
Step 1: Take a backup of the original keystore and credential store. Knox creates a self-signed keystore at startup when none is present, so keep these copies if you need to roll back:

[~]$ cd /var/lib/knox/data-
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/

Step 2: Create a keystore in PKCS12 format from your private key, the server certificate and the root/intermediate CA certificate(s). The file given to -certfile must hold the full chain up to the root, otherwise Knox will serve an incomplete chain:

[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key \
        -in <cert.cer> -certfile <root_intermediate>.cer

Step 3: Generate the Knox keystore. Knox opens gateway.jks with its master secret, so -deststorepass must be the master secret, and -destkeypass must match the passphrase stored in Step 4:

[~]$ cp corp_cert_chain.pfx /var/lib/knox/data-
[~]$ cd /var/lib/knox/data-

[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 \
        -destkeystore gateway.jks -deststoretype jks \
        -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> \
        -srcalias <src-alias> -destalias gateway-identity -destkeypass <knox-master-secret>

Step 4: Store the private key passphrase (the -destkeypass value from Step 3) in the Knox credential store (__gateway-credentials.jceks) under the alias Knox looks up, gateway-identity-passphrase:

[~]$ /usr/hdp/current/knox-server/bin/ create-alias gateway-identity-passphrase \
        --value <knox-master-secret>

Step 5: Restart Knox and confirm in the Knox log that the gateway picked up the new keystore. Check that the hostname line shows the name clients actually connect to and that the validity window is the one on your corporate certificate; if either is wrong, the wrong entry was imported:

[~]$ tail -f /var/log/knox/gateway.log
INFO  hadoop.gateway - Keystore for the gateway instance found - no need to create one.
INFO  hadoop.gateway - The Gateway SSL certificate is issued to hostname: XXXXXXXXXXXX.
INFO  hadoop.gateway - The Gateway SSL certificate is valid between: 5/3/16 7:00 PM and 5/4/19 6:59 PM.
INFO  hadoop.gateway - Starting gateway...
INFO  hadoop.gateway - Loading topologies from directory:
INFO  hadoop.gateway - Loading topology admin from /usr/hdp/
INFO  hadoop.gateway - Loading topology default from /usr/hdp/
INFO  hadoop.gateway - Monitoring topologies in directory:
INFO  hadoop.gateway - Started gateway on port 8,443
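The five steps above as one script, added here as an example; it is not code from the article or from Knox itself. It also covers the question in the comments about where -srcalias comes from: aliases_from_listing prints the alias names keytool reports for the PKCS12 file, and build_pkcs12 passes -name gateway-identity to openssl so the entry already carries the alias Knox expects. Assumed, not taken from the page: the keystore directory is passed as the fourth argument instead of being typed as a path, the Knox CLI is $KNOX_HOME/bin/knoxcli.sh, the master secret is read from the KNOX_MASTER_SECRET environment variable rather than the command line, and the keytool listing and gateway.log text used in the checks is constructed sample input.

```shell
#!/bin/sh
# Added example (not the article's own code): steps 1-5 of the procedure as one
# script, plus the checks worth running before and after the Knox restart.
# Assumptions (not from the page): the keystore directory is $4, the Knox CLI is
# $KNOX_HOME/bin/knoxcli.sh, and the master secret comes from KNOX_MASTER_SECRET.
set -u

KNOX_HOME="${KNOX_HOME:-/usr/hdp/current/knox-server}"
IDENTITY_ALIAS="gateway-identity"

# Print the alias names found in `keytool -list -v` output read on stdin. This is
# where the -srcalias for step 3 comes from; openssl names the entry "1" unless
# -name is given, which is why build_pkcs12 below sets it explicitly.
aliases_from_listing() {
    sed -n 's/^Alias name: //p'
}

# Succeed only when the listing on stdin holds $1 as a PrivateKeyEntry. A
# trustedCertEntry under the same alias would leave Knox without a server key.
has_private_key_entry() {
    awk -v want="$1" '
        /^Alias name: /  { cur = substr($0, 13) }
        /^Entry type: /  { if (cur == want && $3 == "PrivateKeyEntry") found = 1 }
        END              { exit found ? 0 : 1 }'
}

# Pull the hostname Knox prints for its certificate out of gateway.log (stdin), so
# it can be compared with the name clients actually connect to.
cert_hostname_from_log() {
    sed -n 's/.*certificate is issued to hostname: \(.*\)\.[[:space:]]*$/\1/p' | tail -n 1
}

# Step 2: private key + leaf certificate + CA chain -> PKCS12 with a known alias.
build_pkcs12() {
    openssl pkcs12 -export -name "$IDENTITY_ALIAS" \
        -inkey "$1" -in "$2" -certfile "$3" -passout env:PKCS12_PASS -out "$4"
}

# Step 3: PKCS12 -> gateway.jks. Knox opens the keystore with the master secret
# and unlocks the key with the passphrase stored in step 4, so both are set to
# the master secret here, as in the article.
import_to_gateway_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env PKCS12_PASS \
        -srcalias "$IDENTITY_ALIAS" \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env KNOX_MASTER_SECRET \
        -destkeypass:env KNOX_MASTER_SECRET -destalias "$IDENTITY_ALIAS"
}

# Step 4: record the key passphrase in the Knox credential store (assumed CLI path).
store_key_passphrase() {
    "$KNOX_HOME/bin/knoxcli.sh" create-alias gateway-identity-passphrase \
        --value "$KNOX_MASTER_SECRET"
}

# Check the keystore the way Knox will see it, before restarting anything.
verify_gateway_jks() {
    keytool -list -v -keystore "$1" -storetype JKS -storepass:env KNOX_MASTER_SECRET \
        | has_private_key_entry "$IDENTITY_ALIAS"
}

main() {
    key="$1" cert="$2" chain="$3" ksdir="$4"
    : "${KNOX_MASTER_SECRET:?export KNOX_MASTER_SECRET first}"
    PKCS12_PASS="${PKCS12_PASS:-$KNOX_MASTER_SECRET}"
    export PKCS12_PASS KNOX_MASTER_SECRET
    # Step 1: set the originals aside. Knox creates a self-signed keystore at
    # startup when none exists, so rolling back means moving these back.
    mkdir -p "$ksdir/backup"
    for f in __gateway-credentials.jceks gateway.jks; do
        if [ -f "$ksdir/$f" ]; then mv "$ksdir/$f" "$ksdir/backup/"; fi
    done
    build_pkcs12 "$key" "$cert" "$chain" "$ksdir/corp_cert_chain.pfx" || exit 1
    import_to_gateway_jks "$ksdir/corp_cert_chain.pfx" "$ksdir/gateway.jks" || exit 1
    chmod 600 "$ksdir/gateway.jks"          # private key material: owner-only
    rm -f "$ksdir/corp_cert_chain.pfx"      # the PKCS12 copy is no longer needed
    store_key_passphrase || exit 1
    verify_gateway_jks "$ksdir/gateway.jks" \
        || { echo "no $IDENTITY_ALIAS private key in gateway.jks" >&2; exit 1; }
    echo "gateway.jks ready; restart Knox, then: cert_hostname_from_log < /var/log/knox/gateway.log"
}

if [ "$#" -eq 4 ]; then
    main "$@"
else
    echo "usage: $0 <private-key> <cert> <ca-chain> <knox-keystore-dir>" >&2
fi
```

Run it as the Knox service user (an assumption about your installation) so that gateway.jks and the credential store it writes stay owned by Knox, with the keystore directory from Step 1 as the last argument. The script stops before touching the credential store if the PKCS12 or the keytool import fails, and refuses to report success unless gateway.jks actually contains a private key under gateway-identity, which is the case the Step 5 log lines confirm.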

Hi @skothari,
From where do we get -srcalias <src-alias> in Step 3?


You can do "keytool -list -v -keystore corp_cert_chain.pfx -storetype PKCS12". It would list the alias name.

Basically, we are renaming the alias in the corp certificate to "gateway-identity"

Version history: revision 1 of 1, last update 09-21-2016 02:37 PM