6.9 Enabling HTTPS & SSO for OpenMetadata

This section provides step-by-step instructions for configuring HTTPS and Single Sign-On (SSO) in OpenMetadata.

To enable HTTPS and SSO for OpenMetadata:
  1. Generate or Obtain a Keystore.

    For production environments, use an X.509 certificate from a trusted Certificate Authority (CA) and import it into a Java Keystore. For testing or development, you can create a self-signed certificate.

    To create a self-signed certificate, run the following command:

    keytool -ext SAN=DNS:<HOST> -keystore openmetadata.keystore.jks -alias <ALIAS> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -genkey -validity 365

    Note:

    • SAN (Subject Alternative Name): The value needs a type prefix, DNS:<hostname> or IP:<address>, and must match the name or address that clients use to reach OpenMetadata; TLS hostname verification checks the SAN, not the certificate's CN. Several entries can be combined with commas, for example SAN=DNS:<HOST>,IP:<IP>.
    • Alias: Use a meaningful alias for the certificate. The same alias is set as certAlias in openmetadata.yaml in step 5.
    • Password: Choose a secure keystore password. keytool prompts for it (for both the store and the key); the same value is entered later as keyStorePassword in step 5.

    Example:

    keytool -ext SAN=IP:100.76.164.165 -keystore openmetadata.keystore.jks -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -genkey -validity 365 
  2. Move the Keystore. After generating the keystore, move the file to the OpenMetadata configuration directory:
    <OM-INSTALL-DIR>/openmetadata-1.3.0/conf
  3. Export the Certificate. The clients that must trust the server (the JVM truststore in step 4 and the pipeline service client in step 7) need the public certificate only. If a CA issued the certificate in step 1, you already have it as a file; otherwise extract it from the keystore with this command (the export never contains the private key):

    keytool -exportcert -keystore openmetadata.keystore.jks -alias <ALIAS> -file <CERT NAME>

    By default the file is binary DER; add -rfc to write PEM, which Java's X.509 CertificateFactory and OpenSSL-based tools both read. Alternatively, use a UI tool for exporting the certificate.

  4. Import the Certificate to the Java Truststore. OpenMetadata itself makes outbound HTTPS calls, including to the publicKeyUrls configured in step 6 (one of which points back at the OpenMetadata server), so the JVM that runs it must trust the certificate. To add it to Java's cacerts truststore, run the following command:

    keytool -importcert -file <cert-file> -cacerts -alias <ALIAS>

    keytool prompts for the truststore password; the default for cacerts is changeit. The command modifies the JDK's shared truststore, so it needs write access to the JDK installation and has to be repeated after the JDK is upgraded or replaced. If the certificate was issued by a CA that the JDK already trusts, skip this step; for a private CA, import the CA's root certificate rather than the server certificate.

  5. Update the OpenMetadata SSL Configuration. To do so:
    1. Modify the OpenMetadata configuration file located at:

      <OM-INSTALL-DIR>/openmetadata-1.3.0/conf/openmetadata.yaml

    2. In the server section, ensure the applicationConnectors section includes the following HTTPS configuration:
      server:
        applicationConnectors:
          - type: https
            port: ${SERVER_PORT:-8585}
            keyStorePath: ./conf/openmetadata.keystore.jks
            keyStorePassword: password123
            keyStoreType: JKS
            certAlias: om_als
            supportedProtocols: [TLSv1.2, TLSv1.3]
            excludedProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]

      Note:

      • keyStorePath: Ensure the path points to the keystore you moved in step 2; a relative path resolves against the directory OpenMetadata is started from.
      • keyStorePassword: Enter the password for your keystore. The literal shown is a placeholder; prefer the ${VAR:-default} substitution syntax used elsewhere in the file (for example keyStorePassword: ${KEYSTORE_PASSWORD}, with a variable name of your choice) so the secret lives in the environment rather than in the configuration file.
      • certAlias: Must match the alias given to keytool in step 1, otherwise the connector cannot find the key.
      • supportedProtocols: Only TLSv1.2 and TLSv1.3 are valid current protocol names. Keep TLSv1 and TLSv1.1 out of the list; they are deprecated. Every SSL variant belongs in excludedProtocols as shown.
  6. Update the SSO Configuration. To do so:
    1. If you are using Single Sign-On (SSO), locate the authenticationConfiguration section and configure the SSO provider details:
      authenticationConfiguration:
        provider: ${AUTHENTICATION_PROVIDER:-"custom-oidc"}
        responseType: ${AUTHENTICATION_RESPONSE_TYPE:-id_token}
        providerName: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-"Oracle"}
        publicKeyUrls:
          - "https://idcs-e1cc81fab76840ff92e07aa94c413b76.identity.pint.oc9qadev.com:443/admin/v1/SigningCert/jwk"
          - "https://100.76.147.137:8585/api/v1/system/config/jwks"
        authority: ${AUTHENTICATION_AUTHORITY:-https://idcs-e1cc81fab76840ff92e07aa94c413b76.identity.pint.oc9qadev.com}
        clientId: ${AUTHENTICATION_CLIENT_ID:-"e8e56537bb6047e7a0a70565a1f64239"}
        callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-"https://100.76.147.137:8585/callback"}
        jwtPrincipalClaims: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
        enableSelfSignup: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
    2. Replace the placeholders with your provider-specific values, such as:
      • AUTHENTICATION_AUTHORITY: The URL of your SSO provider (the OIDC issuer).
      • AUTHENTICATION_CLIENT_ID: The client ID for your application.
      • AUTHENTICATION_CALLBACK_URL: The callback URL for your application. It must be an https:// URL on the OpenMetadata host and must be registered as a redirect URI at the provider.
      • publicKeyUrls: The provider's JWKS endpoint plus OpenMetadata's own /api/v1/system/config/jwks, both over https://. OpenMetadata fetches these documents to verify token signatures, which is why the JVM must trust the server certificate (step 4).
      • enableSelfSignup: true lets any user who can authenticate at the provider create an OpenMetadata account on first login. Set it to false if accounts are to be provisioned explicitly.
  7. Update Pipeline Service Client Configuration for HTTPS. To do so:
    1. In the OpenMetadata configuration file, verify the pipelineServiceClientConfiguration section is updated for HTTPS:
      pipelineServiceClientConfiguration:
        enabled: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true}
        className: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"}
        apiEndpoint: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-https://localhost:8080}
        metadataApiEndpoint: ${SERVER_HOST_API_URL:-https://100.76.147.137:8585/api}
        verifySSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"validate"}
        sslConfig:
          certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-"/scratch/openmetadata-ins-dir/openmetadata-1.3.0/conf/om.cer"}
    2. Ensure the following:
      • PIPELINE_SERVICE_CLIENT_ENDPOINT: The Airflow (pipeline service) API URL, using https:// once Airflow is served over TLS.
      • SERVER_HOST_API_URL: Points to the HTTPS API endpoint for OpenMetadata; the pipeline service uses it to call back into OpenMetadata.
      • PIPELINE_SERVICE_CLIENT_VERIFY_SSL: Keep validate. The value ignore accepts any certificate and removes the protection TLS is meant to provide.
      • PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: The certificate (or CA chain) against which the endpoint's TLS certificate is validated, given as an absolute path readable by the OpenMetadata process.
  8. Update STSA Configuration. To do so, modify the OpenMetadata URL in the EST configuration file to use the HTTPS URL.
  9. Start Services and Verify. To do so:
    1. After all configurations are updated, restart the OpenMetadata and STSA services.
    2. Verify that both the connection and integration are functioning correctly.

    Note:

    If using a self-signed certificate, browsers may display a warning. For production environments, always use certificates signed by a trusted Certificate Authority (CA).
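
The following script is an added example; it is not part of this guide or of the OpenMetadata project. It wraps steps 1, 3 and 4 and the check in step 9 so that the keystore password is read from the environment (keytool's -storepass:env form) instead of being typed on the command line, the SAN always carries the DNS: or IP: prefix, and the supportedProtocols list is validated before it is pasted into openmetadata.yaml. Assumed names: the OM_KEYSTORE_PASS variable and the script name om_tls.sh are chosen here; the alias om_als, the file om.cer and port 8585 are taken from the configuration above; the host name is whatever you pass in. keytool and openssl are assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not part of this guide or of the OpenMetadata project.
# Wraps steps 1, 3 and 4 (keystore, certificate export, JDK truststore) and the
# TLS check of step 9. Assumptions: keytool and openssl are on PATH, the alias
# om_als and the file name om.cer come from the guide, OM_KEYSTORE_PASS is an
# environment variable name chosen here so the password never appears on the
# command line, and the target host name is whatever the caller passes in.
set -eu

# Build keytool's -ext SAN=... value. Tokens of only digits and dots are IPv4
# addresses and get the IP: prefix; everything else is a DNS: name. The prefix
# is mandatory, and hostname verification compares against the SAN, not the CN.
# (IPv6 literals are not handled; add them by hand as IP:<addr>.)
san_ext() {
    out=""
    for name in "$@"; do
        case "$name" in
            *[!0-9.]*) entry="DNS:$name" ;;
            *)         entry="IP:$name" ;;
        esac
        out="${out:+$out,}$entry"
    done
    printf 'SAN=%s\n' "$out"
}

# Validate a supportedProtocols list before it goes into openmetadata.yaml:
# only TLSv1.2 and TLSv1.3 are accepted; TLSv1/TLSv1.1 are deprecated and a
# misspelling such as TLSv1.5 names a protocol that does not exist.
check_protocol_names() {
    rc=0
    for proto in "$@"; do
        case "$proto" in
            TLSv1.2|TLSv1.3) ;;
            *) printf 'rejecting supportedProtocols entry: %s\n' "$proto" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Step 1: RSA-2048 key pair and self-signed certificate carrying the SAN.
# -storepass:env / -keypass:env read the password from the named variable.
gen_keystore() {  # $1 keystore file, $2 alias, $3 primary host, $4.. extra SAN entries
    ks=$1; al=$2; host=$3; shift 3
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
        -alias "$al" -dname "CN=$host" -ext "$(san_ext "$host" "$@")" \
        -keystore "$ks" -storetype JKS \
        -storepass:env OM_KEYSTORE_PASS -keypass:env OM_KEYSTORE_PASS
}

# Step 3: export the public certificate only (PEM via -rfc); the private key stays in the keystore.
export_cert() {  # $1 keystore file, $2 alias, $3 output certificate file
    keytool -exportcert -rfc -alias "$2" -keystore "$1" \
        -storepass:env OM_KEYSTORE_PASS -file "$3"
}

# Step 4: trust the certificate in the JDK's cacerts store (default password
# changeit). Needs write access to the JDK and is lost when the JDK is replaced.
import_to_cacerts() {  # $1 alias, $2 certificate file
    keytool -importcert -noprompt -cacerts -storepass changeit -alias "$1" -file "$2"
}

# Step 9: the listener must accept TLS 1.2 with a certificate that validates
# against the exported file, and must refuse TLS 1.1. A client-side OpenSSL that
# itself refuses TLS 1.1 also makes the second connection fail, which is the
# desired outcome either way.
verify_tls() {  # $1 host, $2 port, $3 certificate file
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -CAfile "$3" 2>/dev/null \
        | grep -E 'Protocol|Verify return code'
    if printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -tls1_1 >/dev/null 2>&1; then
        echo "WARNING: $1:$2 still accepts TLS 1.1" >&2
        return 1
    fi
}

case "${1:-}" in
    keystore)   # usage: OM_KEYSTORE_PASS=... sh om_tls.sh keystore <host> [<ip> ...]
        shift
        : "${OM_KEYSTORE_PASS:?set OM_KEYSTORE_PASS before running}"
        gen_keystore openmetadata.keystore.jks om_als "$@"
        export_cert openmetadata.keystore.jks om_als om.cer
        import_to_cacerts om_als om.cer ;;
    protocols)  # usage: sh om_tls.sh protocols TLSv1.2 TLSv1.3
        shift; check_protocol_names "$@" ;;
    verify)     # usage: sh om_tls.sh verify <host> [<port>] [<cert>]
        verify_tls "$2" "${3:-8585}" "${4:-om.cer}" ;;
    "")         ;;  # no arguments: only define the functions (e.g. when sourced)
    *)          echo "usage: $0 keystore <host> [<ip> ...] | protocols <name> ... | verify <host> [<port>] [<cert>]" >&2; exit 2 ;;
esac
```

Run the keystore subcommand before step 2 (it writes openmetadata.keystore.jks and om.cer into the current directory), the protocols subcommand on the list you intend to put in supportedProtocols, and the verify subcommand after the restart in step 9. The keytool warning about migrating the JKS store to PKCS12 is expected, because the configuration above declares keyStoreType: JKS.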