Security: HTTPS SemTK Services - ge-semtk/semtk GitHub Wiki

This page describes how to configure the SemTK Services to run using HTTPS instead of HTTP.

Configure SemTK Services to accept HTTPS requests

Set these environment variables in semtk-opensource/ENV_OVERRIDE:

export SSL_ENABLED=true
export SSL_KEY_STORE_TYPE=PKCS12
export SSL_KEY_STORE=/path/to/keystore/keystore.p12
export SSL_KEY_STORE_PASSWORD=whatever

## for CURL command to check if the services are up
export no_proxy=localhost,127.0.0.1,.ge.com

To confirm that services are starting up with HTTPS settings, check the service logs at startup time:

2018-10-15 11:40:33 ----- PROPERTIES: --------------------
...
2018-10-15 11:40:33 ssl.enabled: true
...
2018-10-15 11:40:34 --------------------------------------

Configure SemTK Java clients to make HTTPS calls

Override $SERVICE_PROTOCOL (and all environment variables that depend on it) in semtk-opensource/ENV_OVERRIDE:

export SERVICE_PROTOCOL=https
export SPARQLQUERY_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export STATUS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export RESULTS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export DISPATCH_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export HIVE_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUPSTORE_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export ONTOLOGYINFO_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUPEXECUTION_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUP_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export INGESTION_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export LOGGING_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}

export resultsBaseURL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}
export resultsServiceURL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results

export INGEST_URL=${SERVICE_PROTOCOL}://${INGESTION_SERVICE_HOST}:${PORT_INGESTION_SERVICE}/ingestion/
export QUERY_URL=${SERVICE_PROTOCOL}://${SPARQLQUERY_SERVICE_HOST}:${PORT_SPARQL_QUERY_SERVICE}/sparqlQueryService/
export STATUS_URL=${SERVICE_PROTOCOL}://${STATUS_SERVICE_HOST}:${PORT_SPARQLGRAPH_STATUS_SERVICE}/status/
export RESULTS_URL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results/
export DISPATCHER_URL=${SERVICE_PROTOCOL}://${DISPATCH_SERVICE_HOST}:${PORT_DISPATCH_SERVICE}/dispatcher/
export HIVE_URL=${SERVICE_PROTOCOL}://${HIVE_SERVICE_HOST}:${PORT_HIVE_SERVICE}/hiveService/
export NGSTORE_URL=${SERVICE_PROTOCOL}://${NODEGROUPSTORE_SERVICE_HOST}:${PORT_NODEGROUPSTORE_SERVICE}/nodeGroupStore/
export OINFO_URL=${SERVICE_PROTOCOL}://${ONTOLOGYINFO_SERVICE_HOST}:${PORT_ONTOLOGYINFO_SERVICE}/ontologyinfo/
export NGEXEC_URL=${SERVICE_PROTOCOL}://${NODEGROUPEXECUTION_SERVICE_HOST}:${PORT_NODEGROUPEXECUTION_SERVICE}/nodeGroupExecution/
export NG_URL=${SERVICE_PROTOCOL}://${NODEGROUP_SERVICE_HOST}:${PORT_NODEGROUP_SERVICE}/nodeGroup/

export WEB_PROTOCOL=${SERVICE_PROTOCOL}

To confirm that clients are using HTTPS to make service calls, look for entries like this in the logs:

2018-10-15 11:47:24 Connecting to: https://host:12051/status/setPercentComplete
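
The two checks below are an added example, not part of SemTK. The first reads `env`-style input and lists variables that still select plain HTTP (a dependent override that was missed); the second lists `Connecting to:` log entries made over http://. The sample environment, the log lines, port 12052 and the `/results/example` path are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not SemTK code): find settings and client calls that still
# use plain HTTP after SERVICE_PROTOCOL has been overridden.

# Reads NAME=value lines (the format `env` prints) on stdin and prints the
# names of variables that still select plain HTTP:
#   - any *_PROTOCOL variable whose value is not "https"
#   - any variable whose value is an http:// URL
find_plain_http_vars() {
  awk -F= '
    {
      name = $1
      value = substr($0, length(name) + 2)   # keeps "=" characters inside the value
    }
    name ~ /_PROTOCOL$/ && value != "https" { print name; next }
    value ~ /^http:\/\//                     { print name }
  '
}

# Reads service log lines on stdin and prints the URL of every client call
# ("Connecting to: ...") that was made over plain HTTP.
find_plain_http_calls() {
  sed -n 's/^.*Connecting to: \(http:\/\/[^[:space:]]*\).*$/\1/p'
}

# Constructed sample: two variables that depend on SERVICE_PROTOCOL were missed.
SAMPLE_ENV='SERVICE_PROTOCOL=https
STATUS_SERVICE_PROTOCOL=https
RESULTS_SERVICE_PROTOCOL=http
STATUS_URL=https://host:12051/status/
RESULTS_URL=http://host:12052/results/
WEB_PROTOCOL=https
HOME=/home/semtk'

# Constructed sample log: one HTTPS call and one plain-HTTP call.
SAMPLE_LOG='2018-10-15 11:47:24 Connecting to: https://host:12051/status/setPercentComplete
2018-10-15 11:47:25 Connecting to: http://host:12052/results/example'

printf '%s\n' "$SAMPLE_ENV" | find_plain_http_vars    # names of stale variables
printf '%s\n' "$SAMPLE_LOG" | find_plain_http_calls   # plain-HTTP call URLs

# Real use (assumption: this shell already has the SemTK environment loaded):
#   env | find_plain_http_vars
```

Empty output from both functions means no variable and no logged client call is left on plain HTTP.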

Note: the curl command in startServices.sh uses the --insecure option, so it encrypts the connection but skips certificate validation.