Accessing Storage with TLS and Self-Signed Certificates

Sometimes the storage targeted by the Polaris Server is expected to be accessed over TLS but the storage system’s certificate does not have a trust chain leading to a well-known root. Often such a certificate is simply self-signed.

In this situation the JVM inside the Polaris Server will need to be configured with a custom trust store containing the self-signed certificate or its CA certificate.

The example below assumes a self-signed certificate on the storage system and Docker for running Polaris.

Creating a Custom Trust Store

  • Take an existing Java trust store (the one shipped with a JDK, with the usual root certificates) and make a local copy.
  • Add the storage system’s certificate to the copy:

    keytool -importcert -file STORAGE_CERT.pem -keystore cacerts -alias STORAGE_CERT

Here, STORAGE_CERT.pem is the file containing the storage system’s certificate; cacerts is the name of a custom trust store file to be used by Polaris.

Running Polaris with a Custom Trust Store

Map the directory containing the custom trust store to a path inside the Polaris container and instruct the Polaris JVM to use it. Note that `-Djavax.net.ssl.trustStore` replaces the JVM’s default trust store rather than extending it, which is why the custom store starts from a copy of an existing one.

    docker run -p 8181:8181 \
      -v /path/to/dir-containing-cacerts:/opt/tls \
      -e JAVA_OPTS_APPEND='-Djavax.net.ssl.trustStore=/opt/tls/cacerts' \
      apache/polaris:latest

Of course, add other Polaris and/or Docker options as appropriate for your environment.
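The two steps above (copy the JDK trust store, import the storage certificate, then start Polaris with the store mounted) as one script. This is an added example, not code from the Polaris documentation or project. It assumes a JDK 9+ directory layout (`lib/security/cacerts`), the JDK default trust store password `changeit` unless `STOREPASS` is set, and the `STORAGE_CERT.pem` file name and `/opt/tls` mount path used on this page; the PEM check before the import and the `keytool -list` afterwards are additions so that a wrong input file or a failed import is caught before Polaris starts.

```shell
#!/bin/sh
# Added example (not from the Polaris docs or project): build the custom trust
# store described above and start Polaris with it.
# Assumptions: a JDK 9+ layout (lib/security/cacerts), the JDK default trust
# store password "changeit" unless STOREPASS is set, the file name
# STORAGE_CERT.pem and the /opt/tls mount path from the docs.
set -eu

STOREPASS=${STOREPASS:-changeit}   # JDK default; override for a custom store

# Locate the JDK's own trust store (the copy source) via JAVA_HOME or the java on PATH.
default_truststore() {
  if [ -n "${JAVA_HOME:-}" ] && [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
    printf '%s\n' "$JAVA_HOME/lib/security/cacerts"
  elif command -v java >/dev/null 2>&1; then
    printf '%s\n' "$(dirname "$(dirname "$(command -v java)")")/lib/security/cacerts"
  else
    echo "no JDK found: set JAVA_HOME or pass the cacerts path explicitly" >&2
    return 1
  fi
}

# Sanity check before importing: the file must hold at least one PEM certificate
# block (a private key file or a DER file would not, and keytool's error is less clear).
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy SRC_CACERTS to OUT_DIR/cacerts and import CERT_PEM under alias STORAGE_CERT.
# Copying keeps the public roots: -Djavax.net.ssl.trustStore replaces the default
# store rather than adding to it.
build_truststore() {  # usage: build_truststore SRC_CACERTS CERT_PEM OUT_DIR
  src=$1 cert=$2 out=$3/cacerts
  is_pem_cert "$cert" || { echo "$cert does not contain a PEM certificate" >&2; return 1; }
  mkdir -p "$3"
  cp "$src" "$out"
  keytool -importcert -noprompt -file "$cert" -keystore "$out" \
          -alias STORAGE_CERT -storepass "$STOREPASS"
  # Show the imported entry so its fingerprint can be compared with the one the
  # storage system actually presents.
  keytool -list -keystore "$out" -alias STORAGE_CERT -storepass "$STOREPASS"
}

# The JVM option Polaris needs, given the trust store path inside the container.
java_opts_for() {  # usage: java_opts_for /opt/tls/cacerts
  printf '%s' "-Djavax.net.ssl.trustStore=$1"
}

# Build the store into OUT_DIR and start Polaris with that directory mounted at /opt/tls.
main() {  # usage: ./polaris-tls.sh STORAGE_CERT.pem OUT_DIR
  cert=$1 outdir=$2
  build_truststore "$(default_truststore)" "$cert" "$outdir"
  docker run -p 8181:8181 \
    -v "$(cd "$outdir" && pwd)":/opt/tls \
    -e JAVA_OPTS_APPEND="$(java_opts_for /opt/tls/cacerts)" \
    apache/polaris:latest
}

# Only run the pipeline when invoked with arguments; sourcing the file just defines the functions.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `./polaris-tls.sh STORAGE_CERT.pem ./tls` from the directory holding the certificate; `keytool` prompts for nothing because `-noprompt` and `-storepass` are given, and the `keytool -list` line is the place to compare the fingerprint against the certificate the storage endpoint serves.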

After this, create a Polaris catalog as usual. Note that the storage endpoint property in the catalog probably needs to use the https URI scheme.