How to Configure Greenplum PXF with MinIO over TLS (HTTPS) Using Self-Signed Certificates
search cancel

How to Configure Greenplum PXF with MinIO over TLS (HTTPS) Using Self-Signed Certificates

book

Article ID: 432927

calendar_today

Updated On:

Products

VMware Tanzu Data Suite VMware Tanzu Greenplum VMware Tanzu Greenplum / Gemfire

Issue/Introduction

Overview

This guide provides a step-by-step walkthrough for deploying a secure, TLS-enabled MinIO object storage lab and configuring Greenplum Platform Extension Framework (PXF) to communicate with it.

By default, the Java S3A client used by PXF will reject self-signed certificates. This lab demonstrates how to generate a self-signed certificate, enable HTTPS on MinIO, and import the certificate into the Greenplum Java Truststore to establish a successful secure connection.

Prerequisites & Lab Environment

  • Storage Node (minio-server): Hosts the MinIO server and MinIO client (mc).

  • Database Node (gpdb-host): Hosts Greenplum 6 and the PXF service.

  • Network: The gpdb-host must be able to reach the minio-server on port 9000.

Resolution

Phase 1: Set Up MinIO with TLS on the MinIO Server

Perform these steps on the minio-server as the root user.

1. Download MinIO Binaries

MinIO can be run as a standalone binary without needing Docker.

wget https://dl.min.io/server/minio/release/linux-amd64/minio
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x minio mc

2. Generate the Self-Signed Certificate

MinIO automatically looks for TLS certificates in the ~/.minio/certs directory. If valid certificates are present, MinIO starts in HTTPS mode automatically.

Note: It is critical that the Common Name (CN) matches the exact hostname or IP address that PXF will use to connect.

mkdir -p /root/.minio/certs

# Generate the private key and public certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /root/.minio/certs/private.key \
  -out /root/.minio/certs/public.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=minio-server"

3. Start the MinIO Server

Start the server in the background. It will automatically detect the certificates and bind to HTTPS.

mkdir -p /tmp/minio-data
export MINIO_ROOT_USER="admin"
export MINIO_ROOT_PASSWORD="password123"

nohup ./minio server /tmp/minio-data --address ":9000" --console-address ":9001" > minio.log 2>&1 &

Verify it is running in HTTPS mode: curl -vk https://minio-server:9000/minio/health/live

4. Create Test Data using MinIO Client (mc)

# Configure the client to bypass TLS verification locally (--insecure)
./mc alias set myminio https://127.0.0.1:9000 admin password123 --insecure

# Create a bucket
./mc mb myminio/testbucket --insecure

# Create and upload a dummy CSV file
echo -e "1,alice\n2,bob" > /tmp/test.csv
./mc cp /tmp/test.csv myminio/testbucket/ --insecure

Phase 2: Configure PXF and Java Truststore on the GPDB Host

Perform these steps on the gpdb-host server.

1. Fetch the Certificate from MinIO

Pull the public certificate directly from the MinIO server so Java can trust it.

openssl s_client -showcerts -connect minio-server:9000 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/minio-server.crt

2. Import Certificate into the Java Truststore

PXF relies on Java. You must import the self-signed certificate into the JVM's cacerts file so PXF trusts the connection. Run this as root or using sudo.

# Find your JAVA_HOME path (e.g., /usr/lib/jvm/jre)
export JAVA_HOME=$(grep JAVA_HOME /usr/local/pxf-gp6/conf/pxf-env.sh | cut -d '=' -f 2)

# Import the certificate
sudo $JAVA_HOME/bin/keytool -import -alias minio-lab-cert \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -file /tmp/minio-server.crt \
  -storepass changeit -noprompt

3. Configure PXF s3-site.xml

Log in as the gpadmin user. Create or edit the PXF server configuration file.

mkdir -p $PXF_BASE/servers/miniolab
vi $PXF_BASE/servers/miniolab/s3-site.xml

Ensure the protocol is https, SSL is enabled, and the path-style access is true:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <property>
        <name>fs.s3a.endpoint</name>
        <value>https://minio-server:9000</value> 
    </property>
    <property>
        <name>fs.s3a.access.key</name>
        <value>admin</value>
    </property>
    <property>
        <name>fs.s3a.secret.key</name>
        <value>password123</value>
    </property>
    <property>
        <name>fs.s3a.path.style.access</name>
        <value>true</value>
    </property>
    <property>
        <name>fs.s3a.connection.ssl.enabled</name>
        <value>true</value> 
    </property>
</configuration>

4. Apply Configurations

Sync the new configuration and restart PXF to load the updated Java Truststore.

pxf cluster sync
pxf cluster restart

Phase 3: Verify the Connection in Greenplum

Log into the database on the gpdb-host to test the secure connection.

psql -d postgres
SQL
 
-- Ensure the PXF extension is created (run once per database)
CREATE EXTENSION IF NOT EXISTS pxf;

-- Create the external table pointing to the MinIO lab server
CREATE EXTERNAL TABLE minio_test_table (id int, name text)
LOCATION ('pxf://testbucket/test.csv?PROFILE=s3:text&SERVER=miniolab')
FORMAT 'TEXT' (delimiter ',');

-- Query the table
SELECT * FROM minio_test_table;

Expected Output:

 id | name  
----+-------
  1 | alice
  2 | bob
(2 rows)

If this succeeds, PXF is successfully decrypting the TLS traffic using the imported certificate.

Powered by Wolken Software