Hi All,
I have a .cer certificate with me, generated by AD, and it is a private one.
We are using this to integrate Ambari with AD; as a prerequisite we need to enable LDAPS. I have installed LDAP but want to know how to install this certificate. I would like to know the steps to install the certificate on the Ambari server.
cluster details:
1 Namenode
2 Datanode
HDP 3.1
Ambari 2.7.3
Regards,
Manjunath P N
Created on 08-19-2019 10:38 PM - edited 08-19-2019 10:39 PM
The following doc explains how to set up the Ambari Server truststore and then import the AD certificate into the Ambari server truststore.
# ambari-server setup-security
...
[4] Setup truststore.
[5] Import certificate to truststore.
Option 4 sets up the truststore and option 5 imports the AD / LDAP certificate into that truststore.
Created 08-19-2019 10:53 PM
Thank you Jsen,
I would also like to know whether, after the certificate is installed, I will be able to use a curl command, for example: curl ldaps://example.com:636. Currently I get an error like:
curl ldaps://example.com:636
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
But it works well with ldap://example.com:389.
This means the SSL installation was not done properly, right?
Regards,
Manjunath
Created 08-20-2019 01:23 AM
Have you tried adding "--insecure -v" to your curl command to see any failures?
Example:
# curl "ldaps://yourldap.example.com:636/DC=EXAMPLE.COM?cn,objectClass?sub?(objectClass=*)" -u "cn=user1,ou=test_org3,o=dr,DC=EXAMPLE.COM" --insecure -v
Are you able to access the AD certificate using openssl as follows?
1) Download AD Certificate:
# openssl s_client -connect yourldap.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_server.pem
2) Import this AD certificate into a new or existing Ambari Server truststore:
# keytool -importcert -file ad_server.pem -alias adserver -trustcacerts -storetype JKS -keystore /var/lib/ambari-server/keys/truststore.jks
Created 08-20-2019 01:50 AM
curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=*)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --insecure -v
Enter host password for user 'cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local':
* About to connect() to 10.32.83.35 port 636 (#0)
* Trying 10.32.83.35...
* Connected to 10.32.83.35 (10.32.83.35) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA256
* Server certificate:
* subject: CN=gspidn01.gsp.local
* start date: May 16 13:26:47 2019 GMT
* expire date: May 15 13:26:47 2020 GMT
* common name: gspidn01.gsp.local
* issuer: CN=gsp-GSPIDN01-CA,DC=gsp,DC=local
* LDAP local: ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)
* LDAP remote: search failed Success 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'gsp.local'
* Closing connection 0
curl: (39) NSS: client certificate not found (nickname not specified)
Output for the first command is shared above.
I am not able to access the AD certificate using OpenSSL.
Regards,
Created 08-20-2019 02:10 AM
As we can see, your curl command is showing the following error:
curl: (39) NSS: client certificate not found (nickname not specified)
Hence please try to specify the client certificate using "--cacert /PATH/cacert.pem" as follows:
# curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=*)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --cacert /PATH/cacert.pem -v
What is your OS?
I think you should just try to import the LDAP (AD) certificate into the Ambari truststore, then restart Ambari Server and check whether it shows any error.
Created 08-20-2019 02:32 AM
Hi,
This gave some hope that we are heading in the right direction:
[root@10 security]# curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=*)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --cacert /etc/pki/ca-trust/source/anchors/activedirectory.pem -v
Enter host password for user 'cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local':
* About to connect() to 10.32.83.35 port 636 (#0)
* Trying 10.32.83.35...
* Connected to 10.32.83.35 (10.32.83.35) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)
How can I change the .pem file path?
Created 08-20-2019 01:45 AM
To use the system's own commands like "curl", you also need to import the AD certificate (or its root CA's certificate) into the system's non-Java truststore.
For RHEL 7, the procedure is as follows:
Copy the PEM file to /etc/pki/ca-trust/source/ and run update-ca-trust extract.
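An added example, not code from this thread or from Ambari, that ties together the openssl/keytool steps from the earlier reply and the system-trust step above: it fetches the chain the LDAPS server presents, keeps the last certificate (the issuing CA when the server sends it; otherwise the leaf, which per the output above expires in May 2020), imports it into the Ambari JKS truststore after dropping a stale alias, and adds it to the RHEL 7 anchors so curl verifies without --insecure. It assumes the host name gspidn01.gsp.local from the certificate subject (connecting by IP is what caused the "domain name does not match" error), the truststore path from the earlier reply, an exported STOREPASS variable, and a writable /tmp.

```shell
#!/bin/sh
# Added example (not from the thread or from Ambari): fetch the LDAPS server's
# certificate chain, keep its issuing CA, and install it into the Ambari
# truststore and the RHEL 7 system trust. Host, port and paths are assumptions.
set -eu
LDAP_HOST="${LDAP_HOST:-gspidn01.gsp.local}"  # name in the cert CN/SAN, not the IP
LDAP_PORT="${LDAP_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-/var/lib/ambari-server/keys/truststore.jks}"
ALIAS="${ALIAS:-adserver}"
WORK="${WORK:-/tmp/ldaps-certs}"
# Split a concatenated PEM bundle into $2/cert-1.pem, cert-2.pem, ... and
# print how many certificates it held. Pure awk, so it is testable offline.
split_pem_chain() {   # $1 = bundle file, $2 = output dir
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }' "$1"
}
# Dump every certificate the server presents (-showcerts), not only the leaf
# that piping into a single "openssl x509" keeps.
fetch_chain() {   # $1 = output bundle file
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
        -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$1"
}
# Import into the Ambari JKS truststore, deleting a stale entry first so keytool
# does not refuse because the alias already exists. STOREPASS must be exported.
import_to_truststore() {   # $1 = PEM file
    if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
            -alias "$ALIAS" >/dev/null 2>&1; then
        keytool -delete -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$ALIAS"
    fi
    keytool -importcert -noprompt -storetype JKS -keystore "$TRUSTSTORE" \
        -storepass "$STOREPASS" -alias "$ALIAS" -file "$1"
}
main() {
    : "${STOREPASS:?export STOREPASS (the truststore password) first}"
    fetch_chain "$WORK/chain.pem"
    n=$(split_pem_chain "$WORK/chain.pem" "$WORK")
    ca="$WORK/cert-$n.pem"   # last cert = issuing CA if the server sends it, else the leaf
    openssl x509 -in "$ca" -noout -subject -issuer -enddate
    import_to_truststore "$ca"
    cp "$ca" /etc/pki/ca-trust/source/anchors/ad-ca.pem && update-ca-trust extract
    curl -sS "ldaps://$LDAP_HOST:$LDAP_PORT/" >/dev/null   # now verifies without --insecure
}
if [ "${1:-}" = "run" ]; then main; fi
```

If the chain contains only one certificate, the AD server is not sending its CA; in that case get the CA certificate from the CA itself rather than trusting the short-lived leaf, and run `sh script.sh run` as root after exporting STOREPASS.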
Created 08-20-2019 01:53 AM
Here in this step, one of the team members followed some different steps and installed a certificate, but now we are unable to remove it: whenever I run keytool it says the <ambari-server> entry is already present. Can it be removed completely so that I can start a fresh installation?
If yes, could you please let me know the steps to completely remove the existing certificate?