Created on 09-21-2016 02:37 PM
Step 1: Take a backup of the original configuration:
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/
Step 2: Create a keystore in PKCS12 format from your private key file, certificate and root public certificate
[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer
Step 3: Generate knox keystore
[~]$ cp corp_cert_chain.pfx /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -srcalias <src-alias> -destalias gateway-identity -destkeypass <knox-master-secret>
Step 4: Store the keystore password in jceks file
[~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>
Step 5: Restart Knox; you should see the lines below in your Knox logs:
[~]$ tail -f /var/log/knox/gateway.log
INFO hadoop.gateway (JettySSLService.java:init(106)) - Keystore for the gateway instance found - no need to create one.
INFO hadoop.gateway (JettySSLService.java:logAndValidateCertificate(128)) - The Gateway SSL certificate is issued to hostname: XXXXXXXXXXXX.
hadoop.gateway (JettySSLService.java:logAndValidateCertificate(131)) - The Gateway SSL certificate is valid between: 5/3/16 7:00 PM and 5/4/19 6:59 PM.
INFO hadoop.gateway (GatewayServer.java:startGateway(219)) - Starting gateway...
INFO hadoop.gateway (GatewayServer.java:start(311)) - Loading topologies from directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology admin from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/admin.war.152cadc1518
INFO hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology default from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/default.war.154819e2a38
INFO hadoop.gateway (GatewayServer.java:start(315)) - Monitoring topologies in directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO hadoop.gateway (GatewayServer.java:startGateway(232)) - Started gateway on port 8,443
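An added example, not part of the original post and not Knox project code: a set of pre-flight checks to run on the key, certificate and chain before Step 2 and Step 3, so that a key/cert mismatch, an expired or wrong-hostname certificate, or a broken chain is caught before it shows up as a failed Knox start. The demo CA, the hostname knox.example.test, the file names, the password demo-pass and the extra -name option on the pkcs12 export (which sets the friendlyName keytool reports as the alias, so -srcalias in Step 3 is known up front) are all assumptions of this example; only openssl is required, keytool is used only if present.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# certificate material used in Step 2 (openssl pkcs12 -export) and Step 3
# (keytool -importkeystore). Hostname, file names, password and the demo CA
# are constructed for the demo; nothing here touches a real Knox install.

# 0 when the private key and the certificate carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when the subject CN or a DNS SAN entry names host $2 (the value Knox
# logs as "issued to hostname" in Step 5).
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "CN *= *$2|DNS:$2"
}

# 0 when leaf certificate $2 chains up to the CA bundle $1 (root + intermediates).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the PKCS12 of Step 2, adding -name (assumed here, not in the post) so the
# friendlyName, and hence the -srcalias keytool wants in Step 3, is predictable;
# then confirm the file holds the expected number of certificates.
# args: key cert chain out password alias expected_cert_count
build_pfx() {
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -name "$6" -passout "pass:$5" 2>/dev/null || return 2
  n=$(openssl pkcs12 -in "$4" -passin "pass:$5" -nokeys 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq "$7" ]
}

# 0 when a JKS keystore already carries the gateway-identity alias Knox looks
# for (Step 3's -destalias). Needs keytool on the PATH.
jks_has_gateway_identity() {
  keytool -list -keystore "$1" -storepass "$2" -alias gateway-identity >/dev/null 2>&1
}

# Constructed demo material: a throwaway CA and a leaf it signs, written into $1.
make_demo_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=Demo-Root-CA \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 || return 2
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=knox.example.test \
    -keyout "$1/knox.key" -out "$1/knox.csr" >/dev/null 2>&1 || return 2
  openssl x509 -req -in "$1/knox.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/knox.pem" >/dev/null 2>&1
}

# Run every check against the demo material and print a checklist.
demo() {
  d=$(mktemp -d) || return 2
  make_demo_material "$d" || { echo "could not build demo material"; return 2; }
  for check in \
    "key_matches_cert $d/knox.key $d/knox.pem" \
    "cert_valid_for_days $d/knox.pem 30" \
    "cert_covers_host $d/knox.pem knox.example.test" \
    "chain_verifies $d/ca.pem $d/knox.pem" \
    "build_pfx $d/knox.key $d/knox.pem $d/ca.pem $d/corp_cert_chain.pfx demo-pass gateway-identity 2"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
  done
  # The JKS check only means something once Step 3 has produced gateway.jks.
  if command -v keytool >/dev/null 2>&1 && [ -f "$d/gateway.jks" ]; then
    jks_has_gateway_identity "$d/gateway.jks" demo-pass && echo "PASS: gateway-identity alias present"
  else
    echo "SKIP: keytool alias check (no keytool or no gateway.jks yet)"
  fi
  rm -rf "$d"
}

demo
```

Run it as-is to see the checklist on the constructed material; for real use, point the functions at your own <private-key>.key, <cert.cer> and <root_intermediate>.cer, and run jks_has_gateway_identity against gateway.jks with the Knox master secret after Step 3.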
Created on 10-11-2017 06:13 PM
Hi @skothari,
Where do we get the -srcalias <src-alias> in Step 3 from?
Created on 10-11-2017 06:43 PM
You can do "keytool -list -v -keystore corp_cert_chain.pfx -storetype PKCS12". It would list the alias name.
Basically, we are renaming the alias in the corp certificate to "gateway-identity".