Installation prerequisites

Please follow the steps below:

  1. Review the Requirements and compatibility to confirm that this configuration is appropriate for your organization.

  2. Prepare a single computer that satisfies the Requirements and compatibility for Querona.

  3. Obtain the installation package and copy the installer binaries into a selected folder on the target computer or an accessible network share.

  4. Obtain the license (XML). If the license is not provided in the post-installation steps, only the Administrative Portal will be functional. No SQL Client connections can be made until a valid license is provided.

  5. If SSL/TLS communication is required for either Web or TDS, the server computer must have a certificate provisioned. To provision the certificate on the server computer, you import it into Windows. The client machine must be set up to trust the certificate’s root authority. For more information, see Prerequisites for encrypted connections below.

  6. Decide whether to use the built-in engines (SQLite and Derby) recommended for evaluation and small deployments OR set up a supported version of SQL Server to host Querona and Apache Spark metabases.

  7. If you’re upgrading, ensure you have a recent, readable backup of all existing metabases.

If all prerequisites are met, proceed with Install Querona.

Prerequisites for encrypted connections

Querona uses the same certificate for Web and TDS connections. During installation, you can select the certificate to use, and the installer will configure the necessary permissions, such as granting permission to read the private key.

About certificates

The certificate must be issued for Server Authentication. The name of the certificate must be the fully qualified domain name (FQDN) of the computer along with all of the alternative names.

To install a certificate for use by Querona, you must run the Certificates MMC snap-in with an account that has local administrator privileges, connected to the Local Machine certificate store.

The client must be able to verify the ownership of the certificate used by the server. If the client has the public key certificate of the certification authority that signed the server certificate, no further configuration is necessary. Microsoft Windows includes the public key certificates of many certification authorities.

If the server certificate was signed by a public or private certification authority for which you do not have the public key certificate, you must install the public key certificate of the certification authority that signed the server certificate.

Certificate requirements

For Querona to successfully load a certificate, the certificate must meet the following requirements:

  • The certificate must be in the Local Computer certificate store.

  • The Service Account must have the necessary permission to access the certificate (the Querona installer will try to handle that during installation).

  • The current system time must be after the Valid from property of the certificate and before the Valid to property of the certificate.

  • The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).

  • The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate’s key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).

  • The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer. When using the host name, the DNS suffix must be specified in the certificate.
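
The requirements above can be checked from an elevated PowerShell session before running the installer. The script below is an added example, not part of Querona or its installer; `Test-ServerCertificate` is a hypothetical helper name. It reports the store, private key, validity, EKU, key usage and subject-name requirements for every certificate in the Local Computer personal store.

```powershell
# Added example: report how each certificate in LocalMachine\My measures up
# against the requirements listed above.
# Test-ServerCertificate is a hypothetical helper, not a Querona or Windows cmdlet.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$ExpectedNames
    )
    $now = Get-Date
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    # Collect the OIDs from the Enhanced Key Usage extension, if one is present
    $ekuOids = foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $keyUsage = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    # Common name (CN) taken from the Subject property
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Thumbprint      = $Certificate.Thumbprint
        Subject         = $Certificate.Subject
        HasPrivateKey   = $Certificate.HasPrivateKey
        WithinValidity  = ($now -gt $Certificate.NotBefore) -and ($now -lt $Certificate.NotAfter)
        ServerAuthEku   = $ekuOids -contains $serverAuthOid
        # Key encipherment is usual rather than mandatory, so treat False as a hint
        KeyEncipherment = ($null -ne $keyUsage) -and
                          $keyUsage.KeyUsages.HasFlag(
                              [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        CnMatchesHost   = $ExpectedNames -contains $cn   # case-insensitive match
    }
}

# Accept either the host name or the FQDN as the certificate's common name
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Certificate $_ -ExpectedNames $env:COMPUTERNAME, $fqdn } |
    Format-Table -AutoSize
```

A certificate is a candidate when `HasPrivateKey`, `WithinValidity`, `ServerAuthEku` and `CnMatchesHost` are all True.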

Note

For production environments, we recommend obtaining a certificate from a Certificate Authority trusted in your organization.

A self-signed certificate may be useful for evaluation and testing. If you decide to use a self-signed certificate, you have to establish trust by adding it to the Trusted Root Certificates on a server.

To generate a self-signed certificate, you may use the following PowerShell script:

# Resolve this computer's fully qualified domain name (FQDN) for the DNS name entry
$dnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Create the certificate in the Local Machine personal store (requires an elevated session)
New-SelfSignedCertificate -Type SSLServerAuthentication `
   -Subject "CN=$env:COMPUTERNAME" -FriendlyName 'Self-signed test cert' `
   -DnsName "$dnsName",'localhost' `
   -KeyAlgorithm "RSA" -KeyLength 2048 -HashAlgorithm "SHA256" `
   -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
   -NotAfter (Get-Date).AddMonths(36) `
   -KeySpec KeyExchange `
   -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
   -CertStoreLocation "cert:\LocalMachine\My"

Install certificate on a server

Follow these steps:

  1. On the Start menu, click Run, and in the Open box, type Manage Computer Certificates and click OK. Alternatively, you can add the required snap-in manually:

    1. On the Start menu, click Run, and in the Open box, type MMC and click OK.

    2. In the MMC console, on the File menu, click Add/Remove Snap-in.

    3. In the Add/Remove Snap-in dialog box, click Add.

    4. In the Add Standalone Snap-in dialog box, click Certificates, click Add.

    5. In the Certificates snap-in dialog box, click Computer account, and then click Finish.

    6. In the Add Standalone Snap-in dialog box, click Close.

    7. In the Add/Remove Snap-in dialog box, click OK.

  2. In the Certificates snap-in, expand Certificates, expand Personal, and then right-click Certificates, point to All Tasks, and then click Import.

  3. Complete the Certificate Import Wizard and close the MMC console.

Internet Protocol Security (IPSec)

Data transferred to and from Querona can be encrypted during transmission by using IPSec. IPSec is provided by the client and server operating systems and requires no Querona configuration. For information about IPSec, see your OS or networking documentation.