Created on 10-05-2017 01:06 PM
Cloudbreak ships a mini KNOX gateway that is not managed by Ambari, so its TLS certificate has to be replaced by hand.
Below are the steps to replace the self-signed certificate with a CA-signed certificate.
Step 1: Remove the following two entries from /usr/hdp/current/knox-server/conf/gateway-site.xml and save the file.

    <property>
      <name>gateway.signing.keystore.name</name>
      <value>signing.jks</value>
    </property>
    <property>
      <name>gateway.signing.key.alias</name>
      <value>signing-identity</value>
    </property>
Step 2: Take a backup of the original keystore and credential store:

    [~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
    [~]$ mkdir backup
    [~]$ mv __gateway-credentials.jceks gateway.jks backup/
Step 3: Create a keystore in PKCS12 format from your private key file, server certificate, intermediate certificate and root certificate. openssl pkcs12 honours only one -certfile option (the last one given), so concatenate the intermediate and root CA certificates (PEM) into a single chain file first:

    [~]$ cat <root_intermediate>.cer <root_ca>.cer > ca_chain.cer
    [~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile ca_chain.cer
Step 4: Regenerate the master key. Use the same password for the master key and the keystore (referred to as <knox-master-secret> below). The ls is only there to confirm the old master file is gone before the new one is created:

    # rm -rf /usr/hdp/current/knox-server/data/security/master
    # ls -l /usr/hdp/current/knox-server/data/security/master
    # /usr/hdp/current/knox-server/bin/knoxcli.sh create-master
Step 5: Generate the Knox keystore by importing the PKCS12 file into a JKS keystore named gateway.jks, protected with the master secret:

    [~]$ cp corp_cert_chain.pfx /usr/hdp/current/knox-server/data/security/keystores/
    [~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
    [~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -destkeypass <knox-master-secret>
Step 6: Rename the key alias in the keystore. The PKCS12 import gives the entry the default alias "1"; Knox expects it to be called gateway-identity. The key and store passwords are the ones set in Step 5:

    [~]$ keytool -changealias -alias "1" -destalias "gateway-identity" -keypass <knox-master-secret> -keystore gateway.jks -storepass <knox-master-secret>
Step 7: Store the key passphrase in the Knox credential store (the jceks file) under the alias Knox looks up:

    [~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>
Step 8: Restart Knox. You should see the highlighted lines below in your Knox gateway log:

    [~]$ tail -f /var/log/knox/gateway.log
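A post-change verification script for the procedure above, added here as an example and not part of the original article. It assumes the paths and alias names used in the steps, that keytool and openssl are on the PATH, and that the gateway listens on localhost:8443 (the Knox default; adjust if Cloudbreak configured a different port).

```shell
#!/usr/bin/env bash
# Verifies the three things that most often go wrong after the cert swap:
# leftover signing properties, the wrong key alias, and Knox still serving
# the old self-signed certificate. Added example, not from the article.
KNOX_HOME=${KNOX_HOME:-/usr/hdp/current/knox-server}
CONF="$KNOX_HOME/conf/gateway-site.xml"
KEYSTORE="$KNOX_HOME/data/security/keystores/gateway.jks"

# Step 1 check: if either gateway.signing.* property is still present, Knox
# looks for signing.jks / signing-identity that no longer exist.
# Prints the leftover property names; returns 0 only when none remain.
signing_props_remaining() {
  conf=$1
  leftover=$(grep -oE 'gateway\.signing\.(keystore\.name|key\.alias)' "$conf" | sort -u)
  [ -z "$leftover" ] && return 0
  echo "$leftover"
  return 1
}

# Step 6 check: keytool exits non-zero when the alias is not in the store,
# so gateway-identity must be present and the default alias "1" absent.
alias_present() {
  keytool -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# Step 8 check: compare the SHA-256 fingerprint of the leaf certificate the
# gateway actually serves with the CA-signed certificate file you imported.
served_cert_matches() {
  host=$1; port=$2; cert_file=$3
  served=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  expected=$(openssl x509 -in "$cert_file" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$expected" ]
}

# Usage: verify_knox_cert.sh <knox-master-secret> <cert.cer> [host] [port]
main() {
  master=$1; cert_file=$2; host=${3:-localhost}; port=${4:-8443}   # 8443 assumed
  signing_props_remaining "$CONF" || { echo "FAIL: signing properties still in gateway-site.xml"; exit 1; }
  alias_present gateway-identity "$KEYSTORE" "$master" || { echo "FAIL: alias gateway-identity missing"; exit 1; }
  alias_present 1 "$KEYSTORE" "$master" && { echo "FAIL: default alias 1 still present"; exit 1; }
  served_cert_matches "$host" "$port" "$cert_file" || { echo "FAIL: served cert differs from $cert_file"; exit 1; }
  echo "OK: Knox is serving the CA-signed certificate from $KEYSTORE"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```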