Community Articles

Find and share helpful community-sourced technical articles.
avatar
Contributor

Enable SSL for Ambari Infra Solr:

1) Create directory on Infra Solr node:

mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys

2) Create Infra Solr keystore:

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass bigdata -storepass bigdata -validity 9999 -keystore infra.solr.keyStore.jks -ext SAN=DNS:{solr-hostname},IP:{solr-host-ip-address} -dname "CN={solr-hostname}, OU=Ambari, O=InfraSolr, L=Location, ST=State, C=Country"

3) Update the keystore file infra.solr.keyStore.jks ownership:

chown infra-solr:hadoop infra.solr.keyStore.jks

4) Update below properties from Ambari under Ambari Infra Config Tab in Advanced infra-solr-env section:

infra_solr_ssl_enabled (Enable SSL to Infra Solr) - true
infra_solr_keystore_location (Infra Solr key store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_keystore_type (Infra Solr key store type) - jks
infra_solr_keystore_password (Infra Solr key store password) - bigdata (Enter password given in -storepass argument while creating keystore)

Here, using the same keystore as truststore.
infra_solr_truststore_location (Infra Solr trust store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_truststore_type (Infra Solr trust store type) - jks
infra_solr_truststore_password (Infra Solr truststore store password) - bigdata (Enter password given in -storepass argument while creating keystore)

5) (Optional, Ambari Infra Solr restart handles setting https urlScheme) Configure Infra Solr cluster properties in Zookeeper:

/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost {zookeeper-host}:2181/infra-solr -cmd clusterprop -name urlScheme -val https

6) Restart Ambari Infra Solr.

NOTE: For more detailed explanation on enabling solr in SSL refer: Enabling SSL

Configure Ranger and Ranger Plugins:

1) Create directory on Ranger node as well on Ranger Plugin node:

mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys

2) Create solr-trust.cer file. Need to export infra.solr.keyStore.jks certificate into it:

keytool -export -keystore infra.solr.keyStore.jks -alias solr-ssl -file solr-trust.cer -storepass bigdata

3) Import Infra Solr certificate into JDK cacerts:

keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit

4) Create Ranger truststore file having Infra Solr certificate:

keytool -import -file solr-trust.cer -alias solr-ranger-trust -keystore rangertruststore -storepass changeit

5) Update the ownership of Ranger truststore file and also update below properties from Ambari under Ranger service config tab in Advanced ranger-admin-site section

chown ranger:hadoop rangertruststore

Properties:
ranger.truststore.file - /etc/security/serverKeys/rangertruststore
ranger.truststore.password - changeit (Enter the password given in -storepass argument while creating truststore)

6) For Ranger Plugin import Infra Solr certificate into JDK cacerts file on the node where Ranger Plugin is enabled:

keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit

7) After updating properties Restart Ranger and Ranger Plugin supported Components.

4,796 Views
Comments
avatar
Expert Contributor

Technically, step 3 and step 4 are mutually exclusive. If you're using the Java cacerts then you don't need to set up a truststore for Ranger and vice-versa.

If doing step 3, make sure you update the correct Java cacerts as the Ranger JVM is started with just the command 'java' (not the full path to java) so if you have both OpenJDK and Oracle JDK installed and your Hadoop JAVA_HOME is set to the Oracle JDK, Ranger will actually be started with OpenJDK if /etc/alternatives has not been updated.

Also, 'rangertruststore' should probably be called 'rangertruststore.jks' for consistency.