
We can configure the Zeppelin UI for access over SSL.

Step 1 : Create a keystore

For Self-Signed Certificate:

### Generate a keystore
# keytool -genkey -alias zeppelin -keyalg RSA -dname "CN=$HOSTNAME,OU=IT,O=HWX,L=Bangalore,S=KA,C=IN" -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -keysize 2048 -validity 365 -keypass hadoop -storepass hadoop 

### Export self-signed certificate to a pem file
# keytool -exportcert -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -alias zeppelin -file zeppelin.pem -rfc

For CA-Signed Certificate:

### Get certificate from your CA and create a PKCS12 keystore
# openssl pkcs12 -export -inkey zeppelin.key -in zeppelin.pem -certfile /path/to/ca/certificate/ca.pem -out zeppelin.pfx

### Convert pkcs12 keystore to jks keystore
# keytool -v -importkeystore -srckeystore zeppelin.pfx -srcstoretype PKCS12 -destkeystore /etc/zeppelin/conf/zeppelin-keystore.jks -deststoretype JKS -srcalias 1 -destalias $(hostname)

### Validate that the private key and certificate chain are present
# keytool -list -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -v

Step 2 : Import certificate(s) to a truststore

# keytool -import -file zeppelin.pem -alias zeppelin -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Note: For CA-signed certificates, import the certificate chain (CA and intermediate CA certificates) into the truststore using the command below:

# keytool -import -file <certificate> -alias <alias> -keystore $JAVA_HOME/jre/lib/security/cacerts

Step 3 : In Ambari, go to Zeppelin ---> Config ---> Advanced and make the following changes

zeppelin.ssl = true
zeppelin.ssl.client.auth = false
zeppelin.ssl.key.manager.password = hadoop
zeppelin.ssl.keystore.password = hadoop
zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks
zeppelin.ssl.keystore.type = JKS
zeppelin.ssl.truststore.password = changeit
zeppelin.ssl.truststore.path = /<JAVA-HOME-PATH>/jre/lib/security/cacerts
zeppelin.ssl.truststore.type = JKS

Step 4 : Restart the Zeppelin service and access the Zeppelin UI at https://<zeppelin_host>:9995

Comments

Hi Rishi,

I have been trying to configure ssl using the above steps. I am getting an error on the 3rd step:-

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Enter keystore password:

keytool error: java.io.FileNotFoundException: zeppelin.crt (No such file or directory)

I have noticed that in the 2nd step "zeppelin.csr" certificate has been created and in the 3rd step we are importing "zeppelin.crt". Do we need to perform any other steps before the 3rd step to convert the certificate from .csr to .crt?

Also, I tried creating the certificate name as ".crt" in 2nd step and importing it in the 3rd step as below, but getting a different error:-

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Enter keystore password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Could you please help?

Thanks.
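
The second error quoted in the comment above, "Input not an X.509 certificate", is what keytool reports when the file given to -import does not parse as a certificate; a signing request is one such file. The following is an added example, not code from the article or from Cloudera, that checks a file's PEM labels before the Step 2 import. The function names and sample file names are assumptions, and the sample files are constructed placeholders, not real certificates.

```bash
# Added example (not from the article): pre-import check for `keytool -import` input.
# It classifies a file by its PEM armor labels only; it does not parse the DER inside.

# Print the distinct PEM block labels in a file, one per line (tolerates CRLF endings).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | sort -u
}

# Print a verdict; return 0 only when the file holds certificates and nothing else.
check_import_file() {
    local file="$1" labels count
    [ -r "$file" ] || { echo "missing: $file"; return 2; }
    labels=$(pem_labels "$file")
    case "$labels" in
        "")
            echo "no-pem-armor: $file (binary DER or not a certificate)"; return 1 ;;
        "CERTIFICATE")
            count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file")
            echo "ok: $file holds $count certificate(s)"; return 0 ;;
        *"PRIVATE KEY"*)
            echo "private-key: $file has key material, keep it out of truststores"; return 1 ;;
        *"CERTIFICATE REQUEST"*)
            echo "csr: $file is a signing request, not a signed certificate"; return 1 ;;
        *)
            echo "unexpected: $file has other PEM blocks"; return 1 ;;
    esac
}

# Emit one constructed PEM block; the body is base64 of the word CONSTRUCTED.
write_block() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }

# Write constructed sample files (hypothetical names) into the given directory.
make_samples() {
    local dir="$1"
    { write_block CERTIFICATE; write_block CERTIFICATE; } > "$dir/chain.pem"
    write_block "NEW CERTIFICATE REQUEST" > "$dir/zeppelin.csr"
    { write_block CERTIFICATE; write_block "PRIVATE KEY"; } > "$dir/bundle.pem"
}

# Demo: run the script with the argument `demo` to see verdicts for the samples.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_samples "$tmp"
    for f in chain.pem zeppelin.csr bundle.pem; do check_import_file "$tmp/$f" || true; done
    rm -rf "$tmp"
fi
```

A file that passes this check still has to be the certificate you expect; `keytool -import` prints its owner, issuer and fingerprints for review before asking whether to trust it.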

Version history: Revision 4 of 4. Last update: 09-30-2020 11:46 AM