question Re: Do we need to add Knox self-signed cert into Ranger keystore? in Archives of Support Questions (Read Only)

Do we need to add Knox self-signed cert into Ranger keystore?

hfaouaz — Fri, 06 Nov 2015 04:30:49 GMT

It seem that invoking the test from the KNox repository in Ranger failes due to miss path to the cert.

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Re: Do we need to add Knox self-signed cert into Ranger keystore?

rmani — Fri, 06 Nov 2015 04:44:44 GMT

Yes that is right , you need to add self-signed cert into Ranger keystore for Test connection and lookup functionality to work

Re: Do we need to add Knox self-signed cert into Ranger keystore?

rmani — Fri, 06 Nov 2015 05:33:35 GMT

In HDP 2.3 you can do the following for it

cd $GATEWAY_HOME/data/security/keystores 

keytool -exportcert -alias gateway-identity -keystore gateway.jks -file knox.crt

no password

Copy knox.crt file onto machine running Ranger admin to a working directory, /usr/hdp/current/ranger-admin/

cd /usr/hdp/current/ranger-admin
cp /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64/jre/lib/security/cacerts cacertswithknox
keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacertswithknox

password: changeit

cd /usr/hdp/current/ranger-admin/ews

Add following to /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

-Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-admin/cacertswithknox

start() {
        java -Dproc_rangeradmin ${JAVA_OPTS} -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &

        echo "Apache Ranger Admin has started."
}

restart ranger-admin

Re: Do we need to add Knox self-signed cert into Ranger keystore?

hfaouaz — Fri, 06 Nov 2015 05:46:11 GMT

thanks @rmani@hortonworks.com

Re: Do we need to add Knox self-signed cert into Ranger keystore?

VR46 — Fri, 13 May 2016 14:16:38 GMT

Thanks @Ramesh Mani

Re: Do we need to add Knox self-signed cert into Ranger keystore?

pagrawa — Tue, 30 Aug 2016 10:42:31 GMT

if above steps don't work then please add/update the value of property 'ranger.truststore.file' and 'ranger.truststore.password' in the ranger-admin module according to your environment :

According to steps mentioned above sample value would be :

ranger.truststore.file=/usr/hdp/current/ranger-admin/cacertswithknox
ranger.truststore.password=changeit