The server certificate generated by the QueryGrid Manager REST API interface is internally generated and not signed by a Trusted Certificate Authority. You can install a custom server certificate that is signed by a Trusted Certificate Authority to create a secure environment when accessing the REST API.
The following is required to install a custom certificate:
- The certificate must be in PKCS12 or JKS keystore format.
- The Java keytool can be used to generate or import a certificate into the JKS keystore format
- OpenSSL can be used to generate or export a certificate into PKCS12 format
- The Subject Alternative Names must include the hostnames and IP addresses that will be used by Viewpoint or other REST API clients to access QueryGrid Manager.
This includes the QueryGrid Manager public address that can be viewed in the Viewpoint QueryGrid portlet.
- Generate and convert the certificate into the proper format (PKCS12 or JKS).
- Copy the certificate to the selected QueryGrid Manager for installation at a location accessible by the tdqgm user.
- Log into the QueryGrid Manager shell.
- Set the working directory: cd /opt/teradata/tdqgm/bin
- Run the ./set-cert.sh certfile command as either the root or tdqgm user, where certfile is the location of the custom JKS or PKCS12 keystore certificate.
- Answer the prompts with additional information such as keystore password, key password, or certificate alias.
At the prompt, provide confirmation to continue and wait for a successful restart of the QueryGrid Manager.
tdqgm1:/opt/teradata/tdqgm/bin # ./set-cert.sh mycert Starting set-cert command, just a moment... Enter the key store password: ******** Using certificate "custom". A restart of QueryGrid Manager is required to use the new certificate. Are you sure you want to install a custom certificate for port 9443? [y/n]: y Stopping QueryGrid Manager... Starting QueryGrid Manager... QueryGrid Manager started successfully. Use a browser to connect to https://sdlc6925.labs.teradata.com:9443/ and verify the certificate is working. To unset the certificate you can use the "set-cert.sh -u" command set-cert command successful.
- After restart, Viewpoint may need to be configured to trust the new certificate. If the JKS or PKCS12 keystore does not contain the full certificate chain, then the CA certificate must be added using the A file with a PEM or DER encoded certificate option.
- [Optional] To uninstall a custom certificate and revert back to the default certificate, run the following command: ./set-cert.sh -u