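# On the ambari-server host, back up the existing key material before anything is overwritten.
# The backup holds private keys, so the directory is created root-only (0700); -p makes the step re-runnable.
mkdir -p -m 0700 /root/ambari-ssl-backup
cp -r /var/lib/ambari-server/keys/. /root/ambari-ssl-backup/
# Navigate to the folder where all certificates are stored.
# CERT_DIR must be set by the operator; ":?" aborts with a message instead of silently cd'ing to $HOME
# (the original "cd <dir>" is a placeholder that bash would read as a stdin redirect).
cd "${CERT_DIR:?set CERT_DIR to the directory holding the certificates and keys}"
# Extract certificates from the p7b file.
# Option names use plain ASCII hyphens: the original used en-dashes (–), which openssl does not parse.
# If the .p7b is DER-encoded rather than PEM, add "-inform DER".
openssl pkcs7 -in ambari-server-host-cert.p7b -print_certs > ambari-server-host-name.crt
# The .crt above contains the full chain. Manual step (text editor): keep only the server (leaf)
# certificate in ambari-server-host-name.crt and move the intermediate/root certificates into ca.crt.
# Copy ca.crt, the server certificate and the server private key to the Ambari server keys directory.
cp ca.crt /var/lib/ambari-server/keys/
cp ambari-server-host-privateKey.key /var/lib/ambari-server/keys/
cp ambari-server-host-name.crt /var/lib/ambari-server/keys/
# Store the keystore password in a file (assuming it is 'changeit').
# The file is a secret: umask 077 creates it readable by the current user only.
( umask 077 && printf '%s\n' "changeit" > pass.txt )
# Generate the keystore for ambari-server (Ambari uses a PKCS#12 keystore).
# -passout reads the export password from pass.txt instead of prompting, so the keystore password
# is exactly the value that security.server.crt_pass_file points at later in this walkthrough.
openssl pkcs12 -export -out keystore.p12 -inkey ambari-server-host-privateKey.key -in ambari-server-host-name.crt -certfile ca.crt -passout file:pass.txt
# Verify the keystore. -storepass:file keeps the password out of argv (visible in ps and shell history).
/usr/jdk64/jdk1.8.0_77/bin/keytool -list -v -keystore keystore.p12 -storetype pkcs12 -storepass:file pass.txt
# Create a truststore holding the root/intermediate CA, the Ambari server certificate and every agent certificate.
# The truststore password is the same 'changeit' as the original, read from pass.txt for the same reason as above.
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ca.crt -keystore truststore.jks -storepass:file pass.txt -alias rootCA
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ambari-server-host-name.crt -keystore truststore.jks -storepass:file pass.txt -alias ambari-server
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ambari-agent-host2.crt -keystore truststore.jks -storepass:file pass.txt -alias ambari-agent-host2
# ... repeat the keytool -import line above for each remaining agent host certificate, each with a unique -alias.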
# Enable HTTPS for ambari-server (interactive; the session transcript follows).
# Answers given in the transcript: option 1, confirm HTTPS, then the paths of the certificate and
# private key copied to /var/lib/ambari-server/keys/ above. In this walkthrough those files are
# ambari-server-host-name.crt and ambari-server-host-privateKey.key; the transcript below used
# files named after the real host (hsynlhdps100.crt / hsynlhdps100.key).
# NOTE(review): the "SSL port [8443]" prompt is answered with "y" in the transcript, which looks
# like a typo — press Enter to keep 8443 or type a port number. Confirm against the tool's behaviour.
ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ? y
Enter path to Certificate: /var/lib/ambari-server/keys/hsynlhdps100.crt
Enter path to Private Key: /var/lib/ambari-server/keys/hsynlhdps100.key
Please enter password for Private Key: <hit enter if none>
Generating random password for HTTPS keystore...done.
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
# Configure the truststore for ambari-server (interactive; the transcript follows: option 4, type jks,
# path /var/lib/ambari-server/keys/truststore.jks, then the truststore password chosen above).
# This truststore would also contain certificates for AD server(s) in case of LDAPS between ambari-server and AD.
# NOTE(review): truststore.jks was generated in the certificate working directory above, not in
# /var/lib/ambari-server/keys/ — copy it there before this step so the path entered below exists.
ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file :/var/lib/ambari-server/keys/truststore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.
# Edit /etc/ambari-server/conf/ambari.properties, add below properties
# Turn on mutual TLS between server and agents; the agent log further down reports
# "Server require two-way SSL authentication" once this is in effect.
security.server.two_way_ssl=true
# Server certificate and private key file names, as copied to /var/lib/ambari-server/keys/ above.
security.server.cert_name=ambari-server-host-name.crt
security.server.key_name=ambari-server-host-privateKey.key
# PKCS#12 keystore generated with "openssl pkcs12 -export" above.
security.server.keystore_name=keystore.p12
security.server.keystore_type=PKCS12
# Truststore built with "keytool -import" above; the same file entered in setup-security option 4.
security.server.truststore_name=truststore.jks
security.server.truststore_type=JKS
# File holding the keystore password ('changeit' in this walkthrough). It is a secret: keep it
# readable by root only.
# NOTE(review): pass.txt, keystore.p12 and truststore.jks were created in the certificate working
# directory, not in /var/lib/ambari-server/keys/ — confirm they are placed where Ambari resolves
# these bare file names (the truststore path entered in setup-security above is
# /var/lib/ambari-server/keys/truststore.jks).
security.server.crt_pass_file=pass.txt
# Restart Ambari Server so the new ambari.properties values and key material are loaded.
ambari-server restart
# Since the certificates were already created, Ambari Server should not be creating any certificates of its own.
# Verify by inspecting /var/log/ambari-server/ambari-server.log: the CertificateManager lines below should
# report "Certificate exists:true". A "false" there would mean the provided files were not picked up —
# recheck the file names and the keys directory before going further.
xxxxxxxxxxxxxxxxxxx INFO [main] CertificateManager:68 - Initialization of root certificate
xxxxxxxxxxxxxxxxxxx INFO [main] CertificateManager:70 - Certificate exists:true
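### Repeat these steps on every host in the cluster, including the ambari-server host.
# Agent files are named after the host FQDN; resolve it once so all three file names agree.
# (The original wrapped `hostname –f` in backticks with an en-dash, which hostname does not parse.)
fqdn=$(hostname -f) || exit 1
# Extract the agent certificate from the p7b file (plain ASCII hyphens, see above).
# If the .p7b is DER-encoded rather than PEM, add "-inform DER".
# NOTE(review): if the agent .p7b also carries the CA chain, the .crt will contain it; the server-side
# step separated the chain into ca.crt — confirm whether the agent certificate needs the same treatment.
openssl pkcs7 -in ambari-agent-cert.p7b -print_certs > "${fqdn}.crt"
# Copy the agent certificate and private key; the key is stored as <fqdn>.key, as in the original step.
cp "${fqdn}.crt" /var/lib/ambari-agent/keys/
cp ambari-agent-privateKey.key "/var/lib/ambari-agent/keys/${fqdn}.key"
# NOTE(review): restrict the copied private key (e.g. chmod 600) once the agent's run-as user is confirmed
# to be its owner.
# Copy the CA certificate. This must be done manually: otherwise the agent copies over the server
# certificate instead of the CA certificate.
cp ca.crt /var/lib/ambari-agent/keys/
# Restart the Ambari agent so it picks up the new key material.
ambari-agent restart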
# Verify by inspecting logs in /var/log/ambari-agent/ambari-agent.log
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:49 - Server require two-way SSL authentication. Use it instead of one-way...
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:175 - Server certicate exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:183 - Agent key exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:191 - Agent certificate exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:93 - SSL Connect being called.. connecting to the server
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:77 - SSL connection established. Two-way SSL authentication completed successfully.
INFO XXXXXXXXXXXXXXXXXXXXXXX Controller.py:149 - Registration Successful (response id = 0)
INFO XXXXXXXXXXXXXXXXXXXXXXX Controller.py:153 - Got status commands on registration.