Generate SSL Keystore using OpenSSL
1. Open a terminal or command prompt and change to your working directory.
2. Run the keytool command to generate a self-signed certificate. You may also obtain a signed certificate from a certificate authority if you wish. Ensure that the certificate uses a hash algorithm supported by your IdP (most likely SHA1 or SHA256).
$ keytool -genkey -alias tomcat -keystore tomcat.keystore.jks -storepass changeit -keyalg RSA -keypass changeit
- (a). When prompted, fill out any information relevant to your organization
- (b). Use a password other than “changeit” for the -storepass and -keypass arguments
- (c). The keystore password (-storepass) and key password (-keypass) do not need to be the same
3. Configure the SSL certificate in Tomcat
Use a text editor to open the Pentaho Tomcat /tomcat/conf/server.xml file.
Locate the connector you want the new Keystore to secure i.e.
Configure SSL Certificate to Pentaho Server
1. Change to the home directory of the user account that starts the Pentaho Server and User Console processes or services. If you installed Pentaho with the default settings, this directory will be $PENTAHO_HOME/
2. Execute the following command, changing the storepass (password in the example) and keypass (password in the example) accordingly:
$ keytool -export -alias tomcat -file tomcat.cer -storepass changeit -keypass changeit -keystore $PENTAHO_HOME/tomcat.keystore.jks
3. Change to the $PENTAHO_JAVA_HOME/jre/lib/security/ directory:
$ cd $PENTAHO_JAVA_HOME/jre/lib/security/
4. Execute the following command, changing the alias (servercert in the example), the file path to the certificate (the current user’s home directory in the example), and the storepass (password in the example) accordingly:
$ keytool -import -alias tomcat -file $PENTAHO_HOME/tomcat.cer -keystore cacerts -storepass changeit
5. Execute the following command and make note of the MD5 sum for the Tomcat entry:
$ keytool -list -keystore cacerts
6. Change back to the home directory of the user account that starts the Pentaho Server and User Console, and run this command:
$ keytool -list -keystore tomcat.keystore.jks
7. Restart the server and then try to connect with SSL URL i.e.
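The comparison in steps 5 and 6 can be scripted instead of done by eye. The following is an added example, not part of the original procedure: it parses keytool -list output and checks that the tomcat alias carries the same fingerprint, under the same algorithm, in both keystores. It assumes English-language keytool output; the script name check.sh, the function names and the sample listings are constructed for illustration.

```shell
# Added example: confirm that alias "tomcat" is the same certificate in two keystores.

# Read keytool -list output on stdin and print "ALGORITHM FINGERPRINT" for alias $1.
# Each entry is a line "alias, date, entry type," followed by a line
# "Certificate fingerprint (ALG): AA:BB:...". Returns non-zero if the alias is absent.
fingerprint_for_alias() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^Certificate fingerprint \(/ {
            if (current != want) next
            alg = $0; sub(/^[^(]*\(/, "", alg); sub(/\).*$/, "", alg)
            fp = $0; sub(/^.*\): */, "", fp); sub(/[ \t\r]+$/, "", fp)
            print alg, toupper(fp); found = 1; exit
        }
        /,/ { current = tolower($0); sub(/,.*$/, "", current) }  # exact alias, not a prefix
        END { if (!found) exit 1 }
    '
}

# Succeed only if both listings hold the alias with the same algorithm and fingerprint.
# $1 = alias, $2 = listing of the server keystore, $3 = listing of cacerts.
same_certificate() {
    fp_a=$(printf '%s\n' "$2" | fingerprint_for_alias "$1") || return 2
    fp_b=$(printf '%s\n' "$3" | fingerprint_for_alias "$1") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Constructed sample listings (made-up fingerprints) in the layout keytool prints.
SAMPLE_KEYSTORE='Keystore type: PKCS12
Your keystore contains 1 entry
tomcat, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:AA:BB'
SAMPLE_CACERTS='Keystore type: JKS
Your keystore contains 2 entries
othercert, Jan 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 99:88:77:66
tomcat, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:AA:BB'

# Real use (hypothetical script name): sh check.sh --check tomcat.keystore.jks cacerts
# No -storepass is passed, so keytool asks for each password instead of taking it from argv.
if [ "${1:-}" = "--check" ]; then
    server=$(keytool -list -keystore "$2") || exit 2
    trust=$(keytool -list -keystore "$3") || exit 2
    same_certificate tomcat "$server" "$trust" || { echo "MISMATCH for alias tomcat" >&2; exit 1; }
    echo "OK: alias tomcat has the same fingerprint in both keystores"
fi
```

Because the algorithm name is part of the compared string, an MD5 fingerprint from one listing never matches a SHA-256 fingerprint from the other.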