Community Articles

gul_shad · ‎02-25-2018

We can configure the Zeppelin UI for access over SSL.

Step 1 : Create a keystore

For Self-Signed Certificate:

### Generate a keystore
# keytool -genkey -alias zeppelin -keyalg RSA -dname "CN=$HOSTNAME,OU=IT,O=HWX,L=Bangalore,S=KA,C=IN" -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -keysize 2048 -validity 365 -keypass hadoop -storepass hadoop 

### Export self-signed certificate to a pem file
# keytool -exportcert -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -alias zeppelin  -file zeppelin.pem -rfc

For CA-Signed Certificate:

### Get certificate from you CA and create a PKCS12 keystore
# openssl pkcs12 -export -inkey zeppelin.key -in zeppelin.pem -certfile /path/to/ca/certificate/ca.pem -out zeppelin.pfx

### Convert pkcs12 keystore to jks keystore
# keytool -v -importkeystore -srckeystore zeppelin.pfx -srcstoretype PKCS12 -destkeystore /etc/zeppelin/conf/zeppelin-keystore.jks -deststoretype JKS -srcalias 1 -destalias $(hostname)

### Validate whether Privatekey and cert chain is present
# keytool -list -keystore /etc/zeppelin/conf/zeppelin-keystore.jks -v

Step 2 : Import certificate(s) to a truststore

# keytool -import -file zeppelin.pem -alias zeppelin -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Note: For CA sign certificates, kindly import certificate chain (CA and IntermediateCA certificates) to truststore using below command

# keytool -import -file <certificate> -alias <alias> -keystore $JAVA_HOME/jre/lib/security/cacerts

Step 3 : In Ambari go to Zeppelin ---> Config ---> Advance make the following below changes

Zeppelin.ssl = true
Zeppelin.ssl.client.auth = false
Zeppelin.ssl.key.manager.password = hadoop
Zeppelin.ssl.keystore.password = hadoop
Zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks
Zeppelin.ssl.keystore.type = JKS
Zeppelin.ssl.truststore.password = changeit 
Zeppelin.ssl.truststore.path = /<JAVA-HOME-PATH>/jre/lib/security/cacerts
Zeppelin.ssl.truststore.type = JKS

Step 4 : Restart the zeppelin Service and access this over https://<zeppelin_host>:9995

Pankaj.1207 · ‎07-10-2018

Hi Rishi,

I have been trying to configure ssl using the above steps. I am getting an error on the 3rd step:-

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Enter keystore password:

keytool error: java.io.FileNotFoundException: zeppelin.crt (No such file or directory)

I have noticed that in the 2nd step "zeppelin.csr" certificate has been created and in the 3rd steps we are importing "zeppelin.crt". Do we need to perform any other steps before the 3rd step to convert the certificate from .csr to .crt?

Also, I tried creating the certificate name as ".crt" in 2nd step and importing it in the 3rd step as below, but getting a different error:-

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Enter keystore password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Could you please help

Thanks.

Cloudera Community

Community Articles

Configure SSL for Zeppelin UI

Apache Zeppelin

Re: Configure SSL for Zeppelin UI