Categories

Versions

You are viewing the RapidMiner Legacy documentation for version 9.8 - Check here for latest version

Enabling HTTPS

To create secure connections between RapidMiner Studio and RapidMiner Server or for the Web UI, take the following steps:

  1. Configure RapidMiner Server for HTTPS.

  2. Reconfigure the connection between RapidMiner Server and the Job Agent

  3. Reconfigure the connection between RapidMiner Server and RapidMiner Studio.

If you want to change the default port (8443) for HTTPS communication on the server side, see the section on changing ports.

Configure RapidMiner Server for HTTPS

Follow these steps to enable an SSL-encrypted connection:

  1. Obtain an SSL certificate from a certificate authority of your choice. In order to configure HTTPS communication, you need to have a private key, a server certificate and an optional certificate chain of the issuer. Certificate issuers provide these data in various formats, which can be converted easily to the other formats:

    • If using the PEM format, the private key is provided in a separated file with .key extension, while the certificate and the certificate chain in one or more files with .cer or .crt extension. These files are text based with BASE64 encoding.
    • The DER format provides the same structure: a separated private key file and certificate file(s), which are binary files with DER encoding.
    • The PKCS#12 format is a bundle (keystore) in one file with .p12 or .pfx extension, that contains one or more set of "certificate related data" (private key, certificate and optional certificate chain) tagged with an alias. The alias identifies exactly the private key and certificate in the store file.
    • The JKS (Java Keystore) format is similar to the PKCS#12 format and used mainly in Java-based environments

    Note: SSL certificates are issued per domain, per host name or for a set of subdomains (wildcard certificate). Make sure that the hostname of the certificate matches the hostname of your RapidMiner Server installation. Otherwise, accessing browsers will show warnings and may even block access entirely.

  2. To install the certificate to RapidMiner server a JKS format is needed. Please consult the CA's documentation for instructions on converting it, check online available resources or check our examples here. OpenSSL is a freely available tool for managing and converting certificates, while keytool is included in Java installations for managing Java keystores (JKS).

    • Convert PEM certificate and private key to PKCS#12 format. Provide the certificate-related files, set an alias (e.g. "pkcs12alias") in the command line and the tool will ask for a password (Export password), that will be used to encrypt the PKCS#12 file.

      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile chain.crt -name "pkcs12alias"

    • The generated certificate bundle can be checked using the following command:

      openssl pkcs12 -info -in certificate.pfx

    • Convert PKCS#12 into JKS, using the Java keytool, as follows. Please check the filename parameters in the command line and take care on the alias names also. The srcalias should be the same that was used previously during the export to the PKCS#12 format (name parameter). First the tool will ask for a password to decode the previously created PKCS#12 file (source keystore). Afterwards the tool will ask for a new password for the new JKS file (destination keystore password) and also the private key.

      keytool -importkeystore -destkeystore certificate.keystore -srckeystore certificate.pfx -srcstoretype PKCS12 -srcalias pkcs12alias -destalias jksalias -trustcacerts

    Important limitation: In the JBoss configuration only one password can be provided, that will be used as the keystore password and also as the private key password, so these two passwords should be the same in the JKS file.

  3. Copy the generated certificate.keystore to the folder configuration/ in your RapidMiner Server home directory.

  4. Open the file standalone.xml. It is located in configuration/ of the RapidMiner Server home directory.

  5. Locate the tag <connector name="https" ... />. Uncomment the following snippet directly below the tag (by deleting <!-- and -->) and edit the password to match the password of your keystore and edit the alias field to match the alias name used during the JKS export. (If you cannot find the commented snippet, just copy the code below and paste it directly after the <connector name="http" ... /> tag.). Please take care on the path of the keystore. If it is not located in the folder /rapidminer-server-home/configuration, then you can provide the full path also.

    <!-- <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="ssl" password="secret" protocol="TLSv1" key-alias="jksalias" certificate-key-file=" ${jboss.server.config.dir}/certificate.keystore" />
    </connector> -->
    

  6. If ciphers need to be hardened, add the following attributes

    cipher-suite="TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256" protocol="TLSv1.1,TLSv1.2"
    
    to the element starting with <ssl name="ssl".., yielding:
    <ssl name="ssl" password="secret" protocol="TLSv1" key-alias="jksalias" certificate-key-file=" ${jboss.server.config.dir}/certificate.keystore" cipher-suite="TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256" protocol="TLSv1.1,TLSv1.2" />
    In case you are working with the up to date Oracle java, you may need to install Java Cryptography Extension (JCE)

  7. If you want to disable HTTP connections entirely and forward them to HTTPS automatically:

    1. Add the flag redirect-port="8443" inside the HTTP (not HTTPS) tag — <connector name="http" ... />. (Replace the port with your actual SSL port if it differs from the default):

       <connector name="http" ... redirect-port="8443" />
      
    2. Modify the web.xml file, which can be found at /standalone/deployments/rapidminer-server-xxx.ear/rapidminer-server-war.war/WEB-INF/web.xml of your RapidMiner Server installation directory, by adding the following:

       <security-constraint>
      
       <web-resource-collection>
      
       <web-resource-name>Secure Apps</web-resource-name>
      
       <url-pattern>/*</url-pattern>
      
       </web-resource-collection>
      
       <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
      
       </security-constraint>
      
  8. Restart RapidMiner Server.

Reconfigure the connection in the Job Agent(s)

After configuring RapidMiner Server, you must also reconfigure each Job Agent that connects to this server. Follow these steps:

  1. Locate the Job Agent's configuration file agent.properties (located in the home/config directory of the Job Agent deployment)

  2. Modify the rapidminer.server.protocol property to https

  3. Modify the rapidminer.server.host and rapidminer.server.port properties to contain the valid hostname and port configured for your server.

Reconfigure the connection in RapidMiner Studio

After configuring RapidMiner Server, you must also reconfigure each RapidMiner Studio instance that connects to this server. Follow these steps:

  1. In RapidMiner Studio, right-click on the RapidMiner Server repository and select Configure Repository:

  2. The Configure RapidMiner Server Repository window opens. Modify the Repository URL field to use SSL and match the port value you set for RapidMiner Server.

    For example:

  3. Click save Save to save your changes.