This topic helps you to set up Greenplum Command Center to authenticate users with digital certificates and to encrypt connections between users’ web browsers and the Command Center web server.

Greenplum Command Center is a browser-based application that, by default, uses basic authentication to allow connections. When the user browses to the Greenplum Command Center web server, the server prompts for a user name and password. The user enters their Greenplum Database role name and password, and the server uses them to log in to the gpperfmon database. The password is md5-encoded, but the data transferred over the network is otherwise unencrypted.

To encrypt data over the connection requires a secure, two-way authenticated connection between the user’s browser and the Greenplum Command Center web server. The Command Center web server and users’ browsers are configured with X.509 certificates. The client uses the server’s certificate to verify they have connected to the correct server and the server uses the client’s certificate to verify the user’s identity and to look up the user’s Greenplum Database role name. Once the certificates are installed in the server and users’ browsers, connections are established automatically when users browse to the Command Center URL.

Certificate-based authentication requires that both the server and client certificates are digitally signed by a trusted Certificate Authority (CA). Any web server accessible on the Internet should have a certificate signed by a well-known commercial CA, such as Symantec, to prevent man-in-the-middle attacks and other malicious attacks.

If your users and servers are confined to an intranet, you can set up a public key infrastructure (PKI) that allows you to act as the CA for your organization, or even for just the Greenplum Command Center. You create a public/private key pair for your CA, use it to generate a certificate signing request (CSR), and then sign that CSR with the CA’s own private key, resulting in a self-signed CA certificate. This certificate can then be used to sign CSRs for the Command Center web server and for GPCC users. The CA certificate (its public key) must be installed into users’ web browsers, along with their own signed user certificates.

A user’s certificate contains an attribute, Common Name (CN), which Command Center uses to look up the user’s Greenplum Database role. The CN attribute is mapped to the database role in the user_cert_mapping table in the gpperfmon database. When the user connects to the Command Center web server, the Command Center web application logs in to the gpperfmon database with the gpmon role and looks up the CN in the user_cert_mapping table to find the user’s Greenplum Database role.

Note:
When SSL is enabled for a Greenplum Command Center installation, all web browsers connecting to Greenplum Command Center must be configured with a client SSL certificate. In a multi-cluster configuration, all hosts must have the same SSL configuration. SSL must be enabled or disabled for all hosts. For information about multi-cluster configuration, see Enabling Multi-Cluster Support.

These tasks enable certificate-based authentication and encryption of Command Center sessions: setting up an OpenSSL PKI, configuring the Command Center web server (lighttpd), creating a client SSL certificate for each user, configuring the GPCC database (gpperfmon), and configuring each user’s web browser.

This process sets up a simple PKI using OpenSSL. The openssl command-line utility is included with GPCC and is added to your path when you source the gpcc_path.env file. See the OpenSSL documentation for information about OpenSSL and the commands that are used.

Setting Up an OpenSSL PKI

The instructions in this section set up an OpenSSL public key infrastructure (PKI) that enables you to generate and sign Greenplum Command Center user certificates.

  1. Log in to the server where you installed Greenplum Command Center and source the Greenplum environment files.

  2. Change to the $GPPERFMONHOME/etc directory, where the openssl.cnf is located.

  3. (Optional) The openssl.cnf file contains default settings for a Certificate Authority named demoCA. You can edit the file, or a copy of the file, and change the settings to suit your own organization. Refer to the OpenSSL documentation for help. Note that the [Default_CA] section defines directory and file names that are used in the following steps. If you change them, be sure to use the new values in the following commands.

  4. Create a directory named demoCA at the location where the openssl.cnf file is located.

  5. Create the PKI directory structure in the demoCA directory.

  6. Create serial, crlnumber and index.txt files in the demoCA directory.

  7. Generate a private RSA key for the CA. This command generates a 2048-bit RSA private key for the CA:

  8. Use the generated private key to create a self-signed CA certificate. You are prompted to enter the information about the CA you are establishing:

    • Country Name: The two-letter code for the country, with no punctuation.
    • State or Province: Spell out the state name completely.
    • Locality or City: The city or town name.
    • Company: The name of the company. If the company or department has an &, @, or any other symbol using the shift key in its name, spell out the symbol or omit it.
    • Organizational Unit: (Optional) Can be used to help identify certificates registered to an organization.
    • Common Name: The name of this CA.
    • Email Address: (Optional) The email address of the owner of this certificate.

    The following example creates a new self-signed X.509 certificate that is valid for ten years for the keypair in the certAut.key file. This key will be used to sign certificates generated for the web server and client Command Center users.

  9. Move the CA key and certificate files into place in the demoCA directory. The names and locations of the files are specified in the openssl.cnf file.
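The nine steps above as one runnable script. This is an added example, not the commands from the GPCC documentation: it assumes openssl is on your path, uses the demoCA directory names that the default openssl.cnf expects, and fills the CA subject with constructed placeholder values. The second function is the check a practitioner wants before trusting the new CA: the certificate verifies against itself and actually belongs to the private key that was moved into place.

```shell
#!/bin/sh
# Added example (not the GPCC documentation's own commands). Assumes openssl is on
# PATH and uses the demoCA layout that openssl.cnf's default CA section expects.
# The CA subject fields are constructed placeholders.
set -eu

# setup_demo_ca BASE_DIR: create BASE_DIR/demoCA with a self-signed CA valid ten years
setup_demo_ca() {
    base="$1"
    ca="$base/demoCA"
    # Directory structure referenced by openssl.cnf: certs, crl, newcerts, private
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"        # the CA private key lives here; nobody else needs it
    # Bookkeeping files that the openssl ca command requires
    [ -f "$ca/serial" ]    || echo 01 > "$ca/serial"
    [ -f "$ca/crlnumber" ] || echo 01 > "$ca/crlnumber"
    touch "$ca/index.txt"
    # Step 7: 2048-bit RSA private key for the CA
    openssl genrsa -out "$base/certAut.key" 2048 2>/dev/null
    # Step 8: self-signed X.509 certificate for that key, valid 3650 days (ten years)
    openssl req -new -x509 -key "$base/certAut.key" -out "$base/certAut.crt" -days 3650 \
        -subj "/C=US/ST=California/L=Palo Alto/O=Example Corp/OU=GPCC/CN=GPCC Demo CA"
    # Step 9: move key and certificate to the names openssl.cnf expects
    mv "$base/certAut.key" "$ca/private/cakey.pem"
    mv "$base/certAut.crt" "$ca/cacert.pem"
    chmod 600 "$ca/private/cakey.pem"
}

# ca_cert_ok CA_DIR: succeed if cacert.pem verifies against itself and the key in
# private/cakey.pem is the one the certificate was issued for (same RSA modulus)
ca_cert_ok() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -in "$1/cacert.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$1/private/cakey.pem" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# Usage: setup_demo_ca "$GPPERFMONHOME/etc" && ca_cert_ok "$GPPERFMONHOME/etc/demoCA"
```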

Configuring the Command Center Web Server (lighttpd)

  1. Generate a private key for the Command Center web server.

  2. Create a CSR for the web server’s private key. You are prompted to enter information about the server where the certificate will be installed. Set the Common Name to the name of the host where the Command Center web server is running.

    • Country Name: The two-letter code for the country, with no punctuation.
    • State or Province: Spell out the state name completely.
    • Locality or City: The city or town name.
    • Company: The name of the company. If the company or department has an &, @, or any other symbol using the shift key in its name, spell out the symbol or omit it.
    • Organizational Unit: (Optional) Can be used to help identify certificates registered to an organization.
    • Common Name: The exact name of the web server.
    • Email Address: (Optional) The email address of the owner of this certificate.

  3. Sign the web server’s CSR using your CA certificate and key:

  4. Create a PEM file containing the web server’s private key and certificate. The lighttpd web server requires this file.

  5. Edit the lighttpd configuration file lighttpd.conf for the instance configured for Greenplum Command Center. The configuration file is located in $GPPERFMONHOME/instances/instance/conf, where instance is the value you specified when you created the instance.

    Add the following parameters to enable SSL-based client authentication:

Note:
For the ssl.ca-file and ssl.pemfile parameters, you must specify the fully qualified paths to the cacert.pem and wscert.pem files, respectively.
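An illustrative lighttpd fragment for the client-authentication parameters described above, added here as an example and not taken from the GPCC documentation: the directive names are lighttpd’s own mod_openssl settings, and the paths are placeholders for the fully qualified locations of the files created in the previous steps.

```conf
# Illustrative fragment, not the GPCC documentation's own lighttpd.conf excerpt.
# The directive names are lighttpd's; the paths are placeholders for the fully
# qualified locations of the files created in the previous steps.
ssl.engine                = "enable"
ssl.pemfile               = "/absolute/path/to/wscert.pem"          # server key + certificate
ssl.ca-file               = "/absolute/path/to/demoCA/cacert.pem"   # CA that signed the client certificates
ssl.verifyclient.activate = "enable"   # request a client certificate during the TLS handshake
ssl.verifyclient.enforce  = "enable"   # "disable" would let browsers connect with no certificate at all
ssl.verifyclient.depth    = 1          # the client certificate must be issued directly by that CA
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"   # hand the certificate's CN to the application
```

With ssl.verifyclient.activate enabled but enforce disabled, lighttpd still serves connections that present no certificate, so both must be enabled for the role lookup to be the only way in.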

Enter gpcmdr --restart instance_name to restart the lighttpd web server after updating the configuration file.

Creating a Client SSL Certificate

Follow these steps for each GPCC user to create a signed certificate to install in the user’s web browser.

  1. Open a command line terminal and source the Greenplum environment files.

  2. Change to the $GPPERFMONHOME/etc directory.

  3. Generate a client private key by executing the following command. Replace client in this and following commands with a string such as the user’s login name or database role name.

  4. Generate a certificate signing request for the user’s private key. The value you enter for the Common Name field must be unique for each user; it is used to map the user to their Greenplum Database role.

  5. Sign the client certificate with the CA certificate:

    Note: The value for the -days option must be less than or equal to the value specified for the CA certificate.

  6. Create a .pem file containing the client’s private key and certificate.

  7. Convert the signed client certificate to PKCS#12 format. The PKCS #12 format is an archive file format for storing many cryptographic objects as a single file. It is commonly used to bundle a private key with its X.509 certificate.

    Important: The export password is required when the client certificate is imported into a client web browser. See Configuring a Web Browser.

  8. Send the client.pem file and the client.p12 file to the GPCC user. Securely communicate the export password for the .p12 file to the user.

Configuring the GPCC Database (gpperfmon)

When the GPCC web server is configured to use SSL-based client authentication, the GPCC web server queries the user_cert_mapping table in the gpperfmon database as part of the authentication process. The user_cert_mapping table maps the client certificate user ID (the common name in the client certificate) to the gpperfmon user role.

You must create the user_cert_mapping table and populate it with the proper user information.

  1. Create the user_cert_mapping table in the gpperfmon database.

  2. For each Greenplum Command Center user who accesses the gpperfmon database, a row must exist in the user_cert_mapping table. The mapping column contains the common name that you specified when creating the client certificate. The corresponding username column contains the gpperfmon user role.

    The format of the common name in the mapping column is 'common_name, common_name': the common name is listed twice, separated by a comma and a space. For this example, the common name is gpcc_user1, and the gpperfmon user role is perfmon_user1:
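The web server certificate, the client certificate and the user_cert_mapping row are produced by the same mechanism, so the three procedures above are shown together in one added script (example code, not the GPCC documentation's own commands). It assumes openssl on your path and a CA laid out as in Setting Up an OpenSSL PKI (CA_DIR/cacert.pem and CA_DIR/private/cakey.pem); all subject fields other than the Common Name are constructed placeholders. Beyond the page's steps it enforces the -days rule against the CA's actual expiry, verifies the issued certificate the way lighttpd will, and derives the mapping row from the certificate's CN so the two cannot disagree.

```shell
#!/bin/sh
# Added example (not the GPCC documentation's own commands). Assumes openssl on PATH
# and a CA laid out as in the previous section: CA_DIR/cacert.pem and
# CA_DIR/private/cakey.pem. Subject fields other than the CN are constructed placeholders.
set -eu

# issue_cert CA_DIR NAME CN DAYS: private key, CSR, CA-signed certificate and the combined
# NAME.pem that lighttpd (ssl.pemfile) and Keychain Access consume. NAME is e.g. "wscert"
# for the web server or the user's login name; CN is the server's host name or the
# unique per-user common name that user_cert_mapping keys on.
issue_cert() {
    ca="$1"; name="$2"; cn="$3"; days="$4"
    # The doc's rule: -days must not exceed the CA's lifetime. -checkend succeeds only if
    # the CA certificate is still valid DAYS days from now, so a longer request is refused.
    openssl x509 -in "$ca/cacert.pem" -noout -checkend $(( days * 86400 )) >/dev/null ||
        { echo "issue_cert: $days days exceeds the CA certificate's remaining lifetime" >&2; return 1; }
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -out "$name.csr" \
        -subj "/C=US/ST=California/L=Palo Alto/O=Example Corp/CN=$cn"
    # Sign the CSR with the CA key; -CAcreateserial keeps a serial file next to cacert.pem
    openssl x509 -req -in "$name.csr" -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" \
        -CAcreateserial -days "$days" -out "$name.crt" 2>/dev/null
    cat "$name.key" "$name.crt" > "$name.pem"
    chmod 600 "$name.key" "$name.pem"
}

# verify_chain CA_DIR CERT: the check lighttpd performs at connect time with ssl.ca-file
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }

# cert_cn CERT: the Common Name GPCC looks up in user_cert_mapping
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'; }

# client_p12 NAME PASSWORD: PKCS#12 bundle of key + certificate for browser import.
# -passout also accepts file:PATH or env:VAR, which keep the password out of ps output.
client_p12() { openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$1.p12" -passout "pass:$2"; }

# mapping_row_sql CERT ROLE: the user_cert_mapping row in the doc's 'cn, cn' format, taken
# from the issued certificate itself so the CN and the mapping can never drift apart
mapping_row_sql() {
    cn=$(cert_cn "$1")
    printf "INSERT INTO user_cert_mapping (mapping, username) VALUES ('%s, %s', '%s');\n" "$cn" "$cn" "$2"
}

# Usage: issue_cert demoCA wscert mdw 365; issue_cert demoCA gpcc_user1 gpcc_user1 365
#        client_p12 gpcc_user1 "$EXPORT_PASSWORD"; mapping_row_sql gpcc_user1.crt perfmon_user1
```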

Configuring a Web Browser

When Greenplum Command Center is configured to use SSL, web browsers connecting to Greenplum Command Center must have a client certificate and the CA certificate. You import the created client certificate and CA certificate into your browser so that it can present the client certificate to Greenplum Command Center when connecting to a Greenplum database from Greenplum Command Center.

Follow these steps to import the certificates into Firefox and Chrome browsers, or into the Mac OS X Keychain Access utility.

Mozilla Firefox

  1. From the menu, select Preferences.
  2. Click Advanced and then click the Certificates tab.
  3. Click View Certificates.
  4. In the Certificate Manager dialog, open the Authorities tab, and click Import. Select your CA certificate (for example, cacrt.crt).

    • In the Downloading Certificate dialog, check Trust this CA to identify websites.
  5. In the Your Certificates tab, click Import and select your client certificate (for example client.p12).

    The import process prompts for a password for the client certificate. Enter the export password that you entered when you converted the client certificate to PKCS#12. See Creating a Client SSL Certificate.

  6. Click OK to apply the configuration changes.

Google Chrome

  1. From the customization menu, select Settings and then select Show Advanced Settings.
  2. In the section HTTPS/SSL, click Manage certificates….
  3. In the Manage Certificates dialog, open the Trusted Root Certification Authorities tab. Click Import and select your CA certificate (for example, certAut.crt).
  4. Open the Personal tab. Click Import and select the client certificate (for example, client.p12).

    The import process prompts for the client certificate’s password. Enter the export password that you entered when you converted the client certificate to PKCS#12. See Creating a Client SSL Certificate.

  5. Click Ok to apply configuration changes.

  6. Browse to the Greenplum Command Center URL, for example https://mdw:28080. A User Identification Request window will appear. Choose the client certificate you imported and click OK.

Mac OS X

Mac OS X has a built-in certificate manager, Keychain Access. Google Chrome, Safari, and Mozilla Firefox use Keychain Access for certificate management. You will be asked to authenticate as an admin user on your Mac several times while following these steps.

To begin, the user needs the cacert.pem CA certificate and the .pem file containing the user’s private key and certificate.

  1. Open Keychain Access (Applications > Utilities > Keychain Access).
  2. Choose File > Import, select the .pem file for the CA you set up (cacert.pem), and click Open.
  3. On the dialog window that displays, click Always Trust.
  4. Choose File > Import, select the .pem file for the GPCC user you set up (client.pem), and click Open.
  5. In a web browser, browse to the GPCC Command Center (https://gpcc_host:28080).
  6. Choose the GPCC client certificate in the Select a certificate dialog and click OK.

Note: This product has been discontinued. Technical Guidance ends July 15th 2018.

Pivotal provides the following system administration tools free for your use to support Application Fabric products.

Chef Cookbooks

Chef is a systems management tool used to streamline the task of configuring and deploying a company’s servers and applications in a physical, virtual, or cloud location. Cookbooks define scenarios such as application installation and configuration, and contain the components required to support that scenario.

The cookbooks are available in a public GitHub repository located at https://github.com/pivotal/app-manage/tree/master/chef-repo. See the provided README for any usage notes.

Homebrew Formulas

Homebrew is the “missing package manager” for Mac OS X. Pivotal provides Homebrew formulas for developers who want to install and play with our commercial software on their development machines; they are not intended for commercial use.

The formulas are available in a public GitHub repository located at https://github.com/pivotal/homebrew-tap. See the provided README for any usage notes.

New Relic Plugins

New Relic provides real-time monitoring of Web applications on-premises or in the cloud.

The plugins provided by Pivotal gather metric data and display them in your New Relic dashboard.

The plugins are available in a public GitHub repository located at https://github.com/gopivotal/newrelic_pivotal_agent. See the provided README for any usage notes.

Puppet Modules

Puppet automates repetitive tasks and gives system administrators a flexible framework to build on. Puppet consists of a configuration language to write modules, daemons to run the Puppet instructions on managed systems to deploy and configure applications, and a dashboard to help visualize your systems and create reports.

Pivotal provides Puppet modules to simplify the installation of Pivotal products. You can use the modules individually or in groups.

The Puppet modules are available in a public GitHub repository located at https://github.com/pivotal/app-manage/tree/master/puppet. See the provided README for any usage notes.