Community Articles

I have provided below the implementation steps for integrating KNOX with Loadbalancer assuming once your Loadbalancer is ready.

SSL connection should terminate on Knox servers at Loadbalancer side Sticky session should be enabled. Currently the SSL connection terminates at load balancer side and internally it encrypts and loops through one of the KNOX channels.

JKS file creation

• OPEN in IE browser the load balancer URL
• Example:-https://hadoop-knox.dev.XXXXXX.com/
• Click on lock symbol click on view certificates and Certificate path

choose Root click on view certificate--details--copytofile--base 509 format --save as .pem file
choose intermediateIssuer CA click on view certificate--details--copytofile--base 509 format --save as .pem file
choose loadbalncercert and  click on details--copytofile--base 509 format --save as .pem file

copy these 3 files into knox edge node.

I have copied to certfiles folder

• /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
• /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
• /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

create new JKS file as below

cp /usr/hdp/current/knox-server/data/security/keystores/gateway.jks /tmp/knoxhacerts/dev-knox-test-1.jks

keytool -storepasswd -keystore /tmp/knoxhacerts/dev-knox-test-1.jks

enter current master secret password then change the password by using new password.

Import all the PEM encoded files to these JKS file.
keytool -import -alias rootca-lb -keystore dev-knox-test-1.jks -file  /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
keytool -import -alias intca-lb -keystore dev-knox-test-1.jks -file  /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
keytool -import -alias dev-lb -keystore dev-knox-test-1.jks -file  /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

Ca-cert chain for ODBC:

Copy the contents of all below files by opening in a notepad editor to one merge-chainfile(merge-cacertchain.crt) by

• /tmp/knoxhacerts/new/certfiles/lb-rootca.pem
• /tmp/knoxhacerts/new/certfiles/lb-intermediate-issuer.pem
• /tmp/knoxhacerts/new/certfiles/hadoop-knox-dev-lb.pem

Verification Step:

Use SSLPoke to verify connectivity.

Try the Java class SSLPoke to see if your truststore contains the right certificates. This will let you connect to a SSL service, send a byte of input, and watch the output.

Download SSLPoke.class (https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class)

compile

javac SSLPoke.java

Execute the class as per the below,

 changing the URL and port appropriately.
<JAVA_HOME>/bin/java SSLPoke jira.example.com 443

Failed Scenario:

A failed connection would produce the below: 1 /usr/bin/java SSLPoke jira.example.com 443 2 sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

HAPPY Path:

devenap02.dev.abc.net# java -Djavax.net.ssl.trustStore=/tmp/knoxhacerts/new/dev-knox-test-1.jks SSLPoke  hadoop-knox.dev.XXXXXX.com 443 

Successfully connected

Pls upvote if this article helps.