question Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster? in Support Questions

Where to add keystore file for mutual authentication enabled for Knox service on cluster?

sshelgao — Mon, 11 Jun 2018 20:24:10 GMT

Hi, I have added Knox service to the cluster and enabled the ssl .Now I want to enable mutual auth. I have followed the steps from https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/setting_up_2-way_ssl_authentication.html. Where I have created gateway.jks (using cd $gateway bin/knoxcli.cmd create-cert --hostname $gateway-hostname command) and given truststore file path of the same in gateway-site.xml.

Now I want to know where to provide keystore file path for client side authentication when I put "gateway.client.auth.needed = true" in gateway-site.xml file.

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?

falbani — Mon, 11 Jun 2018 20:37:11 GMT

@Snehal S Keystore file path is already set to gateway.jks by default and you should not change this. Once you perform the configuration mentioned on the link you shared you need to import the

1. client public certificate to the knox truststore (on knox server machine)

2. the knox public certificate to the client truststore (on client server machine)

After 1 and 2 and if proper configuration was done this should work.

HTH

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?

sshelgao — Thu, 14 Jun 2018 19:38:21 GMT

Thank you @Felix Albani for help. Sorry for delayed response.
It saved my time and worked when I imported public certs of respective machines.

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?

falbani — Thu, 14 Jun 2018 20:09:02 GMT

@Snehal Shelgaonkar I'm glad to hear this worked for you. Please take a moment to login and click the "accept" link on the answer.

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?

sshelgao — Fri, 22 Jun 2018 14:02:58 GMT

Hi @Felix Albani,

The above issue is solved. Now we are facing strange thing, we have created a new user say snehal, created snehal@EXAMPLE.COM principal and snehal.keytab with this principal. And added "hadoop.proxyuser.snehal.groups=* , ,hadoop.proxyuser.snehal.hosts=* " properties in HDFS->config->custome-core site.

same way added property for webhcat also.

Now i am hitting > GET https://host:8443/gateway/default/webhdfs/v1/?op=GETHOMEDIRECTORY&user.name=snehal

I am getting

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}} Non activated Name node :https://host:8443/gateway/default, Error Message: 403#@_#{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}}

Tried many ways like, adding the user snehal in supergroup, also did "kdestroy -> kinit with snehal keytab and principal" many times with different users also, Restarted ambari-server. But no luck.

Thanks,

Snehal