While enabling SSL for Ranger (I am writing for Ranger 0.4 from HDP2.2.4, configured by Ambari) I ran into issues loosing some days. The critical points are
verify that property "Common Name For Certificate" in Ranger policy definition AND in Plugin configuration is matching the DN of your used certificate
if you use HA enabled services like Namenode-HA, you have to use the same cert (at least) throughout both Namenodes to match the "Common Name for Certificate".
!! Do not use the servers FQDN for the DN property at certification creation time !!
This is the step-by-step instruction what I did to make it work. Please keep in mind that I will use ONE certificate throughout all nodes. If that does not match your security criteria, you have to adapt the steps accordingly
export Ranger-admin key to .cer file and distribute that throughout all cluster nodes
sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias ranger-admin -file ranger-admin-trust.cer
# copy the .cer to all the other hosts
ssh to one master, e.g. the active namenode
create certificate ( this will be used on all other hosts as well)
sudo /usr/java/jdk1.7.0_79/bin/keytool -genkey -noprompt -dname "CN=commonname, OU=test, O=test" -keyalg RSA -alias rangeragent -keystore ranger-agent-keystore.jks -validity 360 -keysize 2048 -storepass <password>
# keep the storepass in mind for configuring the plugins later on in Ambari
# important is the "commonname", you need this value in Ranger repository definition and in the Ranger plugin configuration
export that cert and disribute it to all nodes in the cluster
sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/hadoop/conf/ranger-agent-keystore.jks -alias rangeragent -file ranger-agent.cer
create a truststore ON ALL NODES for the ranger-admin cert (the one from step 2. )
sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore /etc/hadoop/conf/ranger-admin-truststore.jks -storepass <password>
# do this on all nodes where ranger plugins will become active
import the "client" cert (the one from step 4. ) on the ranger-admin node into the default java keystore "cacerts"
sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file ranger-agent.cer -alias rangeragent -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -storepass <cacerts-password>
Now that the underlying SSL stuff has been setup you can proceed configuring Ranger and the Ranger-plugins in Ambari by providing: