Cloudbreak ships a mini Knox gateway that is not managed by Ambari, so its TLS certificate cannot be replaced through Ambari's Knox configuration.

Below are the steps to replace that gateway's self-signed certificate with a CA-signed certificate and its chain.

Step 1: Remove the two entries below from /usr/hdp/current/knox-server/conf/gateway-site.xml and save the file. Without them Knox falls back to the gateway identity keystore (gateway.jks) and the gateway-identity alias for token signing, so the CA-issued key installed below serves both TLS and signing.

<property> 
<name>gateway.signing.keystore.name</name> 
<value>signing.jks</value> 
</property> 

<property> 
<name>gateway.signing.key.alias</name> 
<value>signing-identity</value> 
</property> 

Step 2: Take a backup of the original keystore and credential store. Both are protected by the master secret, which is regenerated in Step 4, so any other aliases stored in __gateway-credentials.jceks must be re-created with knoxcli.sh create-alias after Step 7:

[~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/

Step 3: Create a PKCS12 keystore from your private key, server certificate, intermediate certificate and root certificate (all PEM-encoded). openssl pkcs12 honours only the last -certfile option on the command line, so concatenate the intermediate and root certificates into one chain file first; otherwise the intermediate is silently dropped and clients that do not already trust it cannot build the chain.

[~]$ cat <root_intermediate>.cer <root_ca>.cer > chain.cer
[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert>.cer -certfile chain.cer

Step 4: Regenerate the master secret. Knox opens gateway.jks and the credential store with the master secret, so the same value must be used as the keystore password in Step 5 and as the passphrase alias in Step 7. create-master prompts for the secret and writes it to data/security/master; the ls between the two commands only confirms that the old file is gone.

# rm -rf /usr/hdp/current/knox-server/data/security/master 
# ls -l /usr/hdp/current/knox-server/data/security/master 
# /usr/hdp/current/knox-server/bin/knoxcli.sh create-master

Step 5: Generate Knox keystore

[~]$ cp corp_cert_chain.pfx /usr/hdp/current/knox-server/data/security/keystores/
[~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
 
[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -destkeypass <knox-master-secret>

Step 6: Rename the imported key entry. openssl assigns the alias "1" when no -name is given in Step 3, while Knox looks for gateway-identity. Both passwords are the master secret from Step 4:

keytool -changealias -alias "1" -destalias "gateway-identity" -keypass <knox-master-secret> -keystore gateway.jks -storepass <knox-master-secret>

Step 7: Store the keystore password in jceks file

[~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>

Step 8: Restart Knox and follow the gateway log to confirm that gateway.jks and the gateway-identity alias are loaded without errors:

[~]$ tail -f /var/log/knox/gateway.log
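The whole procedure as one script, added here as an example; it is not from the original article or from the Knox or Cloudbreak projects. It assumes the Knox paths used above, PEM-encoded inputs, openssl and keytool on PATH, and that the mini Knox is restarted with bin/gateway.sh (an assumption; Cloudbreak may manage the process itself). The gateway-site.xml inside it is a constructed sample used only to exercise Step 1. The script departs from the steps above in two places: the intermediate and root are concatenated before openssl pkcs12 is called, since that command honours only its last -certfile, and -name gateway-identity sets the alias at export time so the keytool -changealias of Step 6 is not needed.

```shell
#!/bin/sh
# Added example: scripts Steps 1-8 of the article. Not from the article or the
# Knox/Cloudbreak projects. Assumes the article's Knox paths, PEM inputs, openssl
# and keytool on PATH, and restart via bin/gateway.sh (assumption, see lead-in).
set -eu

KNOX_HOME=${KNOX_HOME:-/usr/hdp/current/knox-server}
KEYSTORES="$KNOX_HOME/data/security/keystores"
GATEWAY_SITE="$KNOX_HOME/conf/gateway-site.xml"

# Step 1: drop the two signing-key properties so Knox falls back to the
# gateway-identity key for token signing. Pure awk; prints the filtered XML.
strip_signing_props() {
  awk '
    /<property>/ { inprop = 1; buf = ""; drop = 0 }
    inprop {
      buf = buf $0 "\n"
      if ($0 ~ /<name> *gateway\.signing\.(keystore\.name|key\.alias) *<\/name>/) drop = 1
      if ($0 ~ /<\/property>/) { if (!drop) printf "%s", buf; inprop = 0 }
      next
    }
    { print }
  ' "$1"
}

# Constructed sample gateway-site.xml (not a real Cloudbreak file) to exercise Step 1.
sample_gateway_site() {
  cat <<'EOF'
<configuration>
<property>
<name>gateway.signing.keystore.name</name>
<value>signing.jks</value>
</property>
<property>
<name>gateway.port</name>
<value>8443</value>
</property>
<property>
<name>gateway.signing.key.alias</name>
<value>signing-identity</value>
</property>
</configuration>
EOF
}

# Before touching Knox: the key must match the leaf, and the leaf must chain to
# the root via the intermediate. Catches a PKCS12 built from mismatched files.
check_material() {
  key=$1 cert=$2 inter=$3 root=$4
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "private key does not match $cert" >&2; return 1; }
  openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null
}

# Steps 2-7. openssl pkcs12 honours only the last -certfile, so intermediate and
# root are concatenated first; -name sets the PKCS12 friendly name, which keytool
# keeps as the alias, so Step 6 (-changealias) is not needed.
install_cert() {
  key=$1 cert=$2 inter=$3 root=$4 pass=$5
  pfx="$KEYSTORES/corp_cert_chain.pfx" chain="$KEYSTORES/chain.pem"
  check_material "$key" "$cert" "$inter" "$root"
  strip_signing_props "$GATEWAY_SITE" > "$GATEWAY_SITE.new"
  mv "$GATEWAY_SITE.new" "$GATEWAY_SITE"
  mkdir -p "$KEYSTORES/backup"
  for f in __gateway-credentials.jceks gateway.jks; do
    if [ -f "$KEYSTORES/$f" ]; then mv "$KEYSTORES/$f" "$KEYSTORES/backup/"; fi
  done
  cat "$inter" "$root" > "$chain"
  openssl pkcs12 -export -out "$pfx" -inkey "$key" -in "$cert" -certfile "$chain" \
    -name gateway-identity -passout "pass:$pass"
  # New master secret. --master skips the prompt but shows the secret in the
  # process list for a moment; on shared hosts run create-master interactively.
  rm -f "$KNOX_HOME/data/security/master"
  "$KNOX_HOME/bin/knoxcli.sh" create-master --master "$pass"
  keytool -importkeystore -srckeystore "$pfx" -srcstoretype pkcs12 -srcstorepass "$pass" \
    -destkeystore "$KEYSTORES/gateway.jks" -deststoretype jks \
    -deststorepass "$pass" -destkeypass "$pass"
  "$KNOX_HOME/bin/knoxcli.sh" create-alias gateway-identity-passphrase --value "$pass"
  rm -f "$chain" "$pfx"   # the PKCS12 holds the private key; leave no second copy
  chmod 600 "$KEYSTORES/gateway.jks"
}

# Step 8: chain length in the keystore vs. certificates Knox actually serves
# (both should be 3: leaf, intermediate, root).
verify_chain() {
  pass=$1 host=${2:-localhost} port=${3:-8443}
  keytool -list -v -keystore "$KEYSTORES/gateway.jks" -storepass "$pass" \
    -alias gateway-identity | grep 'Certificate chain length'
  openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh knox-cert.sh install key.pem cert.pem intermediate.pem root.pem '<knox-master-secret>'
if [ "${1:-}" = "install" ]; then
  shift; install_cert "$@"
  "$KNOX_HOME/bin/gateway.sh" stop || true
  "$KNOX_HOME/bin/gateway.sh" start; sleep 10   # let the gateway bind before probing it
  verify_chain "$5"
fi
```

check_material is the step most worth keeping even if the rest is done by hand: a PKCS12 built from a key and certificate that do not belong together, or with the wrong intermediate, imports cleanly and only fails when a client connects. The s_client count in verify_chain is the check the article leaves implicit: the keystore can hold the full chain while the gateway still serves only the leaf if the wrong alias was loaded.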
Last update: 10-05-2017 01:06 PM