You can set up encryption for the passwords stored in the Ambari properties file by running the following command on the Ambari server host:
ambari-server setup-security
This creates two files under /var/lib/ambari-server/keys:
1. credentials.jceks
2. master
This article explains how to change the alias passwords stored in credentials.jceks without resetting encryption.
Step 1: Take a backup of existing files
cd /var/lib/ambari-server/keys
cp master master.old
cp credentials.jceks credentials.old.jceks
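If your cluster has JDK 1.8.xx installed, follow the procedure below: list the aliases in the keystore, delete the alias whose password you want to change, re-import it with the new password, and list the keystore again to verify.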
<JDK_HOME>/bin/keytool -list -v -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
<JDK_HOME>/bin/keytool -delete -alias ambari.ldap.manager.password -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
<JDK_HOME>/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
Enter the password to be stored:
Re-enter password:
Enter key password for <ambari.ldap.manager.password>
(RETURN if same as keystore password): ----> Hit enter
<JDK_HOME>/bin/keytool -list -v -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
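Between the -delete and -importpass commands above, the alias does not exist in the keystore, so a failed import has to be undone from the Step 1 backup. The wrapper below is an added example, not part of the original article: it runs the same keytool steps and restores credentials.jceks if any of them fails. The names rotate_alias, KEYTOOL, KEYS_DIR and the JDK_HOME environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: rotate_alias,
# KEYTOOL, KEYS_DIR, and a JDK_HOME environment variable.
KEYTOOL="${KEYTOOL:-${JDK_HOME:-/usr}/bin/keytool}"
KEYS_DIR="${KEYS_DIR:-/var/lib/ambari-server/keys}"

rotate_alias() {
    alias_name="$1"
    store="$KEYS_DIR/credentials.jceks"
    backup="$KEYS_DIR/credentials.old.jceks"

    [ -n "$alias_name" ] || { echo "usage: rotate_alias <alias>" >&2; return 2; }
    [ -f "$store" ] || { echo "missing $store" >&2; return 1; }

    # Step 1: back up both files. cp -p keeps mode and timestamps, so the
    # copies (which hold the same secrets) stay as restricted as the originals.
    cp -p "$KEYS_DIR/master" "$KEYS_DIR/master.old" || return 1
    cp -p "$store" "$backup" || return 1

    # Guard against a mistyped alias before anything is deleted.
    # keytool prompts for the keystore password itself; it is never put on
    # the command line, where it would show up in the process list.
    if ! "$KEYTOOL" -list -alias "$alias_name" -keystore "$store" -storetype JCEKS; then
        echo "cannot list $alias_name (wrong password or no such alias); store unchanged" >&2
        return 1
    fi

    # Delete, re-import with the new password, then confirm the alias exists.
    if "$KEYTOOL" -delete -alias "$alias_name" -keystore "$store" -storetype JCEKS &&
       "$KEYTOOL" -importpass -alias "$alias_name" -keystore "$store" -storetype JCEKS &&
       "$KEYTOOL" -list -alias "$alias_name" -keystore "$store" -storetype JCEKS
    then
        echo "rotated $alias_name in $store"
        return 0
    fi

    # Any failure after the delete leaves the alias missing: restore the backup.
    cp -p "$backup" "$store"
    echo "rotation failed; restored $store from $backup" >&2
    return 1
}

# Run directly: sh rotate_alias.sh ambari.ldap.manager.password
if [ "$#" -gt 0 ]; then rotate_alias "$@"; fi
```

keytool asks for the keystore password at each step, exactly as in the manual procedure.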
If your cluster is still using JDK 1.7.xx, you can use knoxcli.sh to change the passwords as shown below: