SSL is configured through the
server:certificate_password settings in the appSettings.json file located in the DataHub installation folder. These changes can be made after a successful installation. The DataHub Manager service will need to be restarted for the changes to take effect. Follow the steps below to configure SSL.
- Place your server certificate file in the DataHub installation directory or other secure location.
Edit the appSettings.json file in the DataHub installation directory to include the certificate file name and password. If the certificate is located outside the installation directory, specify the absolute path to the file, escaping backslashes. For example,
portsettings will also need to be updated to reflect the environment. See the example below.
3. Restart the DataHub Manager service.
server:load_full_cert_chain properties are also provided. By default both values are set to
true. This means that by default, certificate revocation lists will be checked and the full certificate chain (as provided in the given PKCS12 certificate specified in
server:certificate) is loaded into the user's trust store. In some cases
server:check_certificate_revocation should be set to
false, for example when blocking outbound traffic through port 80.
If outbound traffic through port 80 is blocked, the port must be opened the first time DataHub is started. This allows the root and intermediate certificates to be verified before placement in the trust store. The port may be closed again once DataHub has finished its startup process.
false and DataHub was already started with
server:load_full_cert_chain is unset or set to true, the applicable certificates will need to be removed from the user's trust store and the DataHub service restarted. In the case of Linux deployments, the user's trust store is typically located in the user's home directory that is running DataHub under
It is highly recommended that weak TLS ciphers are disabled, such as RC4 based cipher suites and those using authentication and encryption less than 128 bits. The use of weak ciphers creates risk of compromise of SSL or TLS communications, allowing a man-in-the-middle attacker the ability to potentially decrypt network traffic. DataHub disables all protocols other than TLS 1.2. However, the system administrator must also ensure that the underlying system configuration excludes weak cipher suites. It is also recommended that system administrators disable client renegotiation and enable perfect forward secrecy. For additional information, please see Mozilla's recommendations.
These settings are not configurable in DataHub, as the server inherits these settings from the host operating system in the case of Windows environments.
For Windows environments, see this Microsoft Support Article for instructions on disabling individual ciphers. For Linux environments, a reverse-proxy server with the appropriate SSL/TLS protocol and cipher configuration is recommended. Please see your reverse-proxy's documentation for how to configure these settings.