For various reasons, you may have to secure a Presto cluster with TLS, both internally and externally. This is pretty straight forward following Presto documentation, until you want to also combine that with an LDAP or custom password login mechanism. Once you have internal TLS, external TLS, and LDAP, you have to play with some extra settings and manipulate your JKS files to get things done.
Internal TLS Settings
For secure internal communication, you should refer to the presto documentation right here: https://prestosql.io/docs/current/security/internal-communication.html. It will walk you through various configuration settings that enable HTTPS, disable HTTP, and set key stores for TLS.
Part of the instructions have you generate a JKS file (Java Key Store) with a command like this:
keytool -genkeypair -alias example.com -keyalg RSA -keystore keystore.jks Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: *.example.com (Your site name should go here).
This will get your internal TLS working fine.
Adding External TLS
It would be quite pointless to secure the inside of a cluster if you didn’t secure the connections to the clients using it. So, you’ve actually set all of the external TLS properties already when you were doing the internal security. E.g. notice that the properties listed in the LDAP login plugin (which requires external SSL) here: https://prestosql.io/docs/current/security/ldap.html are already referenced in the doc we referred to for internal TLS here https://prestosql.io/docs/current/security/internal-communication.html.
Initially, I figured that I could configure a different JKS file for internal and external communication; but it turns out that this does not work; so don’t try it. There is some information on that right here. You need to use the same JKS file in all keystore configurations on the Presto servers. So, don’t bother trying to tune the properties you already set while doing internal TLS; just keep them.
Given internal and external communication needs the same keystore, a naive second try may be to give clients the same JKS file that you use for internal TLS… but that’s a bad idea for two reasons:
- You’re giving away your private key and compromising security.
- If you go on to add password-login by LDAP or a custom password authenticator, the private key certificate will bypass it if the clients have it.
So, what you really need to do to allow clients to use TLS safely is use the same JKS file for all the server-side properties, but give clients a copy of that JKS file with the private key removed for use with JDBC/etc.
You can remove the private key from the JKS you made with the internal TLS instructions like this:
keytool -export -alias company.com -file sample.der -keystore keystore.jks openssl x509 -inform der -in sample.der -out sample.crt keytool -importcert -file sample.crt -keystore .keystore
You can do user-name and password login with LDAP out of the box using the documentation I linked earlier. Alternatively, you can use the custom password plugin documentation I wrote a month ago here: https://coding-stream-of-consciousness.com/2019/06/18/presto-custom-password-authentication-plugin-internal/ to do your own.
In either case, while combining internal TLS and password login, you will have to modify this property: