6.10 Enabling SSL (HTTPS) for OpenMetadata (OM)

To secure OM using HTTPS, follow the steps below:
  1. Navigate to <OM-INSTALL-DIR>/openmetadata-1.3.0/conf and run the following command to generate a Java Keystore (.jks) file containing a self-signed certificate with a Subject Alternative Name (SAN). The SAN must be the exact host (IP address or DNS name) that clients will put in the HTTPS URLs, because Java clients check the SAN against the host they connected to; use SAN=DNS:<hostname> instead of SAN=IP:<IP> if clients connect by host name:
    keytool -ext SAN=IP:<IP> -keystore <keystore-name>.keystore.jks \
      -alias <alias> -keyalg RSA -keysize 2048 \
      -sigalg SHA256withRSA -genkey -validity 365

    Example:

    keytool -ext SAN=IP:100.76.147.137 -keystore openmetadata.keystore.jks \
      -alias om_als -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -genkey -validity 365

    You will be prompted for the keystore password and the certificate details. Provide the values as shown below (password123 is a placeholder; choose a strong password in a real deployment, because the same password is written into application.yml in step 6):

    Enter keystore password: password123
    Re-enter new password: password123
    What is your first and last name?
      [Unknown]: 100.76.147.137
    What is the name of your organizational unit?
      [Unknown]: OFSS
    What is the name of your organization?
      [Unknown]: ORACLE
    What is the name of your City or Locality?
      [Unknown]: BLR
    What is the name of your State or Province?
      [Unknown]: KA
    What is the two-letter country code for this unit?
      [Unknown]: IN
    Is CN=100.76.147.137, OU=OFSS, O=ORACLE, L=BLR, ST=KA, C=IN correct?
      [no]: yes

    Note:

    Upon confirmation, keytool generates the following:
    • A 2048-bit RSA key pair
    • A self-signed certificate signed with the SHA256withRSA algorithm
    • A certificate valid for 365 days (regenerate and re-import it before it expires, otherwise HTTPS connections to OM start failing)
    • The certificate and private key stored in the openmetadata.keystore.jks file (restrict read access to the OM service account; anyone who can read this file can impersonate the OM server)
  2. If you ran the command from a different directory, move the openmetadata.keystore.jks file into the <OM-INSTALL-DIR>/openmetadata-1.3.0/conf directory; step 6 refers to it by the relative path ./conf/openmetadata.keystore.jks.
  3. Run the following command to export the certificate (the public part only; the private key stays in the keystore) from the generated keystore:
    keytool -exportcert -keystore <keystore-name>.keystore.jks \
      -alias <alias> -file <certificate-name>.cer

    Example:

    keytool -exportcert -keystore openmetadata.keystore.jks \
      -alias om_als -file om.cer

    Note:

    • When prompted, enter the keystore password (for example, password123).
    • The certificate is exported to the specified .cer file (for example, om.cer) in binary DER format, which the keytool -import command in step 4 accepts as-is.
  4. Import the exported certificate (om.cer) into the Java truststore (cacerts) used by both OM and EST. Because the certificate is self-signed, no JVM trusts it by default: OM itself needs it to reach its own HTTPS JWKS and callback URLs (step 7), and EST needs it to call OM.
    1. On the OM Application Server, enter the following:
       keytool -import -file "/scratch/openmetadata-ins-dir/openmetadata-1.3.0/conf/om.cer" \
         -alias om_als \
         -keystore "/scratch/openmetadata-ins-dir/jdk-17.0.2/lib/security/cacerts" \
         -storepass "changeit"
    2. On the EST Application Server, copy om.cer to that server and enter the following:
       keytool -import -file "/scratch/ofsaadb/om.cer" \
         -alias om_als \
         -keystore "/scratch/ofsaadb/jdk-17.0.11/lib/security/cacerts" \
         -storepass "changeit"

      Note:

      • You may also use the -cacerts option instead of specifying the full path to cacerts. It targets the cacerts file of the JDK whose keytool you are running, so make sure that JDK is the one that runs OM (or EST); setting JAVA_HOME to that JDK and invoking $JAVA_HOME/bin/keytool is the safest way to do this.
      • changeit is the JDK's default cacerts password. Passing -storepass on the command line records it in the shell history; omit the option to be prompted for it instead.
      • Changes to the JDK's cacerts are lost when the JDK is replaced or upgraded; repeat this step after any JDK update.

      Sample Output:

      Owner: CN=100.76.147.137, OU=OFSS, O=ORACLE, L=BLR, ST=KA, C=IN
      Issuer: CN=100.76.147.137, OU=OFSS, O=ORACLE, L=BLR, ST=KA, C=IN
      Serial number: e58456bf07531203
      Valid from: Wed Apr 09 13:59:55 GMT 2025 until: Thu Apr 09 13:59:55 GMT 2026
      Certificate fingerprints:
        SHA1: 33:13:B1:23:E3:6D:3D:5F:84:80:C8:5A:E4:43:F8:21:B3:23:DD:3B
        SHA256: 60:D7:4B:83:14:2A:A2:0B:73:F0:21:6A:48:63:B1:85:AD:D8:1A:AC:BE:C6:A6:68:07:C1:1B:B4:BA:26:93:2F
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

      Extensions:

      #1: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
        IPAddress: 100.76.147.137
      ]

      #2: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: EC 79 1A 05 2B CC BE B6 66 4C C3 D9 82 F8 C0 1C
      0010: FA 2B 99 DD
      ]
      ]

      Before answering, confirm that the SHA256 fingerprint matches the one shown by keytool -list -v for the keystore on the OM server, and that SubjectAlternativeName contains the host used in the OM URLs. Then, when prompted, enter the following:

      Trust this certificate? [no]: yes
      Certificate was added to keystore
  5. In the application.yml file, locate the applicationConnectors section and comment out the existing HTTP connector to disable unencrypted access:
    #- type: http
    #  port: ${SERVER_PORT:-8585}

    Note:

    This ensures the application no longer accepts HTTP connections on port 8585, enforcing HTTPS-only access. Leaving the HTTP connector in place alongside HTTPS would let clients, including the IDCS callback, fall back to clear text.
  6. Add the following configuration under the applicationConnectors section of the application.yml file to enable HTTPS:
    - type: https
      port: ${SERVER_PORT:-8585}
      keyStorePath: ./conf/openmetadata.keystore.jks
      keyStorePassword: password123
      keyStoreType: JKS
      certAlias: <certificate-alias>
      supportedProtocols: [TLSv1.2, TLSv1.3]
      excludedProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]

    Note:

    • Replace <certificate-alias> with the alias used during keystore generation (e.g., om_als), and keyStorePassword with the password chosen in step 1.
    • A clear-text password in application.yml is readable by anyone who can read the file. The file already uses environment variable substitution for the port (${SERVER_PORT:-8585}); the same ${VARIABLE} syntax can supply keyStorePassword from the environment of the OM service account, and the file permissions should restrict read access to that account.
    • keyStorePath is resolved relative to the directory OM is started from; if the service is launched from a different working directory, use the absolute path.
    • List only protocol versions that exist: keep TLSv1.2 and TLSv1.3. TLSv1.5 is not a valid protocol version (TLSv1.3 is the newest version Java supports), and SSLv3 and earlier are excluded above.
    • Ensure indentation is consistent to avoid YAML parsing errors; the HTTPS connector entry must be indented exactly like the HTTP connector it replaces.
  7. Update the configuration file (such as application.yml or .env, depending on your environment) to ensure all callback and public key URLs use the HTTPS protocol. The host in the OM URLs (here 100.76.147.137) must be exactly the host placed in the certificate's SAN in step 1; an IP address in the URL with only a DNS name in the SAN (or vice versa) fails hostname verification in Java clients. The second publicKeyUrls entry points OM back at itself over HTTPS, which is why step 4 imports the certificate into OM's own cacerts as well as EST's:
    callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-"https://100.76.147.137:8585/callback"}
    publicKeyUrls:
      - "https://idcs-e1cc81fab76840ff92e07aa94c413b76.identity.pint.oc9qadev.com:443/admin/v1/SigningCert/jwk"
      - "https://100.76.147.137:8585/api/v1/system/config/jwks"
  8. Update all configured requests in IDCS to use the https protocol.
  9. Modify the OM URL in the EST configuration to use https, and restart the EST services for the changes to take effect.
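The procedure above, carried out without interactive prompts, as an added example that is not part of the OM or EST documentation. It assumes keytool and openssl on PATH, the keystore and truststore passwords in the OM_KEYSTORE_PASS and OM_TRUSTSTORE_PASS environment variables, a hypothetical PEM export file name om.pem (the manual uses a DER om.cer) and a hypothetical script name om_tls.sh; the distinguished name and paths are the ones used in the examples above. It also adds a post-deployment check for steps 5 and 6 that the manual does not include.

```shell
#!/bin/sh
# Added example, not part of the OM or EST documentation: steps 1-4 without
# interactive prompts, plus a check that the listener configured in steps 5-6
# behaves as intended. Assumptions (hypothetical): keytool and openssl are on
# PATH; the keystore password is read from OM_KEYSTORE_PASS and the truststore
# password from OM_TRUSTSTORE_PASS (the JDK default for cacerts is changeit), so
# neither password appears on the command line, in shell history or in ps output.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# keytool SAN syntax: IP: for an address, DNS: for a host name. Java clients
# match the SAN against the host in the URL, so the OM URLs in step 7 must use
# the same form that goes into the certificate here.
san_for_host() {
  if is_ipv4 "$1"; then
    printf 'IP:%s\n' "$1"
  else
    printf 'DNS:%s\n' "$1"
  fi
}

# Steps 1-2: key pair and self-signed certificate written straight into conf/.
# -dname replaces the prompts of the manual; -storepass:env reads the password
# from the named environment variable.
make_keystore() {
  host=$1 conf_dir=$2 key_alias=$3
  : "${OM_KEYSTORE_PASS:?set OM_KEYSTORE_PASS to a strong keystore password}"
  keytool -genkeypair -keystore "$conf_dir/openmetadata.keystore.jks" -storetype JKS \
    -alias "$key_alias" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity "${OM_CERT_DAYS:-365}" \
    -dname "CN=$host, OU=OFSS, O=ORACLE, L=BLR, ST=KA, C=IN" \
    -ext "SAN=$(san_for_host "$host")" \
    -storepass:env OM_KEYSTORE_PASS -keypass:env OM_KEYSTORE_PASS
}

# Step 3: export the public certificate in PEM form (-rfc), which keytool
# -importcert and openssl -CAfile both accept.
export_cert() {
  keystore=$1 key_alias=$2 out=$3
  keytool -exportcert -rfc -keystore "$keystore" -alias "$key_alias" -file "$out" \
    -storepass:env OM_KEYSTORE_PASS
}

# Step 4: trust the certificate in a JVM truststore. -noprompt answers the
# "Trust this certificate?" question; run it once per JVM that talks to OM.
import_cert() {
  cert=$1 key_alias=$2 truststore=$3
  : "${OM_TRUSTSTORE_PASS:?set OM_TRUSTSTORE_PASS (cacerts default is changeit)}"
  keytool -importcert -noprompt -file "$cert" -alias "$key_alias" \
    -keystore "$truststore" -storepass:env OM_TRUSTSTORE_PASS
}

# After steps 5-6 and a restart: the listener must validate against the exported
# certificate (chain and host name) on TLS 1.2 and 1.3, and refuse TLS 1.0.
# Returns 1 on any failure so it can gate a deployment pipeline.
check_endpoint() {
  host=$1 port=$2 pem=$3
  if is_ipv4 "$host"; then
    name_check="-verify_ip $host"
  else
    name_check="-verify_hostname $host"
  fi
  for proto in -tls1_2 -tls1_3; do
    openssl s_client -connect "$host:$port" -CAfile "$pem" -verify_return_error \
      $name_check "$proto" </dev/null >/dev/null 2>&1 || return 1
  done
  if openssl s_client -connect "$host:$port" -tls1 </dev/null >/dev/null 2>&1; then
    return 1   # a TLS 1.0 handshake succeeded: supportedProtocols is not in effect
  fi
  return 0
}

# Apply the procedure only when explicitly asked, e.g.
#   OM_TLS_APPLY=1 OM_KEYSTORE_PASS=... OM_TRUSTSTORE_PASS=changeit \
#     sh om_tls.sh 100.76.147.137 /scratch/openmetadata-ins-dir/openmetadata-1.3.0/conf om_als
if [ "${OM_TLS_APPLY:-0}" = "1" ]; then
  om_host=$1 conf=$2 om_alias=$3
  make_keystore "$om_host" "$conf" "$om_alias"
  export_cert "$conf/openmetadata.keystore.jks" "$om_alias" "$conf/om.pem"
  import_cert "$conf/om.pem" "$om_alias" "${JAVA_HOME:?}/lib/security/cacerts"
  echo "Apply steps 5-7, restart OM, then run: check_endpoint $om_host 8585 $conf/om.pem"
fi
```

check_endpoint is meant to run after OM has been restarted with the HTTPS connector. It fails if the served certificate does not chain to om.pem, if the SAN does not cover the host in the URL, or if a TLS 1.0 handshake is accepted, which would mean the supportedProtocols setting of step 6 did not take effect. Import into the JDK cacerts mirrors the manual; a dedicated truststore passed to the JVM survives JDK upgrades, which cacerts edits do not.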