Managing Certificates
The material in this document is for informational purposes only. The products it describes are subject to change without prior notice, due to the manufacturer’s continuous development program. Rampiva makes no representations or warranties with respect to this document or with respect to the products described herein. Rampiva shall not be liable for any damages, losses, costs or expenses, direct, indirect or incidental, consequential or special, arising out of, or related to the use of this material or the products described herein.
Introduction
When deploying Nuix Rampiva, it’s typical to configure the communication between the various Nuix Rampiva components, as well as with third-party services, over an encrypted HTTPS communication channel.
For each HTTPS connection, for example from Scheduler to the Engine Server, certificates need to be configured at both ends of the connection:
- On the connection server, i.e. the component receiving the connection (in this example Rampiva Engine Server), a certificate including the private key must be deployed. This can be a certificate issued by a public Certificate Authority (CA), an internally-issued certificate, or a self-signed certificate;
- On the connection client, i.e. the component initiating the connection (in this example Rampiva Scheduler), the certificate must be trusted, unless it’s a certificate issued by a public CA.
This article describes what the typical components involved in HTTPS communications are, and how certificates can be configured on a Microsoft Windows deployment of Nuix Rampiva.
HTTPS Connections List
| Connection Server | Connection Client |
|---|---|
| 1. Scheduler | 4. Browser / Third-Party System |
| 2. Engine Server | 5. Scheduler |
| 3. Various Third-Party Systems | 5. Scheduler |
| 3. Various Third-Party Systems | 6. Engine |
| 1. Scheduler | 7. Engine |
Configuring Certificates on a Connection Server
1. Scheduler
After a default installation, Scheduler generates a self-signed certificate. This certificate is located in the JKS store at `C:\ProgramData\Rampiva\Automate\Scheduler\config\keystore.jks`.
1.1 Replace the Self-Signed Certificate With a Certificate From a PFX File
1. Install KeyStore Explorer.
2. In KeyStore Explorer, open the file `C:\ProgramData\Rampiva\Automate\Scheduler\config\keystore.jks`.
3. Use the default password `defaultPassword1234`.
4. Delete the existing certificate `rampiva-scheduler`.
5. Import the Key Pair in PKCS #12 format.
6. Set the Key Pair entry password to `defaultPassword1234`.
7. Save the changes.
8. Restart the Rampiva Scheduler Windows service.
1.2 Replace the JKS Store With a PFX File
1. In an administrative text editor, edit the file `C:\ProgramData\Rampiva\Automate\Scheduler\config\config.yml`.
2. Under the `server` → `applicationConnectors` section, replace:

   ```yaml
   keyStorePath: C:/ProgramData/Rampiva/Automate/Scheduler/config/keystore.jks
   keyStorePassword: defaultPassword1234
   ```

   with:

   ```yaml
   keyStorePath: C:/ProgramData/Rampiva/Automate/Scheduler/config/sample.pfx
   keyStorePassword: samplePasswordGoesHere
   keyStoreType: PKCS12
   ```

   where `sample.pfx` is the PFX file and `samplePasswordGoesHere` is the password of the PFX file.
3. Restart the Rampiva Scheduler service.
1.3 Configure an HTTPS Certificate from the CA Let’s Encrypt
See related KB article https://rampiva.atlassian.net/wiki/spaces/KB/pages/1264254977/Automate+-+Configure+an+HTTPS+Certificate+with+Let+s+Encrypt+with+Automatic+Renewal
2. Engine Server
Similar to Scheduler, after a default installation the Engine Server generates a self-signed certificate. This certificate is located in the JKS store at `C:\ProgramData\Rampiva\Automate\EngineServer\config\keystore.jks`.
To change the default certificate or the certificate store, follow the same steps described in section 1. Scheduler, pointing instead to the keystore and config file paths in the EngineServer folder.
3. Various Third-Party Systems
The configuration of server certificates on third-party systems is outside the scope of this article.
Trusting Certificates on a Connection Client
4. Browser / Third-Party Systems
If the certificate used on Scheduler is issued by a public CA, then no steps need to be performed on the browser or third-party systems. Otherwise, the certificate must be trusted either in the browser / third-party system, or at the operating system level. This configuration is outside the scope of this article.
5. Scheduler
If the certificate from the third-party system or the Engine Server is issued by a public CA, then no steps need to be performed on Scheduler to trust the certificate. Otherwise, certificates can be trusted in Scheduler either by specifying the certificate fingerprint, or by loading the certificate into the Java store used by Scheduler.
5.1 Trust a Certificate With Fingerprint
1. Obtain the SHA-256 fingerprint of the certificate by performing one of the following steps on a secured network:
   - Attempt to configure the Engine Server or the third-party system in Scheduler and take note of the SHA-256 fingerprint in the error message.
   - Browse to the Engine Server page or the third-party service using Chrome and inspect the certificate details: General → SHA-256 Fingerprints → Certificate.
2. Configure the Engine Server or the third-party system in Scheduler and enter the SHA-256 fingerprint in the Whitelisted Certificate Fingerprints field.
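The fingerprint trust in section 5.1 works by comparing the SHA-256 hash of the certificate's DER bytes against a whitelisted value. The following Python example is added here and is not Rampiva code: it shows how that fingerprint is derived from a PEM chain file exported as described in section 5.2, and how to compare it against a whitelist whether the value was copied from Chrome (space-separated) or from `keytool` (colon-separated). The PEM bodies are constructed placeholder bytes (base64 of `abc` and `hello`), not real certificates; the assumption that the whitelisted fingerprint is the server's own (leaf) certificate and the colon-separated canonical form are this example's choices, since the article does not state the exact format the Whitelisted Certificate Fingerprints field accepts.

```python
"""Derive and compare SHA-256 certificate fingerprints (added example; not Rampiva code)."""
import base64
import hashlib
import hmac
import re
from typing import List

# Constructed PEM "chain". The bodies are the base64 of b"abc" and b"hello",
# NOT real certificates: a fingerprint is just SHA-256 over the DER bytes, so
# the mechanics are identical for a real chain exported from Chrome.
CONSTRUCTED_CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def pem_chain_to_der_list(pem_text: str) -> List[bytes]:
    """Split a PEM chain file into DER blobs in file order (leaf first)."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Upper-case, colon-separated SHA-256 fingerprint (the keytool style)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Canonicalise a fingerprint copied from Chrome ("AB CD ..."), keytool
    ("AB:CD:...") or a bare hex string, in any case, to the colon form.

    Rejects anything that is not exactly 32 bytes of hex, which catches a
    SHA-1 value pasted by mistake or a truncated copy.
    """
    hexdigits = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexdigits):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def leaf_matches_whitelist(pem_text: str, whitelist: List[str]) -> bool:
    """True if the leaf certificate's fingerprint is in the whitelist.

    Assumption for this example: the pinned value is the server's own (leaf)
    certificate, the first block of a chain export; an intermediate or root
    fingerprint does not match.
    """
    ders = pem_chain_to_der_list(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found in PEM text")
    actual = sha256_fingerprint(ders[0])
    # A fingerprint is a trust anchor: compare with compare_digest, not an
    # early-exit ==.
    return any(hmac.compare_digest(actual, normalize_fingerprint(entry))
               for entry in whitelist)


if __name__ == "__main__":
    for index, der in enumerate(pem_chain_to_der_list(CONSTRUCTED_CHAIN_PEM)):
        print(f"certificate {index}: {sha256_fingerprint(der)}")
    chrome_copy = ("BA 78 16 BF 8F 01 CF EA 41 41 40 DE 5D AE 22 23 "
                   "B0 03 61 A3 96 17 7A 9C B4 10 FF 61 F2 00 15 AD")
    print("leaf whitelisted:",
          leaf_matches_whitelist(CONSTRUCTED_CHAIN_PEM, [chrome_copy]))
```

Because the whitelist pins the exact certificate rather than its issuer, the value has to be updated whenever the Engine Server or third-party certificate is renewed; the error message described in step 1 is the usual way that expiry surfaces.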
5.2 Trust a Certificate By Importing It Into the Java Store
1. Export the certificate of the Engine Server or the third-party service:
   - Browse to the Engine Server page or the third-party service using Chrome.
   - Inspect the certificate details: Details → Export…
   - Save the certificate in Base64-encoded ASCII, certificate chain (.pem) format, for example under `C:\Temp\service1.cer`.
2. Determine the path to the Java installation used by Scheduler, using one of the following methods:
   - By default, Scheduler versions 7.0 to 8.1 use the Java installation at `C:\Program Files\Rampiva\Automate\java\jre11`.
   - By default, Scheduler versions 8.2 and later use the Java installation at `C:\Program Files\Rampiva\Automate\java\jre17`.
   - Inspect the Scheduler log file, by default at `C:\Temp\logs\rampiva-scheduler.log`, and search for `JVM Path`.
3. Open an administrative Command Prompt.
4. Navigate to the Java installation, for example: `cd C:\Program Files\Rampiva\Automate\java\jre17`
5. Import the certificate using the following `keytool` command:
   where `service1` is the name of the service and `C:\Temp\service1.cer` is the path to the certificate saved in the previous steps.
6. When prompted to trust the certificate, type `yes`.
7. Restart the Scheduler service.
6. Engine (to Third-Party Service)
If the certificate from the third-party system is issued by a public CA, then no steps need to be performed on the Engine to trust the certificate. Otherwise, certificates can be trusted in the Engine either by specifying the certificate fingerprint, or by loading the certificate into the Java store used by Scheduler.
6.1 Trust a Certificate With Fingerprint
Follow the steps in section 5.1 to configure the third-party system with a certificate fingerprint in Scheduler. Then, the certificate fingerprint will automatically be used in the Engine for supported services.
This configuration is not possible in certain cases (for example for Nuix NLP), and for these systems the certificate must be imported in the Java store.
6.2 Trust a Certificate By Importing It Into the Java Store
1. Export the certificate of the third-party service:
   - Browse to the Engine Server page or the third-party service using Chrome.
   - Inspect the certificate details: Details → Export…
   - Save the certificate in Base64-encoded ASCII, certificate chain (.pem) format, for example `C:\Temp\service1.cer`.
2. Determine the path to the Java installation used by the Engine, using one of the following methods:
   - In Scheduler Settings → Execution Profiles, open the relevant profile and inspect the field Java Installation Folder.
   - Inspect the Engine log file, by default at `C:\Temp\logs\rampiva-engine.aaaaa-job.55555.log`, and search for `JVM Path`.
3. Open an administrative Command Prompt.
4. Navigate to the Java installation, for example:
5. Import the certificate using the following `keytool` command:
   where `service1` is the name of the service and `C:\Temp\service1.cer` is the path to the certificate saved in the previous steps.
6. When prompted to trust the certificate, type `yes`.
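Sections 5.2 and 6.2 both locate the running JVM from a `JVM Path` log line and then import the exported certificate into that JVM's trust store with `keytool`. The article's own `keytool` command is not reproduced on this page, so the following Python example is added here (it is not Rampiva code) to show how to pick the JVM path out of a log and assemble the standard `keytool -importcert` invocation against that JRE's `lib\security\cacerts` truststore, together with the `-list` command that confirms the alias after the import. The log line layout in `CONSTRUCTED_LOG`, the choice of `cacerts` as the Java store, and its stock password `changeit` are this example's assumptions. The commands are returned as argument vectors rather than executed, and `-noprompt` is deliberately left out, so the trust prompt the article describes is still answered by the operator.

```python
"""Locate the JVM used by Scheduler or the Engine and build the keytool import
command (added example; not Rampiva code)."""
import re
import subprocess
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed log excerpt. The article only says the log contains "JVM Path";
# the line layout below is an assumption made for this example. Two service
# starts are included to show that the most recent path is the one to use.
CONSTRUCTED_LOG = (
    "2024-01-01 10:00:00 INFO  Starting Rampiva Scheduler\n"
    "2024-01-01 10:00:00 INFO  JVM Path: C:\\Program Files\\Rampiva\\Automate\\java\\jre11\n"
    "2024-01-01 10:05:00 INFO  Starting Rampiva Scheduler\n"
    "2024-01-01 10:05:00 INFO  JVM Path: C:\\Program Files\\Rampiva\\Automate\\java\\jre17\n"
)

_JVM_PATH = re.compile(r"JVM Path\s*[:=]\s*(.+?)\s*$", re.MULTILINE)
# Stock password of the cacerts truststore shipped with the JRE (assumption:
# it has not been changed on this installation).
CACERTS_PASSWORD = "changeit"


def find_jvm_path(log_text: str) -> Optional[str]:
    """Return the JVM path from the most recent 'JVM Path' line, or None.

    A log spanning several service starts (e.g. after a Java upgrade) can list
    more than one path; the last one is the JVM actually running, and its
    truststore is the one that has to receive the certificate.
    """
    matches = _JVM_PATH.findall(log_text)
    return matches[-1] if matches else None


def truststore_path(java_home: str) -> str:
    """Default JRE truststore (lib\\security\\cacerts) under the given Java home."""
    return str(PureWindowsPath(java_home) / "lib" / "security" / "cacerts")


def _keytool(java_home: str) -> str:
    return str(PureWindowsPath(java_home) / "bin" / "keytool.exe")


def keytool_import_argv(java_home: str, alias: str, cert_file: str) -> List[str]:
    """Argument vector for importing a trusted certificate into that JRE's cacerts.

    -noprompt is intentionally omitted: keytool prints the certificate details
    and the operator confirms with 'yes', as the article describes.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+", alias):
        raise ValueError("alias should be a simple service name, e.g. service1")
    return [_keytool(java_home), "-importcert",
            "-alias", alias,
            "-file", cert_file,
            "-keystore", truststore_path(java_home),
            "-storepass", CACERTS_PASSWORD]


def keytool_list_argv(java_home: str, alias: str) -> List[str]:
    """Argument vector that confirms the alias is present after the import."""
    return [_keytool(java_home), "-list",
            "-alias", alias,
            "-keystore", truststore_path(java_home),
            "-storepass", CACERTS_PASSWORD]


if __name__ == "__main__":
    java_home = find_jvm_path(CONSTRUCTED_LOG)
    print("JVM:", java_home)
    # list2cmdline quotes the "Program Files" paths so the lines can be pasted
    # into an administrative Command Prompt as-is.
    print(subprocess.list2cmdline(
        keytool_import_argv(java_home, "service1", r"C:\Temp\service1.cer")))
    print(subprocess.list2cmdline(keytool_list_argv(java_home, "service1")))
```

Importing into `cacerts` ties the trust to that specific JRE folder: the import has to be repeated when Scheduler or the Execution Profile moves to a different Java installation (for example from `jre11` to `jre17`), which is why re-reading the `JVM Path` line after an upgrade matters.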
7. Engine (to Scheduler)
The Engine communicates with Scheduler when running jobs with certain operations, such as operations using third-party services. This communication occurs by default over HTTPS, and Rampiva automatically manages the certificate trust.
Additionally, the certificate trust on the Engines can be manually managed using the steps from section 6, or by setting the Scheduler certificate fingerprint using the parameter `{scheduler_cert_fingerprint}`.