Configure SSL for the Cluster

The Okera cluster can be configured to use SSL. Okera strongly recommends that you use SSL for all Okera clusters, to avoid transmitting plain text credentials (such as usernames, passwords and tokens) over the network.

Notes: The Presto endpoint requires SSL.

In addition, if you enable SSL without specifying any other information, Okera will generate self-signed certificates.

Configuration Settings

For information on the Okera configuration settings used to configure SSL in the values.yaml file used by the Helm chart for your Okera cluster, see SSL Configuration Parameters.

Validate the SSL Configuration

Once your cluster is updated with the certificate configuration, use the openssl CLI to verify it can be fully validated.

For example, if your Web UI is at https://okera.company.com:8083, you can run:

$ openssl s_client -connect okera.company.com:8083
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.company.com
verify return:1
---
Certificate chain
0 s:/CN=*.okerademo.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
...

If you see an error such as "unable to verify the first certificate", it may mean that you do not have the full chain, or that the hostname/IP on which you are accessing the cluster does not match the Common Name (CN) in the certificate.
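To tell these causes apart in a script, the following added example (not part of the Okera documentation or tooling) classifies the output of openssl s_client by its final "Verify return code" line and counts the certificates in the presented chain. The function name check_s_client and the sample outputs are constructed for illustration; -servername and -verify_hostname are standard s_client options that do not appear on this page, and s_client only compares the hostname when -verify_hostname is given.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read on stdin.
# Live use, with the example host and port from this page:
#   openssl s_client -connect okera.company.com:8083 \
#     -servername okera.company.com -verify_hostname okera.company.com \
#     </dev/null 2>&1 | check_s_client
# Prints "result=.. code=.. chain=.. cause=.." and returns 0 only on code 0.
check_s_client() {
    awk '
        # Chain entries: " 0 s:/CN=..." (OpenSSL 1.0.x) or " 0 s:CN = ..." (1.1+).
        /^ *[0-9]+ s:/ { chain++ }
        # Keep the last verdict; TLS 1.3 output can repeat this line.
        /Verify return code:/ {
            code = $0
            sub(/^.*Verify return code: */, "", code)
            sub(/ .*$/, "", code)
            seen = 1
        }
        END {
            n = chain + 0
            if (!seen) { print "result=fail code=none chain=" n " cause=no-verdict"; exit 1 }
            res = (code == "0") ? "ok" : "fail"
            if (code == "0") cause = "none"
            else if (code == "20" || code == "21") cause = "incomplete-chain"
            else if (code == "18" || code == "19") cause = "self-signed"
            else if (code == "62") cause = "hostname-mismatch"
            else cause = "other"
            print "result=" res " code=" code " chain=" n " cause=" cause
            exit (code == "0") ? 0 : 1
        }'
}

# Constructed sample outputs (not captured from a real cluster).
SAMPLE_OK=' 0 s:CN = *.company.com
   i:C = US, O = Example CA, CN = Example Intermediate
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:O = Example CA, CN = Example Root
Verify return code: 0 (ok)'
SAMPLE_NO_CHAIN=' 0 s:CN = *.company.com
   i:C = US, O = Example CA, CN = Example Intermediate
Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_OK" | check_s_client
printf '%s\n' "$SAMPLE_NO_CHAIN" | check_s_client || true
```

A chain count of 1 together with cause=incomplete-chain indicates the server is sending only the leaf certificate; cause=self-signed is what to expect when SSL was enabled without supplying certificates.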