Step 1: Back up the original keystore and credential store. Move the files rather than deleting them: __gateway-credentials.jceks can hold aliases other than the identity passphrase, and the backup lets you roll back by moving the two files back and restarting Knox:

[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/

Step 2: Create a PKCS12 keystore from your private key, the server certificate and the CA chain. The -certfile argument appends the root and intermediate certificates, which the gateway has to serve so that clients can build the chain:

[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key \
        -in <cert.cer> -certfile <root_intermediate>.cer

Step 3: Generate the Knox keystore. Knox looks for the server key under the alias gateway-identity in gateway.jks, so the import renames the entry. <src-alias> is the alias openssl assigned inside the .pfx (the comments below show how to list it) and <src-keystore-password> is the export password you chose in Step 2:

[~]$ cp corp_cert_chain.pfx /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores/

[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx \
        -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks \
        -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> \
        -srcalias <src-alias> -destalias gateway-identity -destkeypass <knox-master-secret>

Step 4: Store the key passphrase in the gateway credential store (the jceks file). Knox reads the alias gateway-identity-passphrase to unlock the key, so its value must match the -destkeypass given in Step 3:

[~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase \
        --value <knox-master-secret>

Step 5: Restart Knox and check the gateway log. The lines below show the keystore being found and the hostname and validity period of the certificate in use; both should now be those of the corporate certificate:

[~]$ tail -f /var/log/knox/gateway.log
INFO  hadoop.gateway (JettySSLService.java:init(106)) - Keystore for the gateway instance found - no need to create one.
INFO  hadoop.gateway (JettySSLService.java:logAndValidateCertificate(128)) - The Gateway SSL certificate is issued to hostname: XXXXXXXXXXXX.
INFO  hadoop.gateway (JettySSLService.java:logAndValidateCertificate(131)) - The Gateway SSL certificate is valid between: 5/3/16 7:00 PM and 5/4/19 6:59 PM.
INFO  hadoop.gateway (GatewayServer.java:startGateway(219)) - Starting gateway...
INFO  hadoop.gateway (GatewayServer.java:start(311)) - Loading topologies from directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO  hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology admin from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/admin.war.152cadc1518
INFO  hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology default from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/default.war.154819e2a38
INFO  hadoop.gateway (GatewayServer.java:start(315)) - Monitoring topologies in directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO  hadoop.gateway (GatewayServer.java:startGateway(232)) - Started gateway on port 8,443
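The five steps above as one script, added here as an example; it is not part of the original article and not Knox's own tooling. It assumes the HDP 2.4 paths and the knoxcli.sh, keytool and openssl binaries used above, reads the two secrets from environment variables instead of the command line where the tools allow it, sets the PKCS12 alias with openssl's -name option so the rename in Step 3 becomes a safety net rather than a requirement, and adds a post-restart check with openssl s_client that the gateway really serves the corporate certificate. The function names, the backup directory naming and the environment variable names (KNOX_DATA, KNOXCLI, GATEWAY_HOST, GATEWAY_PORT, MASTER_SECRET, PFX_PASS) are my own.

```shell
#!/usr/bin/env bash
# Added example, not the article's own commands: Steps 1-5 as one script with
# a post-restart check. Paths default to the HDP 2.4 locations used in the
# article; override them through the environment for another install.
set -eu

KNOX_DATA="${KNOX_DATA:-/var/lib/knox/data-2.4.0.0-169}"
KEYSTORES="$KNOX_DATA/security/keystores"
KNOXCLI="${KNOXCLI:-/usr/hdp/current/knox-server/bin/knoxcli.sh}"
GATEWAY_HOST="${GATEWAY_HOST:-localhost}"   # use the name on the cert for SNI
GATEWAY_PORT="${GATEWAY_PORT:-8443}"

# Fail before anything is moved if an input file is missing.
require_file() {
    [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 1; }
}

# Pull the first alias out of 'keytool -list -v' output on stdin. openssl
# names the PKCS#12 entry "1" unless -name is given, which is why Step 3
# needs -srcalias at all. Prints nothing if no alias line is present.
parse_alias() {
    awk '/^Alias name: / { sub(/^Alias name: /, ""); print; exit }'
}

# Step 1: move, do not delete, the old keystore and credential store.
backup_keystores() {
    local dir="$KEYSTORES/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dir"
    for f in __gateway-credentials.jceks gateway.jks; do
        if [ -e "$KEYSTORES/$f" ]; then mv "$KEYSTORES/$f" "$dir/"; fi
    done
    echo "$dir"
}

# Step 2: bundle key, leaf cert and CA chain into PKCS#12. -name fixes the
# alias to gateway-identity up front; the export password comes from the
# environment (openssl's env: form) so it does not show up in ps output.
build_pkcs12() {
    local key=$1 cert=$2 chain=$3 out=$4
    require_file "$key"; require_file "$cert"; require_file "$chain"
    openssl pkcs12 -export -name gateway-identity \
        -inkey "$key" -in "$cert" -certfile "$chain" \
        -out "$out" -passout env:PFX_PASS
    chmod 600 "$out"
}

# Step 3: convert to the JKS Knox reads. The source alias is looked up rather
# than assumed, so this also works for a .pfx that was built without -name.
import_to_jks() {
    local pfx=$1 src_alias
    src_alias=$(keytool -list -v -keystore "$pfx" -storetype PKCS12 \
                    -storepass "$PFX_PASS" | parse_alias)
    [ -n "$src_alias" ] || { echo "no key entry found in $pfx" >&2; return 1; }
    keytool -importkeystore \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$PFX_PASS" \
        -srcalias "$src_alias" -destalias gateway-identity \
        -destkeystore "$KEYSTORES/gateway.jks" -deststoretype JKS \
        -deststorepass "$MASTER_SECRET" -destkeypass "$MASTER_SECRET"
}

# Step 4: Knox unlocks the gateway-identity key with the value stored under
# this alias, so it must equal the -destkeypass used above. knoxcli takes the
# value as an argument, so it is briefly visible in ps.
store_passphrase() {
    "$KNOXCLI" create-alias gateway-identity-passphrase --value "$MASTER_SECRET"
}

# Step 5 check, run after the restart: print subject and expiry of the
# certificate the gateway actually serves and compare with the log lines.
served_cert() {
    openssl s_client -connect "$GATEWAY_HOST:$GATEWAY_PORT" \
        -servername "$GATEWAY_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

main() {
    : "${MASTER_SECRET:?export MASTER_SECRET (the Knox master secret)}"
    : "${PFX_PASS:?export PFX_PASS (password for the intermediate .pfx)}"
    [ $# -eq 3 ] || { echo "usage: $0 --run key.pem cert.cer chain.cer" >&2; return 1; }
    local pfx="$KEYSTORES/corp_cert_chain.pfx"
    echo "old keystores moved to $(backup_keystores)"
    build_pkcs12 "$1" "$2" "$3" "$pfx"
    import_to_jks "$pfx"
    store_passphrase
    echo "keystore replaced; restart Knox, then run: $0 --verify"
}

case "${1:-}" in
    --run)    shift; main "$@" ;;
    --verify) served_cert ;;
esac
```

Run it as the knox user with MASTER_SECRET and PFX_PASS exported, then after the restart run it again with --verify and check that the subject and notAfter match the hostname and validity period in the log; a mismatch usually means the old gateway.jks was regenerated because the credential store alias and the key password disagree.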
Comments

Hi @skothari,
Where do we get the -srcalias <src-alias> in Step 3 from?


You can run "keytool -list -v -keystore corp_cert_chain.pfx -storetype PKCS12". It lists the alias name.

Basically, we are renaming the alias from the corporate certificate to "gateway-identity".

Last update: 09-21-2016 02:37 PM