make service calls, look for entries like this in the logs:
2018-10-15 11:47:24 Connecting to: https://host:12051/status/setPercentComplete
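The override list above is long, and one dependent variable left at http leaves that client calling the service over plain HTTP. The check below is an added example, not part of SemTK: the function name check_https_overrides and the sample file are hypothetical, and it assumes the file contains only export lines like the ones shown on this page.

```shell
#!/bin/sh
# Added example (not SemTK code): list settings in an ENV_OVERRIDE-style file
# that would leave a service or client on plain HTTP.
# Assumption: the file holds only "export NAME=value" lines, as on this page.

# Prints one line per problem; returns 0 if none were found, 1 otherwise.
# The file is sourced in an empty environment so that only its own exports
# are inspected; unset host/port variables simply expand to "".
check_https_overrides() {
    problems=$(
        env -i PATH="$PATH" sh -c '
            case $1 in */*) f=$1 ;; *) f=./$1 ;; esac
            . "$f" >/dev/null && env' sh "$1" |
        awk '
            {
                eq = index($0, "="); if (eq == 0) next
                name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
            }
            name == "SSL_ENABLED" {
                seen = 1
                if (value != "true") print "SSL_ENABLED=" value
            }
            name ~ /_PROTOCOL$/ && value != "https" { print name "=" value }
            name ~ /URL$/ && index(value, "https://") != 1 { print name "=" value }
            END { if (!seen) print "SSL_ENABLED is not set" }
        '
    )
    if [ -z "$problems" ]; then return 0; fi
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample: one dependent variable is still set to http.
sample=$(mktemp)
cat > "$sample" <<'EOF'
export SSL_ENABLED=true
export SERVICE_PROTOCOL=https
export STATUS_SERVICE_PROTOCOL=http
export RESULTS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export STATUS_URL=${STATUS_SERVICE_PROTOCOL}://${STATUS_SERVICE_HOST}:${PORT_SPARQLGRAPH_STATUS_SERVICE}/status/
export RESULTS_URL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results/
EOF
check_https_overrides "$sample" || echo "HTTP settings remain in $sample"
rm -f "$sample"
```

Because the function sources the file, run it only against override files you would source yourself.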
Note: the curl command in startServices.sh uses the --insecure option, so the connection is encrypted but the server certificate is not validated.