Implementing a Secure Binary Interface
Follow these instructions to start an OmniSci server with TLS enabled on its main binary (Thrift) port, 6274 by default.
Required PKI Components
You need the following PKI (Public Key Infrastructure) components to implement a Secure Binary Interface.
- A CRT file containing the server's X.509 certificate (PEM format). Share this file with every client that connects over an encrypted connection; clients use it to verify the server's identity. For production, have the certificate signed by a recognized certificate authority (CA) rather than self-signing it.
- A key file containing the server's private key. Keep this file secret, and restrict read access to the account that runs omnisci_server.
- A Java TrustStore containing the server's certificate. The trust store password is also required, because the server must pass it on to Calcite.
Note: Although in this case the trust store contains only public information that can be shared freely, keytool requires every keystore file to be password protected, so a password is needed anyway.
Demonstration Script to Create "Mock/Test" PKI Components
You can use the OpenSSL utilities to create the PKI components. The server certificate produced here is self-signed and is suitable only for test setups; do not use it on a production system.
- Generate a new private key.
openssl genrsa -out server.key 2048
- Use the private key to generate a certificate signing request.
openssl req -new -key server.key -out server.csr
- Self sign the certificate signing request to create a public certificate.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Use keytool (shipped with the JDK) to import the public certificate into a Java keystore file, which serves as the trust store. keytool prompts you to set a store password and to confirm that the certificate should be trusted.
keytool -importcert -file server.crt -keystore server.jks
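As an added example (not part of the OmniSci documentation or the project's own tooling), the four steps above as one non-interactive script, with two checks a practitioner wants before handing the files to omnisci_server: that the certificate and private key actually belong together, and, once the server is running, that the main port speaks TLS with that certificate. It assumes openssl and the JDK's keytool are on PATH; the hostname omnisci.example.test, the alias omnisci-server and the password are placeholders for a test setup.

```shell
#!/bin/sh
# Added example, not from the OmniSci docs: the four PKI steps run
# non-interactively, plus sanity checks. Assumes openssl is on PATH and, for
# server.jks, the JDK's keytool. Hostname, alias and password are placeholders
# for a test setup; the certificate is still self-signed, so not for production.
set -eu

# Do the certificate and the key hold the same public key? A mismatched pair
# is the usual reason the server fails to bring up TLS.
cert_matches_key() {
  crt="$1"; key="$2"
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# make_test_pki <outdir> <hostname> <truststore-password>
make_test_pki() {
  dir="$1"; host="$2"; storepass="$3"
  mkdir -p "$dir"

  # 1. Private key (2048-bit RSA, as in the original steps). Only the service
  #    account should be able to read it.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"

  # 2. Certificate signing request. -subj replaces the interactive prompts.
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"

  # 3. Self-sign the CSR (test only). The extension file adds a subjectAltName,
  #    which clients check in preference to the CN.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null

  cert_matches_key "$dir/server.crt" "$dir/server.key" || {
    echo "server.crt does not match server.key" >&2; return 1; }

  # 4. Trust store. -noprompt and -storepass replace keytool's prompts;
  #    -storetype JKS pins the format on newer JDKs, whose default is PKCS12.
  #    keytool insists on a store password of at least 6 characters.
  if command -v keytool >/dev/null 2>&1; then
    rm -f "$dir/server.jks"
    keytool -importcert -noprompt -storetype JKS -alias omnisci-server \
      -file "$dir/server.crt" -keystore "$dir/server.jks" -storepass "$storepass"
    keytool -list -keystore "$dir/server.jks" -storepass "$storepass" \
      | grep -q 'omnisci-server' || { echo "trust store import failed" >&2; return 1; }
  else
    echo "keytool not found; skipping server.jks (install a JDK to build it)" >&2
  fi
}

# After the server is up: confirm the port speaks TLS and that the certificate
# it presents verifies against server.crt. Non-zero exit means failure.
verify_server_tls() {
  host="$1"; port="$2"; cafile="$3"
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh make_test_pki.sh /home/omnisci/certs omnisci.example.test 'changeit-test'
if [ "$#" -eq 3 ]; then
  make_test_pki "$1" "$2" "$3"
fi
```

Run verify_server_tls with the hostname, the main port and the path to server.crt once omnisci_server has started; a zero exit confirms the port is encrypted and presents the expected certificate, which is the check to run before distributing server.crt to clients.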
Start the Server
Start the server with the following options:
- --ssl-cert <path to the server's public certificate>
- --ssl-private-key <path to the server's private key>
- --ssl-trust-store <path to Java TrustStore>
- --ssl-trust-password <Java TrustStore password>
Example
sudo start omnisci_server --port 6274 --data /data --ssl-cert /home/omnisci/certs/server.crt --ssl-private-key /home/omnisci/certs/server.key --ssl-trust-store /home/omnisci/certs/server.jks --ssl-trust-password XXXXXX
Configuring omnisci.conf for Encrypted Connection
Alternatively, add the following parameters to omnisci.conf to establish a Secure Binary Interface. They configure the same encryption as the runtime example above, with the advantage that the trust store password does not appear in process listings or shell history; restrict read access to omnisci.conf to the account that runs omnisci_server.
port = 6274
data = "/var/lib/omnisci/data"
ssl-cert = "/home/omnisci/certs/server.crt"
ssl-private-key = "/home/omnisci/certs/server.key"
ssl-trust-store = "/home/omnisci/certs/server.jks"
ssl-trust-password = "XXXXXX"
Why Use Both server.crt and a Java TrustStore?
The server.crt file and the Java TrustStore hold the same public certificate in two formats: PEM for the OmniSci server and the clients of its various interfaces, and a Java keystore for the Calcite server, which is a Java process. Both are required. At startup, the OmniSci server passes the trust store path and password to Calcite, which uses the certificate to authenticate the OmniSci server and to encrypt the traffic between the two processes. Whenever you replace server.crt, import the new certificate into the trust store as well, or Calcite will no longer trust the server it talks to.