
How to add a certificate chain file for SSL configuration

This guide describes how to configure the Apache Tomcat instance bundled with Matillion ETL to present a certificate chain file alongside its server certificate. This is needed when your certificate was issued by an intermediate CA: without the chain file, Tomcat sends only the leaf certificate, and clients that do not already hold the intermediate cannot build a path to a trusted root and will reject the connection.

As of version 1.69, Matillion ETL's Apache Tomcat version was updated from 8.5.75 to 10.1.5, requiring different configuration instructions. Refer to the relevant section below for the version of Matillion ETL you are using.

Note

The private key file used in an SSL certificate chain configuration must be unencrypted (not passphrase protected). Tomcat has no way to supply a passphrase when it starts, so an encrypted key simply fails to load. Because the key is therefore stored in the clear, protect it with file ownership and permissions rather than a passphrase.


Matillion ETL version 1.69 and later

  1. SSH into your Matillion ETL instance and switch to the root user.
  2. Take a backup of the current SSL configuration.

    cp -rp /etc/tomcat/localhost.crt /etc/tomcat/localhost.crt.bak
    
    cp -rp /etc/tomcat/localhost.key /etc/tomcat/localhost.key.bak
    
    cp -rp /etc/tomcat/server.xml /etc/tomcat/server.xml.bak
    
  3. Copy the private key and certificates to the following locations.

    cp /your/key/file /etc/tomcat/localhost.key
    
    cp /your/cert/file /etc/tomcat/localhost.crt
    
    cp /your/intermediates/file /etc/tomcat/localhost-chain.crt
    
  4. Update the file ownership and permissions.

    chown tomcat:tomcat /etc/tomcat/localhost*
    
    chmod 775 /etc/tomcat/localhost*
    

    Mode 775 leaves localhost.key readable by every local account. Tomcat only needs to read the key as the tomcat user, so a mode that removes read access for "other" (and the unnecessary execute bit) on localhost.key is safer; the certificate files can stay world-readable.

  5. Locate the HTTPS connector in the file /etc/tomcat/server.xml. It looks like this:

    <Connector SSLEnabled="true" clientAuth="false" maxPostSize="10485760" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslProtocol="TLS">
    <SSLHostConfig>
    <Certificate certificateFile="${catalina.base}/conf/localhost.crt" certificateKeyFile="${catalina.base}/conf/localhost.key"/>
    </SSLHostConfig>
    </Connector>
    
  6. Add a certificateChainFile attribute to the <Certificate> element, pointing at your chain file. The chain file must contain only the intermediate certificate(s), not the server certificate itself (which Tomcat reads from certificateFile):

    <Connector SSLEnabled="true" clientAuth="false" maxPostSize="10485760" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslProtocol="TLS">
    <SSLHostConfig>
    <Certificate certificateFile="${catalina.base}/conf/localhost.crt" certificateKeyFile="${catalina.base}/conf/localhost.key" certificateChainFile="${catalina.base}/conf/localhost-chain.crt" />
    </SSLHostConfig>
    </Connector>
    
  7. Restart Tomcat.

    systemctl restart tomcat
    
  8. Validate the connection to the Matillion ETL HTTPS endpoint and confirm that the server now sends the intermediate certificate(s) along with its own; a browser's certificate viewer, or openssl s_client with -showcerts, lists every certificate the server presents. A client that still reports an unknown issuer after this change usually means the chain file does not contain the right intermediate.

  9. Check the file /var/log/tomcat/catalina.out for any errors.

Matillion ETL version 1.68 and earlier

  1. SSH into your Matillion ETL instance and switch to the root user.
  2. Take a backup of the current SSL configuration.

    cp -rp /etc/tomcat8/localhost.crt /etc/tomcat8/localhost.crt.bak
    
    cp -rp /etc/tomcat8/localhost.key /etc/tomcat8/localhost.key.bak
    
    cp -rp /etc/tomcat8/server.xml /etc/tomcat8/server.xml.bak
    
  3. Copy the private key and certificates to the following locations.

    cp /your/key/file /etc/tomcat8/localhost.key
    
    cp /your/cert/file /etc/tomcat8/localhost.crt
    
    cp /your/intermediates/file /etc/tomcat8/localhost-chain.crt
    

    Here localhost.crt is the full certificate chain (the server certificate followed by the intermediate certificate), and localhost-chain.crt contains the intermediate certificate only.

  4. Update the file ownership and permissions.

    chown tomcat:tomcat /etc/tomcat8/localhost*
    
    chmod 775 /etc/tomcat8/localhost*
    

    As in the newer procedure, mode 775 leaves localhost.key readable by every local account; only the tomcat user needs to read it, so a tighter mode on the key file is preferable.

  5. Locate the file /etc/tomcat8/server.xml and add the following attribute to the HTTPS <Connector> element (the one with SSLEnabled="true"):

    SSLCertificateChainFile="/etc/tomcat8/localhost-chain.crt" 
    
  6. Restart Tomcat.

    systemctl restart tomcat8
    
  7. Validate the connection to the Matillion ETL HTTPS endpoint and confirm that the intermediate certificate is now served along with the server certificate.

  8. Check the file /var/log/tomcat8/catalina.out for any errors.
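Both procedures above share the same pre-flight checks (unencrypted key, key matches certificate, chain file holds intermediates only, leaf verifies through the intermediates) and the same post-restart check (the server actually sends the chain). The script below covers them for either Matillion ETL version. It is an added example, not Matillion's own tooling, and it assumes: openssl is installed on the instance; Tomcat runs as the tomcat user, as the chown step implies; the service name matches the configuration directory (tomcat for /etc/tomcat, tomcat8 for /etc/tomcat8); and server.xml contains the connector in the form shown above. The function names, the backup naming and the choice of mode 640 for the key file are mine.

```shell
#!/bin/sh
# Added example for the Matillion ETL certificate-chain procedure; not Matillion code.
# CONF is /etc/tomcat (1.69+) or /etc/tomcat8 (1.68 and earlier); the service
# name (tomcat / tomcat8) is derived from it. Assumes openssl is available.

# Number of PEM certificate blocks in a file (0 if none).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds if the private key is passphrase-protected (PKCS#8 or PKCS#1 form).
# Tomcat cannot prompt for a passphrase at start-up, so such a key must be rejected.
pem_key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the Nth PEM certificate block (1-based) of a file.
pem_cert_nth() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# chain_starts_with_leaf CHAIN LEAF: succeeds if the chain file begins with the
# server certificate. The chain file must hold intermediates only.
chain_starts_with_leaf() {
    [ "$(pem_cert_nth "$1" 1)" = "$(pem_cert_nth "$2" 1)" ]
}

# key_matches_cert KEY CERT: succeeds if both carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# chain_verifies CERT CHAIN: leaf verifies through the intermediates up to a root
# in the system trust store (add -CAfile for a private CA).
chain_verifies() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# 1.69+: add certificateChainFile to the <Certificate> element, exactly once.
add_chain_attr_tomcat10() {
    if grep -q 'certificateChainFile=' "$1"; then return 0; fi
    sed 's|\(certificateKeyFile="[^"]*"\)|\1 certificateChainFile="${catalina.base}/conf/localhost-chain.crt"|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 1.68 and earlier: add SSLCertificateChainFile=PATH to the HTTPS <Connector>, exactly once.
add_chain_attr_tomcat8() {
    if grep -q 'SSLCertificateChainFile=' "$1"; then return 0; fi
    sed "s|SSLEnabled=\"true\"|& SSLCertificateChainFile=\"$2\"|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# preflight KEY CERT CHAIN: reject bad inputs before anything in CONF is touched.
preflight() {
    if pem_key_is_encrypted "$1"; then echo "refusing: private key is encrypted" >&2; return 1; fi
    if chain_starts_with_leaf "$3" "$2"; then echo "refusing: chain file contains the server certificate" >&2; return 1; fi
    if ! key_matches_cert "$1" "$2"; then echo "refusing: private key does not match the certificate" >&2; return 1; fi
    if ! chain_verifies "$2" "$3"; then echo "refusing: certificate does not verify through the intermediates" >&2; return 1; fi
}

# install_chain CONF KEY CERT CHAIN (run as root on the instance).
install_chain() {
    conf=$1; svc=$(basename "$1")
    preflight "$2" "$3" "$4" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    for f in localhost.crt localhost.key server.xml; do
        if [ -e "$conf/$f" ]; then cp -p "$conf/$f" "$conf/$f.bak.$stamp"; fi
    done
    cp "$2" "$conf/localhost.key"
    cp "$3" "$conf/localhost.crt"
    cp "$4" "$conf/localhost-chain.crt"
    chown tomcat:tomcat "$conf"/localhost*
    chmod 644 "$conf/localhost.crt" "$conf/localhost-chain.crt"
    chmod 640 "$conf/localhost.key"   # readable by tomcat (and root) only, not every local user
    case "$svc" in
        tomcat8) add_chain_attr_tomcat8 "$conf/server.xml" "$conf/localhost-chain.crt" ;;
        *)       add_chain_attr_tomcat10 "$conf/server.xml" ;;
    esac
    systemctl restart "$svc"
}

# served_cert_count HOST:PORT, run after the restart: number of certificates the
# server sends. 1 means the intermediate is still missing; 2 or more means the chain is served.
served_cert_count() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
        | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}
```

Source the file and run `install_chain /etc/tomcat /your/key/file /your/cert/file /your/intermediates/file` (or `/etc/tomcat8` on 1.68 and earlier), then `served_cert_count your.host:8443` from a client machine. The key file gets mode 640 rather than the 775 used in the steps above because the page's chown already makes tomcat the owner, and nothing else on the instance needs to read the private key.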

Video

The video below, produced by our solution architects team, also covers certificate chain files.