Steps to configure two-way SSL between Ambari Server and Ambari Agent using custom certificates.
Here I have used CA-signed certs on the server side; the agent certs are generated dynamically. If you are planning to use CA-signed certs on the agent side as well, you may have to copy the certs and do the manual work for every agent install.
1. Make sure you start with a fresh keys folder (if you do not have one, copy the folder from a freshly installed machine, or do the following):
- Delete all the .crt and .csr files that start with the hostname in /var/lib/ambari-server/keys.
- Empty the /var/lib/ambari-server/keys/db/index.txt file.
- Delete any certs under /var/lib/ambari-server/keys/db/newcerts/.
2. Copy your own signed certificate and key files to /var/lib/ambari-server/keys/.
Ex: certificate and key named ca-cust.crt and ca-cust.key
3. Create a PKCS12 keystore file from your cert and key files.
Ex: openssl pkcs12 -export -inkey /tmp/keys/ca-cust.key -in /tmp/keys/ca-cust.crt -out /tmp/keys/keystore.p12 -password pass:bigdata -passin pass:bigdata
Note: replace the passwords with your own (-password protects the keystore, -passin unlocks the private key).
4. Create pass-cust.txt containing the keystore password you provided in step 3.
Ex: echo "bigdata" > pass-cust.txt
5. Configure ambari.properties with the cert, key and keystore file names you used above.
6. Remove any existing certs on all the agent hosts in /var/lib/ambari-agent/keys/.
7. Start ambari-server and ambari-agent and watch their logs.
Note 1: Look out for SSL errors in the ambari-server log during startup. This was tried on Ambari 2.4.x.
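A preflight check for steps 1 to 4 above, as an added example that is not part of the original post: it inspects the keys folder for the things ambari-server trips over at startup (non-empty CA database, cert and key that do not match, a keystore that does not open with the password in pass-cust.txt). The keys directory and file names are passed as arguments, so the ca-cust.crt / keystore.p12 / pass-cust.txt names from this post are only the expected inputs, not hard-coded.

```shell
#!/usr/bin/env bash
# Constructed preflight check for the Ambari server keys directory (added example,
# not part of the original post). Run it after steps 1-4, before starting ambari-server.
# Arguments: <keys dir> <cert file> <key file> <pkcs12 keystore> <password file>
check_ambari_keys() {
    local dir="$1" crt="$2" key="$3" p12="$4" passfile="$5"
    local rc=0

    # Step 1: the CA database must be empty, otherwise previously issued agent certs linger.
    if [ -s "$dir/db/index.txt" ]; then
        echo "FAIL: $dir/db/index.txt is not empty"; rc=1
    fi
    if [ -n "$(ls -A "$dir/db/newcerts" 2>/dev/null)" ]; then
        echo "FAIL: $dir/db/newcerts/ still contains certificates"; rc=1
    fi
    # Any other .crt/.csr in the keys dir is usually a stale per-host agent artefact.
    local stale
    stale=$(find "$dir" -maxdepth 1 \( -name '*.crt' -o -name '*.csr' \) ! -name "$crt")
    [ -n "$stale" ] && echo "WARN: leftover cert/csr files: $stale"

    # Step 2: cert and key must both be readable and carry the same public key.
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$dir/$crt" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $crt"; return 1; }
    key_pub=$(openssl pkey -in "$dir/$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read private key $key"; return 1; }
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $crt and $key do not belong together"; rc=1
    fi
    # The server signs the dynamically generated agent certs with this cert, so it
    # should be a CA certificate; warn if basicConstraints does not say so.
    if ! openssl x509 -in "$dir/$crt" -noout -text 2>/dev/null \
            | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "WARN: $crt does not carry basicConstraints CA:TRUE"
    fi

    # Steps 3-4: the keystore must open with the first line of the password file;
    # a wrong or stale password here is what surfaces as an SSL error at startup.
    if [ ! -s "$dir/$passfile" ]; then
        echo "FAIL: password file $passfile is missing or empty"; return 1
    fi
    if ! openssl pkcs12 -in "$dir/$p12" -noout -passin "file:$dir/$passfile" 2>/dev/null; then
        echo "FAIL: $p12 cannot be opened with the password in $passfile"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir is consistent"
    return "$rc"
}
```

Point it at the real folder with `check_ambari_keys /var/lib/ambari-server/keys ca-cust.crt ca-cust.key keystore.p12 pass-cust.txt`; a non-zero exit means fix the listed item before step 7.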