To enable SSL/TLS (HTTPS) connectivity for CData Sync, you need a server certificate and its private key stored in a Java keystore. Sync accepts keystores in JKS, PKCS12, and JCEKS format.
This article explains how to create self-signed certificates using the keytool command and how to enable SSL/TLS connectivity for CData Sync.
Prerequisite: a Java Development Kit (JDK) must be installed on your system, because the keytool utility ships with it.
keytool manages keys and certificates and stores them in a keystore. It can create self-signed certificates and list the contents of a keystore. Its commands are platform-independent and work identically on Windows, macOS, and Linux.
Step 1: Creating a self-signed certificate
Open a Command Prompt or Terminal and run one of the following commands to create a keystore of the type you want to use. PKCS12 is the industry-standard format and the default keystore type since Java 9; JKS and JCEKS are Java-proprietary formats, and current versions of keytool print a warning recommending migration to PKCS12 when they are used.
a) Creating a JKS Keystore:
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -storetype JKS -keystore mykeystore.jks -validity 365
b) Creating a PKCS12 Keystore:
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore mykeystore.pfx -validity 365
c) Creating a JCEKS Keystore:
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -storetype JCEKS -keystore mykeystore.jceks -validity 365
Each command prompts for a keystore password, then for your name (keytool uses this answer as the certificate's Common Name, CN), your organization, and the other distinguished-name fields, and then generates a 2048-bit RSA key pair with a self-signed certificate under the alias mykey, valid for 365 days. When asked for your name, enter the host name that clients will use to reach Sync; modern browsers additionally require that host name in a Subject Alternative Name extension, which keytool can add through its -ext option. Because the certificate is self-signed, clients will not trust it until its public certificate is imported into their trust store.
Below is the sample screenshot:
By following these steps, you create a keystore in the desired format that can be used to enable SSL/TLS connectivity for CData Sync.
Step 2: Grant the service account permission to the keystore
Sync runs under the LOCAL SERVICE account, so that account must be able to read the keystore file. Full control is more than the service needs: it only reads the file, so Read is sufficient and is the least-privilege choice.
- Right-click the keystore file, choose Properties, and open the Security tab.
- If LOCAL SERVICE is not listed among the groups and users, click "Edit", then "Add" to add it.
- In the Add dialog click "Advanced", then "Find Now", select "LOCAL SERVICE" from the search results, and confirm to add it to the list of groups and users.
- With LOCAL SERVICE selected in the list, grant it "Full control" (or, preferably, only "Read") and apply the change.
Step 3: Generate the sync.properties file in the Sync installation directory
Check whether the file sync.properties exists in the Sync installation directory (default path: C:\Program Files\CData\CData Sync). If it is missing, open a terminal in that directory and run the following command to generate it:
java -jar sync.jar -GenerateProperties
Step 4: Edit sync.properties
To enable SSL/TLS connections (HTTPS), modify the sync.properties file in the installation directory as follows:
- Set cdata.tls.keyStoreType to the type of keystore you created. Valid values are jks, pkcs12, and jceks.
- Set cdata.tls.keyStorePath to the path of the keystore. ${cdata.home} can be used to refer to the installation directory. Java properties files treat a backslash as an escape character, so write Windows paths with forward slashes or doubled backslashes.
- Set cdata.tls.keyStorePassword to the keystore password. The password is stored in clear text, so restrict the NTFS permissions on sync.properties to administrators and the service account.
- Set cdata.tls.port to the port on which the HTTPS listener should run.
- (Optional, but recommended) Set cdata.http.port to an empty string to disable the plaintext HTTP listener, so that logins and data can no longer be sent unencrypted.
The final result should look similar to this example:
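The following is an added, illustrative TLS section for sync.properties; it is not taken from the article, and the keystore name, password, and port are assumptions to be replaced with your own values.

```properties
# Illustrative TLS settings for sync.properties (added example; values are assumptions).
# The keystore is assumed to be a PKCS12 file named mykeystore.pfx in the installation directory.
# Forward slashes avoid backslash escaping in a .properties file.
cdata.tls.keyStoreType=pkcs12
cdata.tls.keyStorePath=${cdata.home}/mykeystore.pfx
cdata.tls.keyStorePassword=changeit
cdata.tls.port=8443
# An empty value disables the plaintext HTTP listener, so credentials cannot be sent in clear text.
cdata.http.port=
```

The password sits in this file in clear text, which is why the file's permissions matter as much as the keystore's: anyone who can read sync.properties can also open the keystore and extract the private key.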
Once you have completed all the above steps, restart the CData Sync service and access Sync at https://<ip_address>:<port>. Because the certificate is self-signed, clients will warn that it is untrusted until you import its public certificate into their trust store, and they will also warn about a name mismatch unless the address you use appears in the certificate's name or Subject Alternative Names.
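The script below is an added example, not code from the CData article, that automates the four steps on Windows with least-privilege permissions and a listener check at the end. It assumes the default installation directory, a host name of sync.example.com with IP 10.0.0.5 (both placeholders), port 8443, a keystore named mykeystore.pfx, and that the Sync service runs as LOCAL SERVICE and has "CData Sync" in its display name, as the article states; the helper function Set-PropertyValue is this example's own.

```powershell
# Added example (not from the CData article): end-to-end TLS setup for CData Sync on Windows.
# Assumed values: adjust the installation directory, host name, IP, and port to your environment.
$ErrorActionPreference = 'Stop'

$installDir = 'C:\Program Files\CData\CData Sync'   # default path given in the article
$hostName   = 'sync.example.com'                     # assumption: the name clients will use in the URL
$ipAddress  = '10.0.0.5'                             # assumption: the server's IP, added as a SAN entry
$tlsPort    = 8443                                   # assumption: HTTPS port
$keystore   = Join-Path $installDir 'mykeystore.pfx'
$alias      = 'mykey'

# Read the keystore password without echoing it, and hand it to keytool through an environment
# variable (keytool's -storepass:env form) so it never appears in the command line or history.
$secure = Read-Host -Prompt 'Keystore password' -AsSecureString
$storePass = [System.Net.NetworkCredential]::new('', $secure).Password
$env:KS_PASS = $storePass

# Step 1: self-signed certificate in a PKCS12 keystore. -dname avoids the interactive prompts and
# -ext SAN adds the Subject Alternative Names that browsers require; the CN alone is not enough.
& keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 -storetype PKCS12 `
    -keystore $keystore '-storepass:env' KS_PASS '-keypass:env' KS_PASS -validity 365 `
    -dname "CN=$hostName, O=Example Org, C=US" `
    -ext "SAN=dns:$hostName,ip:$ipAddress"
if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }

# Check what was generated: one PrivateKeyEntry under the alias, with the expected SAN.
& keytool -list -v -keystore $keystore -storetype PKCS12 '-storepass:env' KS_PASS -alias $alias

# Export the public certificate (PEM) so clients can import or pin it explicitly.
& keytool -exportcert -alias $alias -keystore $keystore -storetype PKCS12 '-storepass:env' KS_PASS `
    -rfc -file (Join-Path $installDir 'sync-server.crt')

# Step 2: grant LOCAL SERVICE read access to the keystore. S-1-5-19 is the well-known SID for
# LOCAL SERVICE, which avoids the localized account name. The service only reads the file,
# so (R) is the least-privilege choice; Full control is not required.
& icacls $keystore /grant '*S-1-5-19:(R)'
if ($LASTEXITCODE -ne 0) { throw 'icacls on the keystore failed' }

# Step 3: generate sync.properties if it does not exist yet (run from the installation directory).
$propsPath = Join-Path $installDir 'sync.properties'
if (-not (Test-Path $propsPath)) {
    Push-Location $installDir
    try { & java -jar sync.jar -GenerateProperties } finally { Pop-Location }
}

# Step 4: set each TLS key, replacing an existing "key=" line or appending the key if absent.
function Set-PropertyValue {
    param([string]$Path, [string]$Key, [string]$Value)
    $pattern  = '^\s*' + [regex]::Escape($Key) + '\s*='
    $replaced = $false
    $out = @(foreach ($line in @(Get-Content -Path $Path)) {
        if (-not $replaced -and $line -match $pattern) { $replaced = $true; "$Key=$Value" }
        else { $line }
    })
    if (-not $replaced) { $out += "$Key=$Value" }
    Set-Content -Path $Path -Value $out
}
# Backslashes are escape characters in a .properties file: use "/" in the path and double them in the password.
Set-PropertyValue $propsPath 'cdata.tls.keyStoreType'     'pkcs12'
Set-PropertyValue $propsPath 'cdata.tls.keyStorePath'     '${cdata.home}/mykeystore.pfx'
Set-PropertyValue $propsPath 'cdata.tls.keyStorePassword' $storePass.Replace('\', '\\')
Set-PropertyValue $propsPath 'cdata.tls.port'             "$tlsPort"
Set-PropertyValue $propsPath 'cdata.http.port'            ''    # disable the plaintext listener

# sync.properties now holds the keystore password in clear text: drop inherited ACEs and allow only
# Administrators (S-1-5-32-544), SYSTEM (S-1-5-18) and LOCAL SERVICE. Modify rather than Read for the
# service is an assumption, in case Sync updates its own properties file.
& icacls $propsPath /inheritance:r /grant '*S-1-5-32-544:(F)' '*S-1-5-18:(F)' '*S-1-5-19:(M)'
if ($LASTEXITCODE -ne 0) { throw 'icacls on sync.properties failed' }
Remove-Item Env:\KS_PASS

# Restart the service (matched by display name, since the article does not give the service name)
# and confirm that something is listening on the TLS port.
Get-Service | Where-Object { $_.DisplayName -like '*CData Sync*' } | Restart-Service
Start-Sleep -Seconds 10
$tnc = Test-NetConnection -ComputerName 'localhost' -Port $tlsPort
if (-not $tnc.TcpTestSucceeded) { throw "Nothing is listening on port $tlsPort; check the Sync log" }
"Sync should now be reachable at https://${hostName}:$tlsPort"
```

Run the script from an elevated PowerShell session. Test-NetConnection only proves that the port is open; to confirm the served certificate, open the URL in a browser or with a TLS client and compare its fingerprint with the exported sync-server.crt, and expect the untrusted-issuer warning until that file is imported into the client's trust store.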