
Below are the implementation steps for integrating Knox with a load balancer, assuming the load balancer itself is already set up.

Sticky sessions should be enabled on the load balancer. In this setup the client's SSL/TLS connection terminates at the load balancer, which then re-encrypts the traffic over a new SSL/TLS connection to one of the Knox gateway instances. Clients therefore see the load balancer's certificate rather than the Knox gateway certificate, so it is the load balancer's certificate chain that clients must trust.

JKS file creation

  • Open the load balancer URL in the Internet Explorer browser
  • Example: https://hadoop-knox.dev.XXXXXX.com/
  • Click the lock symbol, click View certificates, then open the Certification Path tab
  • Choose the Root certificate, click View Certificate, Details, Copy to File, select "Base-64 encoded X.509 (.CER)" and save it as a .pem file
  • Choose the intermediate issuer CA, click View Certificate, Details, Copy to File, select "Base-64 encoded X.509 (.CER)" and save it as a .pem file
  • Choose the load balancer certificate, click Details, Copy to File, select "Base-64 encoded X.509 (.CER)" and save it as a .pem file

Copy these three files to the Knox edge node. In this example they are placed in a certfiles folder:

  • /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
  • /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
  • /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

Create the new JKS file as below. (The copied gateway.jks also contains the gateway's own private key; a client-side truststore needs only the CA certificates, so a freshly created keystore would do as well.)

cp /usr/hdp/current/knox-server/data/security/keystores/gateway.jks /tmp/knoxhacerts/dev-knox-test-1.jks

keytool -storepasswd -keystore /tmp/knoxhacerts/dev-knox-test-1.jks

Enter the current master secret as the existing keystore password, then enter the new password when prompted.

Import all the PEM-encoded files into this JKS file (keytool prompts for the new keystore password and may ask you to confirm trust for each certificate):
keytool -import -alias rootca-lb -keystore /tmp/knoxhacerts/dev-knox-test-1.jks -file /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
keytool -import -alias intca-lb -keystore /tmp/knoxhacerts/dev-knox-test-1.jks -file /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
keytool -import -alias dev-lb -keystore /tmp/knoxhacerts/dev-knox-test-1.jks -file /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

CA certificate chain for ODBC:

Concatenate the contents of the files below, with cat or a text editor, into one merged chain file (merge-cacertchain.crt):

  • /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
  • /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
  • /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem
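The JKS creation and the ODBC chain merge above can be scripted instead of clicking through the IE export wizard. The script below is an added example, not code from the original article: it fetches the chain the load balancer presents with openssl, splits it into one PEM file per certificate, builds a separate truststore containing only the CA certificates (not a copy of gateway.jks, and without the leaf certificate, so renewal of the load balancer certificate does not break clients), and concatenates the chain for ODBC. The hostname hadoop-knox.dev.XXXXXX.com, the /tmp/knoxhacerts paths and the truststore password are placeholders taken from or assumed for this article; run without arguments it exercises the split and merge on a constructed bundle so it works offline.

```shell
#!/bin/sh
# Added example, not code from the original article: fetch the load balancer's
# certificate chain with openssl instead of the IE export wizard, split it into
# one PEM file per certificate, build a separate truststore holding only the CA
# certificates, and merge the chain into one CA bundle for ODBC.
# Hostname and paths below are placeholders taken from the article.

LB_HOST="${LB_HOST:-hadoop-knox.dev.XXXXXX.com}"
LB_PORT="${LB_PORT:-443}"
WORKDIR="${WORKDIR:-/tmp/knoxhacerts/new/certfiles}"
TRUSTSTORE="${TRUSTSTORE:-/tmp/knoxhacerts/dev-knox-test-1.jks}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# Print every certificate the load balancer presents, leaf first.  Servers
# usually do not send the root CA; take that from the CA's distribution point.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Split a PEM bundle on stdin into $1/cert-1.pem, $1/cert-2.pem, ... and
# print how many certificates were found.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Build a fresh JKS truststore from CA certificates only.  The leaf (load
# balancer) certificate is deliberately left out: trusting the issuing CA
# survives certificate renewal, pinning the leaf does not.
build_truststore() {
    store="$1"; storepass="$2"; shift 2
    rm -f "$store"
    for pem in "$@"; do
        keytool -importcert -noprompt -trustcacerts \
            -alias "$(basename "$pem" .pem)" -file "$pem" \
            -keystore "$store" -storepass "$storepass" -storetype JKS
    done
    keytool -list -keystore "$store" -storepass "$storepass"
}

# Concatenate PEM files into one bundle for ODBC drivers that take a CA file,
# and print the number of certificates in the result.
merge_chain() {
    out="$1"; shift
    cat "$@" > "$out"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Offline demonstration on a constructed three-certificate bundle so the script
# runs without network access.  The bodies are placeholders, not real certs.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderLEAF' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderINTERMEDIATE' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderROOT' '-----END CERTIFICATE-----' \
        > "$tmp/bundle.pem"
    echo "split: $(split_chain "$tmp/split" < "$tmp/bundle.pem") certificates"
    echo "merged: $(merge_chain "$tmp/merge-cacertchain.crt" "$tmp"/split/cert-*.pem) certificates"
    rm -rf "$tmp"
}

# Live run against the load balancer:  sh knox-lb-chain.sh live
if [ "$1" = live ]; then
    n=$(fetch_chain "$LB_HOST" "$LB_PORT" | split_chain "$WORKDIR")
    echo "wrote $n certificates to $WORKDIR (cert-1.pem is the leaf)"
    # Trust only the CA certificates that follow the leaf; add the root CA file
    # here yourself if the server did not send it.
    i=2; cas=""
    while [ "$i" -le "$n" ]; do cas="$cas $WORKDIR/cert-$i.pem"; i=$((i + 1)); done
    build_truststore "$TRUSTSTORE" "$TRUSTSTORE_PASS" $cas
    merge_chain "$WORKDIR/merge-cacertchain.crt" "$WORKDIR"/cert-*.pem
else
    demo
fi
```

In live mode the truststore ends up with one alias per CA file, which is what keytool -list should show before the SSLPoke check; if the load balancer only sends its own certificate, the chain split yields a single file and the root and intermediate must be added to the build_truststore call by hand, exactly as the IE export above does from the Windows certificate store.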

Verification step:

Use SSLPoke to verify connectivity.

SSLPoke is a small Java class that checks whether your truststore contains the right certificates: it connects to an SSL service, sends a byte of input, and watches the output.

Download SSLPoke.class (https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class)

If you download the source (SSLPoke.java) instead of the compiled class, compile it first:

javac SSLPoke.java

Run the class as below, changing the host and port appropriately and pointing Java at the truststore created above with -Djavax.net.ssl.trustStore (see the happy path below):
<JAVA_HOME>/bin/java SSLPoke jira.example.com 443

Failed scenario:

A failed connection produces output like the following:

/usr/bin/java SSLPoke jira.example.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Happy path:

devenap02.dev.abc.net# java -Djavax.net.ssl.trustStore=/tmp/knoxhacerts/dev-knox-test-1.jks SSLPoke hadoop-knox.dev.XXXXXX.com 443

Successfully connected

Note that SSLPoke only checks that the chain presented by the load balancer is trusted by the truststore; it does not verify that the certificate matches the hostname, so a load balancer serving a certificate for the wrong name still reports "Successfully connected".
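To cover what SSLPoke leaves out, the following added example (not part of the original article or of Atlassian's SSLPoke) checks the load balancer endpoint the way a real client does: it lists what the truststore actually contains, verifies the presented chain against the merged CA bundle with openssl s_client, and also verifies the hostname with -verify_hostname, then runs SSLPoke against the same truststore. The hostname, port, paths and truststore password are placeholders taken from or assumed for this article. The verify_status function interprets the "Verify return code" line of s_client output and is exercised offline on constructed output when the script is run without arguments.

```shell
#!/bin/sh
# Added example, not from the original article or Atlassian's SSLPoke: verify
# the load balancer endpoint the way a client will use it.  SSLPoke only proves
# the chain is trusted; it never checks that the certificate matches the host
# name, so this script adds that check via openssl s_client -verify_hostname.
# Hostname, port and paths are placeholders taken from the article.

LB_HOST="${LB_HOST:-hadoop-knox.dev.XXXXXX.com}"
LB_PORT="${LB_PORT:-443}"
CA_BUNDLE="${CA_BUNDLE:-/tmp/knoxhacerts/new/certfiles/merge-cacertchain.crt}"
TRUSTSTORE="${TRUSTSTORE:-/tmp/knoxhacerts/dev-knox-test-1.jks}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# Interpret captured "openssl s_client" output.  Returns 0 when chain and host
# name verified, 1 when the handshake ran but verification failed, 2 when no
# verify line is present at all (connection refused, non-TLS port, ...).
verify_status() {
    line=$(printf '%s\n' "$1" | sed -n '/Verify return code:/{s/^ *//;p;q;}')
    case "$line" in
        "")                        echo "no TLS handshake completed"; return 2 ;;
        "Verify return code: 0 "*) echo "OK: $line"; return 0 ;;
        *)                         echo "FAILED: $line"; return 1 ;;
    esac
}

# Connect as a client would: SNI set, chain checked against CA_BUNDLE, and the
# certificate's SAN/CN checked against the host name we connected to.
verify_lb_tls() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" \
              -verify_hostname "$1" -CAfile "$3" </dev/null 2>&1)
    verify_status "$out"
}

# List what the truststore really holds; a missing CA alias here is the usual
# cause of "PKIX path building failed".
list_truststore() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null |
        grep -E '^(Alias name|Owner|Issuer|Valid from)'
}

# SSLPoke against the same truststore (still no host-name check).
run_sslpoke() {
    java -Djavax.net.ssl.trustStore="$1" SSLPoke "$2" "$3"
}

if [ "$1" = live ]; then
    list_truststore "$TRUSTSTORE" "$TRUSTSTORE_PASS"
    verify_lb_tls "$LB_HOST" "$LB_PORT" "$CA_BUNDLE"
    run_sslpoke "$TRUSTSTORE" "$LB_HOST" "$LB_PORT"
else
    # Offline demonstration on constructed s_client output (not captured from a
    # real server): the verify lines a practitioner meets in each scenario.
    verify_status "    Verify return code: 0 (ok)"
    verify_status "    Verify return code: 21 (unable to verify the first certificate)" || true
    verify_status "    Verify return code: 62 (hostname mismatch)" || true
    verify_status "" || true
fi
```

Run it as "sh knox-lb-verify.sh live" on the Knox edge node after building the truststore and CA bundle; a "hostname mismatch" result with SSLPoke still reporting "Successfully connected" is exactly the gap between the two checks.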

Please upvote if this article helps.

Comments

Hi Avoma,

We are trying to set up a load balancer for Knox in our dev Hortonworks Kerberized cluster. We tried with the single-instance Knox URL and we are able to access Hive schemas via the Knox gateway URL using beeline. Now we are trying to set up an LB for Knox.

In the steps you have given above, "Click on lock symbol click on view certificates and Certificate path", we are able to view the certificate of 'UserTrusted', not root. Are we doing anything wrong? Or do we need some server-level setup?

Some more details about our cluster :

Kerberized - Installed Knox on 2 nodes

Please guide us. Thanks for your help!

regards

Ashokkumar.R


Hi Avoma,

Does it mean that we need to disable SSL in Knox? Is it an HTTP connection between the load balancer and the Knox gateway?

Thanks,

Balu Rajendran

Last update: 04-27-2017 06:49 PM