Security: HTTPS SemTK Services
This page describes how to configure the SemTK Services to run using HTTPS instead of HTTP.
Set these environment variables in semtk-opensource/ENV_OVERRIDE:
export SSL_ENABLED=true
export SSL_KEY_STORE_TYPE=PKCS12
export SSL_KEY_STORE=/path/to/keystore/keystore.p12
export SSL_KEY_STORE_PASSWORD=whatever
## for CURL command to check if the services are up
export no_proxy=localhost,127.0.0.1,.ge.com
To confirm that services are starting up with HTTPS settings, check the service logs at startup time:
2018-10-15 11:40:33 ----- PROPERTIES: --------------------
...
2018-10-15 11:40:33 ssl.enabled: true
...
2018-10-15 11:40:34 --------------------------------------
Override $SERVICE_PROTOCOL (and all environment variables that depend on it) in semtk-opensource/ENV_OVERRIDE:
export SERVICE_PROTOCOL=https
export SPARQLQUERY_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export STATUS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export RESULTS_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export DISPATCH_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export HIVE_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUPSTORE_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export ONTOLOGYINFO_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUPEXECUTION_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export NODEGROUP_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export INGESTION_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export LOGGING_SERVICE_PROTOCOL=${SERVICE_PROTOCOL}
export resultsBaseURL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}
export resultsServiceURL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results
export INGEST_URL=${SERVICE_PROTOCOL}://${INGESTION_SERVICE_HOST}:${PORT_INGESTION_SERVICE}/ingestion/
export QUERY_URL=${SERVICE_PROTOCOL}://${SPARQLQUERY_SERVICE_HOST}:${PORT_SPARQL_QUERY_SERVICE}/sparqlQueryService/
export STATUS_URL=${SERVICE_PROTOCOL}://${STATUS_SERVICE_HOST}:${PORT_SPARQLGRAPH_STATUS_SERVICE}/status/
export RESULTS_URL=${SERVICE_PROTOCOL}://${RESULTS_SERVICE_HOST}:${PORT_SPARQLGRAPH_RESULTS_SERVICE}/results/
export DISPATCHER_URL=${SERVICE_PROTOCOL}://${DISPATCH_SERVICE_HOST}:${PORT_DISPATCH_SERVICE}/dispatcher/
export HIVE_URL=${SERVICE_PROTOCOL}://${HIVE_SERVICE_HOST}:${PORT_HIVE_SERVICE}/hiveService/
export NGSTORE_URL=${SERVICE_PROTOCOL}://${NODEGROUPSTORE_SERVICE_HOST}:${PORT_NODEGROUPSTORE_SERVICE}/nodeGroupStore/
export OINFO_URL=${SERVICE_PROTOCOL}://${ONTOLOGYINFO_SERVICE_HOST}:${PORT_ONTOLOGYINFO_SERVICE}/ontologyinfo/
export NGEXEC_URL=${SERVICE_PROTOCOL}://${NODEGROUPEXECUTION_SERVICE_HOST}:${PORT_NODEGROUPEXECUTION_SERVICE}/nodeGroupExecution/
export NG_URL=${SERVICE_PROTOCOL}://${NODEGROUP_SERVICE_HOST}:${PORT_NODEGROUP_SERVICE}/nodeGroup/
export WEB_PROTOCOL=${SERVICE_PROTOCOL}
To confirm that clients are using HTTPS to make service calls, look for entries like this in the logs:
2018-10-15 11:47:24 Connecting to: https://host:12051/status/setPercentComplete
Note: the CURL command in startServices.sh uses the --insecure option, which makes it perform encryption only (while skipping certificate validation)
