Community Articles
Find and share helpful community-sourced technical articles

Cloudbreak contains mini KNOX which is not managed by Ambari.

Below are the steps to replace Self Signed Certificate with CA Signed Certificates

Step 1: Remove below two entries from /usr/hdp/current/knox-server/conf/gateway-site.xml and save it.



Step 2: Take a backup of original configuration:

[~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/

Step 3: Create a keystore in PKCS12 format from your private key file, certificate, Intermediate certificate and root certificate

[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer -certfile <root_ca>.cer

Step 4: Regenerate Master Key. Use the same password for master key and keystore.

# rm -rf /usr/hdp/current/knox-server/data/security/master 
# ls -l /usr/hdp/current/knox-server/data/security/master 
# /usr/hdp/current/knox-server/bin/ create-master

Step 5: Generate Knox keystore

[~]$ cp corp_cert_chain.pfx /usr/hdp/current/knox-server/data/security/keystores/
[~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
[~]$ keytool -importkeystore  -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore 
gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -destkeypass <knox-master-secret>

Step 6: Replace the alias of keystore

keytool -changealias -alias "1" -destalias "gateway-identity" -keypass keypass -keystore gateway.jks-storepass storepass

Step 7: Store the keystore password in jceks file

[~]$ /usr/hdp/current/knox-server/bin/ create-alias gateway-identity-passphrase
--value <knox-master-secret>

Step 8: Restart Knox, you should see the below-highlighted lines in your knox logs

[~]$ tail –f /var/log/knox/gateway.log