
We can configure the Zeppelin UI for access over SSL.


Step 1 : Create a keystore

For Self-Signed Certificate:




### Generate a keystore
# keytool -genkey -alias zeppelin -keyalg RSA -dname "CN=$HOSTNAME,OU=IT,O=HWX,L=Bangalore,S=KA,C=IN" -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -keysize 2048 -validity 365 -keypass hadoop -storepass hadoop 

### Export self-signed certificate to a pem file
# keytool -exportcert -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -alias zeppelin  -file zeppelin.pem -rfc




For CA-Signed Certificate:



### Get the certificate from your CA and create a PKCS12 keystore
# openssl pkcs12 -export -inkey zeppelin.key -in zeppelin.pem -certfile /path/to/ca/certificate/ca.pem -out zeppelin.pfx

### Convert pkcs12 keystore to jks keystore
# keytool -v -importkeystore -srckeystore zeppelin.pfx -srcstoretype PKCS12 -destkeystore /etc/zeppelin/conf/zeppelin-keystore.jks -deststoretype JKS -srcalias 1 -destalias $(hostname)

### Validate that the private key and certificate chain are present
# keytool -list -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -v




Step 2 : Import certificate(s) to a truststore




# keytool -import -file zeppelin.pem -alias zeppelin -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit




Note: For CA-signed certificates, import the certificate chain (CA and intermediate CA certificates) into the truststore using the command below:



# keytool -import -file <certificate> -alias <alias> -keystore $JAVA_HOME/jre/lib/security/cacerts




Step 3 : In Ambari, go to Zeppelin ---> Config ---> Advanced and make the following changes



zeppelin.ssl = true
zeppelin.ssl.client.auth = false
zeppelin.ssl.key.manager.password = hadoop
zeppelin.ssl.keystore.password = hadoop
zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks
zeppelin.ssl.keystore.type = JKS
zeppelin.ssl.truststore.password = changeit
zeppelin.ssl.truststore.path = /<JAVA-HOME-PATH>/jre/lib/security/cacerts
zeppelin.ssl.truststore.type = JKS



Step 4 : Restart the Zeppelin service and access the UI over https://<zeppelin_host>:9995
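
The Step 3 values reuse the passwords printed in this article and point the truststore at the JVM-wide cacerts file, which is fine for a walkthrough but worth catching before production. The following is an added example, not part of the original article or of Zeppelin or Ambari: a shell audit that flags those settings. The `key = value` input file, the function names and the finding labels are assumptions made for illustration.

```shell
# Added example (not from the article): audit the Step 3 values before production.
# Assumption: the settings are available as a file of "key = value" lines.

# get_prop FILE KEY: print KEY's trimmed value (key match is case-insensitive).
get_prop() {
    awk -v k="$2" '
        index($0, "=") == 0 { next }
        { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        tolower(key) == tolower(k) { print val; exit }' "$1"
}

# audit_zeppelin_ssl FILE: print one finding per line; return 1 if any were found.
audit_zeppelin_ssl() {
    f=$1; n=0
    finding() { echo "$1"; n=$((n + 1)); }
    [ "$(get_prop "$f" zeppelin.ssl)" = "true" ] || finding "SSL_DISABLED"
    # "hadoop" is printed in this article; "changeit" is the JDK cacerts default.
    for p in key.manager keystore truststore; do
        case "$(get_prop "$f" "zeppelin.ssl.$p.password")" in
            "")              finding "EMPTY_PASSWORD:$p" ;;
            hadoop|changeit) finding "PUBLISHED_PASSWORD:$p" ;;
        esac
    done
    # Anything imported into cacerts is trusted by every JVM using that default store.
    case "$(get_prop "$f" zeppelin.ssl.truststore.path)" in
        */lib/security/cacerts) finding "SHARED_JVM_TRUSTSTORE" ;;
    esac
    # The keystore holds the private key, so it should not be world-readable.
    ks=$(get_prop "$f" zeppelin.ssl.keystore.path)
    if [ -f "$ks" ] && [ -n "$(find "$ks" -perm -004)" ]; then
        finding "KEYSTORE_WORLD_READABLE"
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: the Step 3 values from the article.
sample_config() {
    cat <<'EOF'
zeppelin.ssl = true
zeppelin.ssl.key.manager.password = hadoop
zeppelin.ssl.keystore.password = hadoop
zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks
zeppelin.ssl.truststore.password = changeit
zeppelin.ssl.truststore.path = /<JAVA-HOME-PATH>/jre/lib/security/cacerts
EOF
}

# Demo run against the sample above.
tmp=$(mktemp) && sample_config > "$tmp" && { audit_zeppelin_ssl "$tmp" || true; }; rm -f "$tmp"
```

A clean result needs passwords of your own, a dedicated truststore file for Zeppelin, and a keystore readable only by the service account.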


Hi Rishi,

I have been trying to configure ssl using the above steps. I am getting an error on the 3rd step:-

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Enter keystore password:

keytool error: zeppelin.crt (No such file or directory)

I have noticed that in the 2nd step "zeppelin.csr" certificate has been created and in the 3rd step we are importing "zeppelin.crt". Do we need to perform any other steps before the 3rd step to convert the certificate from .csr to .crt?

Also, I tried creating the certificate name as ".crt" in 2nd step and importing it in the 3rd step as below, but getting a different error:-

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Enter keystore password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Could you please help?


Version history: Revision 4 of 4. Last update: 09-30-2020 11:46 AM