Most SnapLogic API requests can be sent to the SnapLogic cloud endpoint. The SnapLogic cloud runs with a CA-signed TLS (SSL) certificate, so the client sending the HTTP request can validate that certificate against its trusted CA certificates.
Some SnapLogic API requests can be sent to the Groundplex nodes directly, including requests for Ground-triggered Pipelines and requests to the FeedMaster nodes for Ultra Pipelines. The Snaplex nodes run with self-signed certificates. A load balancer must be installed to handle the incoming requests to the Groundplex nodes. The load balancer can be configured with the customer's TLS (SSL) certificate. The clients see the certificate exposed by the load balancer.
If the load balancer is configured with a custom TLS (SSL) certificate and configured to terminate TLS (SSL) connections, you do not have to change the TLS (SSL) certificate on the Groundplex nodes. The Groundplex nodes can run using the default SnapLogic generated certificate, which is the recommended configuration.
If the certificate cannot be changed on the load balancer, choose one of the following methods to allow the HTTP clients to verify the authenticity of the Snaplex nodes when sending these requests:
Perform the following steps:
Locate the node keystore, jcc-serverkeys.jks, on the Groundplex node:
Linux: ./etc/snaplogic/jcc-serverkeys.jks
Windows: C:\opt\snaplogic\etc\jcc-serverkeys.jks
Concatenate all PEM-encoded files into a single chain file. Keep the order shown: the CA-signed (leaf) certificate first, then the intermediate, then the root.
Linux example:
$ cat <CA-SIGNED-PEM> <CA-INTERMEDIATE-PEM> <CA-ROOT-PEM> > sl-ca-chain.pem
Where:
<CA-SIGNED-PEM> is the CA-signed TLS (SSL) certificate (PEM encoded).
<CA-INTERMEDIATE-PEM> is the CA intermediate certificate (PEM encoded).
<CA-ROOT-PEM> is the CA root certificate (PEM encoded).
To ensure that there is no password associated with the private key file for later operations, use the openssl command.
Linux example:
$ openssl rsa -in <PRIVATE_KEY> -out key_no_pass.pem
Where:
<PRIVATE_KEY> is the private key used to create the CSR (PEM encoded).
If there is a password associated with the private key, you must provide it to generate key_no_pass.pem. The resulting file is an unencrypted private key, so restrict its file permissions and remove it once the keystore import is complete.
Use the openssl command to generate the PFX file. The -password argument reads the keystore password from jcc-serverkeys.pass so that the PFX file is protected with the same password as the node keystore (openssl requires the pass: prefix on the value).
Linux example:
$ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password "pass:$(cat /etc/snaplogic/jcc-serverkeys.pass)"
Use the keytool command to import the PFX file into jcc-serverkeys.jks. Back up the existing keystore first; if an entry with the alias jetty already exists, keytool asks whether to overwrite it.
Linux example:
$ keytool -importkeystore -srckeystore <PATH-TO-SL-CA-CHAIN-P12> -srcstoretype PKCS12 -srcstorepass "$(cat /etc/snaplogic/jcc-serverkeys.pass)" -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass "$(cat /etc/snaplogic/jcc-serverkeys.pass)"
Where:
<PATH-TO-SL-CA-CHAIN-P12> is the absolute path to the sl-ca-chain.p12 file created in the previous step.
(Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed TLS (SSL) certificate. Compare the subject, issuer and fingerprint of the first certificate in the output with those of the CA-signed certificate.
Linux example:
$ openssl s_client -connect localhost:<SECURE-PORT> -showcerts </dev/null
Where:
<SECURE-PORT> is 8081 (default) for a Groundplex or 8084 (default) for a FeedMaster node.
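The optional check above, automated as an added example that is not part of the SnapLogic documentation: it parses sl-ca-chain.pem, fetches the leaf certificate a node serves on its secure port, and compares SHA-256 fingerprints. The host, port and chain path are assumptions passed by the caller, and constructed_chain() is a constructed placeholder (labelled non-certificate bytes in PEM wrappers) so the parsing and comparison can be exercised offline.

```python
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def split_pem_chain(text):
    """Return the PEM certificate blocks of a chain file, in file order (leaf first)."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            blocks.append("\n".join(current + [line]) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def sha256_fingerprint(pem_cert):
    """Colon-separated SHA-256 fingerprint of one PEM certificate's DER bytes,
    in the same form as 'openssl x509 -fingerprint -sha256'."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_served_cert(host, port, timeout=5.0):
    """Fetch the leaf certificate the node presents on its secure port (8081/8084 by default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # verification is off on purpose: we want to
    ctx.verify_mode = ssl.CERT_NONE  # see what the node serves, not trust it yet
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def served_cert_matches(chain_text, served_pem):
    """True when the served leaf has the same fingerprint as the first cert in the chain file."""
    certs = split_pem_chain(chain_text)
    if not certs:
        raise ValueError("chain file contains no PEM certificate blocks")
    return sha256_fingerprint(certs[0]) == sha256_fingerprint(served_pem)

def constructed_chain():
    """Constructed stand-in for sl-ca-chain.pem: three PEM blocks wrapping labelled
    placeholder bytes (not real certificates), in leaf -> intermediate -> root order."""
    return "".join(ssl.DER_cert_to_PEM_cert(label)
                   for label in (b"CA-SIGNED-PEM", b"CA-INTERMEDIATE-PEM", b"CA-ROOT-PEM"))
```

Against a real node, call served_cert_matches(open("sl-ca-chain.pem").read(), fetch_served_cert("localhost", 8081)) and expect True once the import has taken effect.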