Installation for Enterprise Data Preparation

Generate CA-signed SSL Certificates

You have a custom SSL certificate for the Informatica domain, and plan to configure custom SSL for Enterprise Data Catalog. In this scenario, you must generate CA-signed certificates.
Use the generate_csr.sh and generate_certs.sh scripts to generate the Certificate Signing Request (CSR) to send to a CA and generate the required custom SSL certificates. You can download the scripts from the Akamai Download Manager.
Perform the following steps to use the scripts to generate the custom SSL certificates:
  1. Extract the generate_csr.sh and generate_certs.sh scripts from the following location:
    <Location of installer files>/properties/utils/CustomSSLScriptsUtil_ExternalCA
  2. Set the JAVA_HOME environment variable to point to JDK 8.
  3. In the gen_csr.properties file, provide the values for the following parameters:
    | Parameter | Description |
    | --- | --- |
    | InfaDomainKeystorePassword | The Informatica domain keystore password in plain text. |
    | ServerHosts | The Informatica Cluster Service hosts that include the data nodes, processing nodes, and gateway node. Enter a comma-separated list of FQDNs of cluster nodes. |
    | ClientHosts | Comma-separated list of unique host names of domain nodes and cluster nodes. |
    | InfaDomainName | The Informatica domain name. |
    | ICSServiceName | The name of the Informatica Cluster Service. |
    | KeysOutputDir | The directory to store the generated keys. Specify the $CUSTOM_KEYSTORE_LOC directory to avoid the additional steps to copy the generated keys. The $ICS_SERVICENAME/client_certs and the $ICS_SERVICENAME/cluster_certs directories are created under the $CUSTOM_KEYSTORE_LOC directory. $CUSTOM_KEYSTORE_LOC is the directory where the custom keystore for the Informatica domain (infa_keystore.jks) is located. $ICS_SERVICENAME is the name of the Informatica Cluster Service. |
    | CertsOutputDir | The $CUSTOM_TRUSTSTORE_LOC directory to store the generated truststore files. The $ICS_SERVICENAME/client_certs and the $ICS_SERVICENAME/cluster_certs directories are created under the $CUSTOM_TRUSTSTORE_LOC directory. The $CUSTOM_TRUSTSTORE_LOC is the directory where the custom truststore for the Informatica domain (infa_truststore.jks) is located. |
    | DNSDomainName | The DNS domain name for the cluster nodes. |
    | ClusterCert_OrganizationUnit | Optional. The value for the OrganizationUnit for the cluster nodes certificate. |
    | ClusterCert_Organization | The value for the Organization for the cluster nodes certificate. Verify that the combination of the Organization (O) and the Organizational Unit (OU) parameters in the certificate subject is distinct for the cluster and client certificates. |
    | ClusterCert_Location | The value for the Location for the cluster nodes certificate. |
    | ClusterCert_State | The value for the State for the cluster nodes certificate. |
    | ClusterCert_CountryCode | The value for the Country Code for the cluster nodes certificate. |
    | DomainCert_OrganizationUnit | Optional. The value for the Organization Unit for the domain nodes certificate. |
    | DomainCert_Organization | The value for the Organization for the domain nodes certificate. Verify that the combination of the Organization (O) and the Organizational Unit (OU) parameters in the certificate subject is distinct for the cluster and client certificates. |
    | DomainCert_Location | Optional. The value for the Location for the domain nodes certificate. Default is the ClusterCert_Location parameter. |
    | DomainCert_State | Optional. The value for the State for the domain nodes certificate. Default is the ClusterCert_State parameter. |
    | DomainCert_CountryCode | Optional. The value for the Country Code for the domain nodes certificate. Default is the ClusterCert_CountryCode parameter. |
    | Custom_Server_Certificate_CN | Optional. The value for the Common Name in the cluster nodes certificate that can be used instead of the default $InfaDomainName-$ICSServiceName.$DNSDomainName value. You must enter RFC2253 compliant values. The following special characters are supported: , + " \ < > ;. Double quotes (") must be used in pairs. The characters \ and " must not be used together. The value cannot contain a space. |
    | Custom_Client_Certificate_CN | Optional. The value for the Common Name in the domain nodes certificate that can be used instead of the default $InfaDomainName-$ICSServiceName.$DNSDomainName value. Default is the Custom_Server_Certificate_CN parameter. You must enter RFC2253 compliant values. The following special characters are supported: , + " \ < > ;. Double quotes (") must be used in pairs. The characters \ and " must not be used together. The value cannot contain a space. |

    If the values contain spaces or special characters, you must enclose the values within double-quotes.
  4. Run the generate_csr.sh script using the following command to generate the .csr files to send to an external CA:
    ./generate_csr.sh gen_csr.properties
    The following files are generated for the cluster:
    • infa_nodecert.csr
    • infa_privkey.key
    • infa_privkey.pem
    • keystore.jks
    The following files are generated for the client:
    • infa_nodecert.csr
    • infa_privkey.key
    • infa_privkey.pem
    • keystore.jks
    • browser_cert.csr
    • browser_keystore.jks
    • browser_privkey.key
    • browser_privkey.pem

  5. Validate the contents of the .csr files. Run the following command to view the contents:
    keytool -printcertreq -file $PATH_TO_CSR
  6. Send the following .csr files to an external CA for signing:
    • <CertsOutputDir>/<ICSServiceName>/client_certs/infa_nodecert.csr
    • <CertsOutputDir>/<ICSServiceName>/cluster_certs/infa_nodecert.csr
    • <CertsOutputDir>/<ICSServiceName>/client_certs/browser_cert.csr
    The browser_cert.csr file is required if you want to create the browser certificates to view the scan job logs on Nomad.
  7. After you receive the certificates or certificate chains from the CA in .pem format, validate the certificates and store them in a location under the $INFA_HOME directory on your machine.
    If you receive the certificates or certificate chains from the CA in .cer format, run the following command to convert the files to .pem format:
    openssl x509 -inform der -in <certificate file name>.cer -outform pem -out <certificate file name>.pem
    If you receive a certificate chain from the CA, you must extract the root certificate, intermediate certificates, and the end user certificate.
  8. In the gen_certs.properties file, provide the values for the following parameters:
    | Parameter | Description |
    | --- | --- |
    | InfaDomainKeystorePassword | The Informatica domain keystore password in plain text. |
    | InfaDomainTruststorePassword | The Informatica domain truststore password in plain text. |
    | ClusterCertificate | The path to the cluster certificate signed by the CA in .pem format. This is an end user certificate. |
    | ClientCertificate | The path to the client certificate signed by the CA in .pem format. This is an end user certificate. |
    | BrowserCertificate | The path to the browser certificate signed by the CA in .pem format. |
    | ICSServiceName | The name of the Informatica Cluster Service. |
    | IsCACertificateChainAvailable | Specify if the CA certificate chain is available as a single .pem file. Enter true or false. The certificate chain must contain only the root and intermediate certificates. |
    | SingleCACertificateChain | The path to the CA certificate chain in .pem format. |
    | IndividualCertificatesFromCAChain | Optional. Only required if the IsCACertificateChainAvailable parameter is set to false. Comma-separated paths to the public certificates in the CA certificate chain in .pem format if the complete CA certificate chain is available as individual .pem files. |
    | KeysOutputDir | The $CUSTOM_KEYSTORE_LOC directory to store the generated keys. The $ICS_SERVICENAME/client_certs and $ICS_SERVICENAME/cluster_certs directories are created under the $CUSTOM_KEYSTORE_LOC directory. $CUSTOM_KEYSTORE_LOC is the directory where the custom keystore for the Informatica domain (infa_keystore.jks) is located. $ICS_SERVICENAME is the name of the Informatica Cluster Service. |
    | CertsOutputDir | The $CUSTOM_TRUSTSTORE_LOC directory to store the generated truststore files. The $ICS_SERVICENAME/client_certs and the $ICS_SERVICENAME/cluster_certs directories are created under the $CUSTOM_TRUSTSTORE_LOC directory. The $CUSTOM_TRUSTSTORE_LOC is the directory where the custom truststore for the Informatica domain (infa_truststore.jks) is located. |
  9. Run the generate_certs.sh script using the following command to generate the certificates:
    ./generate_certs.sh gen_certs.properties
    The keystore.jks keystore and the infa_privkey.pem private keys are stored in the $CUSTOM_KEYSTORE_LOC/$ICSServiceName/client_certs and $CUSTOM_KEYSTORE_LOC/$ICSServiceName/cluster_certs directories.
    The truststore.jks truststore and the infa_nodecert.pem, infa_nodecertkey.pem, and infa_pubcert.pem public keys are stored in the $CUSTOM_TRUSTSTORE_LOC/$ICSServiceName/client_certs and $CUSTOM_TRUSTSTORE_LOC/$ICSServiceName/cluster_certs directories.
  10. Optional. The directories $CUSTOM_KEYSTORE_LOC and $CUSTOM_TRUSTSTORE_LOC are generally the same. If the <KeysOutputDir> location is not the same as $CUSTOM_KEYSTORE_LOC and the <CertsOutputDir> location is not the same as $CUSTOM_TRUSTSTORE_LOC, move the keys and certificates to the respective directories.
    Verify that the $CUSTOM_KEYSTORE_LOC and the $CUSTOM_TRUSTSTORE_LOC directories have the required user privileges. Also, validate that the user has minimum chmod 700 permissions configured for the directories and chmod 600 permissions configured for the files that are copied to the directories.
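A post-run check for steps 9 and 10, added here as an example that is not part of Informatica's scripts or documentation: it confirms that the files step 9 lists exist under client_certs and cluster_certs and reports entries whose mode misses the 700/600 minimum. The function names are hypothetical, and the GROUP_OTHER_ACCESS check is an added assumption that is stricter than the wording of step 10.

```shell
#!/bin/sh
# Added example, not Informatica's code; all function names are hypothetical.
# Usage: sh check_ics_certs.sh <CUSTOM_KEYSTORE_LOC> <CUSTOM_TRUSTSTORE_LOC> <ICSServiceName>

# find(1) arguments matching any group/other permission bit. POSIX find has
# no "any of these bits" test, so the six bits are OR-ed explicitly.
LOOSE='( -perm -040 -o -perm -020 -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 )'

# missing_files BASE SERVICE FILE...
# Reports files that step 9 says exist under client_certs and cluster_certs.
missing_files() {
    base=$1/$2
    shift 2
    for sub in client_certs cluster_certs; do
        for f in "$@"; do
            [ -f "$base/$sub/$f" ] || echo "MISSING $base/$sub/$f"
        done
    done
}

# perm_findings DIR: reports permission problems below DIR, one per line.
perm_findings() {
    [ -d "$1" ] || return 0   # absent directories are covered by missing_files
    # Step 10: the owner needs at least 700 on directories and 600 on files.
    find "$1" -type d ! -perm -700 -exec echo "OWNER_LACKS_700" {} \;
    find "$1" -type f ! -perm -600 -exec echo "OWNER_LACKS_600" {} \;
    # Assumption, stricter than the page's wording: private keys and keystores
    # should not be reachable by group or other at all.
    # $LOOSE is left unquoted on purpose so it splits into find arguments.
    find "$1" \( -type d -o -type f \) $LOOSE -exec echo "GROUP_OTHER_ACCESS" {} \;
}

# check_ics_certs KEYSTORE_LOC TRUSTSTORE_LOC SERVICE
# Prints all findings and returns 1 if there are any, 0 if the layout is clean.
check_ics_certs() {
    ks=$1; ts=$2; svc=$3
    out=$(
        missing_files "$ks" "$svc" keystore.jks infa_privkey.pem
        missing_files "$ts" "$svc" truststore.jks infa_nodecert.pem \
            infa_nodecertkey.pem infa_pubcert.pem
        perm_findings "$ks/$svc"
        [ "$ks" = "$ts" ] || perm_findings "$ts/$svc"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if [ "$#" -eq 3 ]; then check_ics_certs "$@"; fi
```

Pointing perm_findings at the directory that holds gen_csr.properties and gen_certs.properties is also worthwhile, because both files carry keystore passwords in plain text.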
To access the Nomad Web UI and Solr Admin UI when the Informatica Cluster Service is SSL enabled, you must import the browser certificates. For more information about how to import the browser certificates, see the KB article "Access Nomad Web UI and Solr Admin UI when Informatica Cluster Service is SSL enabled in EDC".