Community Articles

Find and share helpful community-sourced technical articles.
Celebrating as our community reaches 100,000 members! Thank you!
Labels (1)
Expert Contributor

I have provided below the implementation steps for integrating KNOX with Loadbalancer assuming once your Loadbalancer is ready.

SSL connection should terminate on Knox servers at Loadbalancer side Sticky session should be enabled. Currently the SSL connection terminates at load balancer side and internally it encrypts and loops through one of the KNOX channels.

JKS file creation

  • OPEN in IE browser the load balancer URL
  • Example:-
  • Click on lock symbol click on view certificates and Certificate path
choose Root click on view certificate--details--copytofile--base 509 format --save as .pem file
choose intermediateIssuer CA click on view certificate--details--copytofile--base 509 format --save as .pem file
choose loadbalncercert and  click on details--copytofile--base 509 format --save as .pem file

copy these 3 files into knox edge node.

I have copied to certfiles folder

  • /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
  • /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
  • /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

create new JKS file as below

cp /usr/hdp/current/knox-server/data/security/keystores/gateway.jks /tmp/knoxhacerts/dev-knox-test-1.jks

keytool -storepasswd -keystore /tmp/knoxhacerts/dev-knox-test-1.jks

enter current master secret password then change the password by using new password.

Import all the PEM encoded files to these JKS file.
keytool -import -alias rootca-lb -keystore dev-knox-test-1.jks -file  /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
keytool -import -alias intca-lb -keystore dev-knox-test-1.jks -file  /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
keytool -import -alias dev-lb -keystore dev-knox-test-1.jks -file  /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

Ca-cert chain for ODBC:

Copy the contents of all below files by opening in a notepad editor to one merge-chainfile(merge-cacertchain.crt) by

  • /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
  • /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
  • /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

Verification Step:

Use SSLPoke to verify connectivity.

Try the Java class SSLPoke to see if your truststore contains the right certificates. This will let you connect to a SSL service, send a byte of input, and watch the output.

Download SSLPoke.class (



Execute the class as per the below,

 changing the URL and port appropriately.
<JAVA_HOME>/bin/java SSLPoke 443

Failed Scenario:

A failed connection would produce the below: 1 /usr/bin/java SSLPoke 443 2 PKIX path building failed: unable to find valid certification path to requested target

HAPPY Path: java SSLPoke 443 

Successfully connected

Pls upvote if this article helps.


Hi Avoma,

We are trying to setup Load Balancer for knox in our dev hortonworks kerberized cluster. We tried with the single instance knox url and we are able to access hive schemas via knox gateway url using beeline. Now when we are trying to setup LB for knox.

In the steps you have given above "Click on lock symbol click on view certificates and Certificate path" we are able to view certificate of 'UserTrusted' not root. Are we doing anything wrong? or we needs setup some server level setup?

Some more details about our cluster :

Kerberized - Installed Knox on 2 nodes

Pls guide us. Thanks for your help!



New Contributor

Hi Avoma,

Does it mean that we need to disable SSL in Knox? Is it a http connection between load balancer and Knox gateway?


Balu Rajendran

Version history
Last update:
‎04-27-2017 06:49 PM
Updated by: