Using TLS to encrypt channels for greater security

TLS support in DC/OS Data Science Engine encrypts the following channels:

  • From the DC/OS admin router to the DC/OS Data Science Engine.
  • Files served from the Spark Driver launched by DC/OS Data Science Engine to Spark Executors.

The keystore and truststore are created using the Java keytool. The keystore must contain one private key and its signed public key. The truststore is optional and might contain a self-signed root-CA certificate that is explicitly trusted by Java.

You can add the stores as secrets in the DC/OS secret store. For example, if your keystores, truststores and CA bundle are server.jks, trust.jks and trust-ca.jks, respectively, then use the following commands to add them and their passwords to the secret store:

dcos security secrets create /data-science-engine/keystore --text-file server.jks
dcos security secrets create /data-science-engine/truststore --text-file trust.jks
dcos security secrets create /data-science-engine/ca_bundle_truststore --text-file trust-ca.jks
dcos security secrets create /data-science-engine/keystore_password --value changeit
dcos security secrets create /data-science-engine/key_password --value changeit
dcos security secrets create /data-science-engine/truststore_password --value changeit

To enable TLS, a Java keystore (and, optionally, truststore) must be provided, along with their passwords. The first four settings below are required during job submission. If using a truststore, the next three are also required. The last one is optional:

  "security": {
    "tls": {
      "enabled": true,
      "keystore_secret": "/data-science-engine/keystore",
      "keystore_password": "/data-science-engine/keystore_password",
      "key_password": "/data-science-engine/key_password",
      "truststore_secret": "/data-science-engine/truststore",
      "truststore_password": "/data-science-engine/truststore_password",
      "ca_bundle_secret": "/data-science-engine/ca_bundle_truststore",
      "protocol": "TLSv1.2"