Active Directory integration with Kerberos HDP 3.1

Explorer

Hi All,

 

I have a .cer certificate with me, generated by AD, and this is a private one.

We are using this to integrate Ambari with AD. As a prerequisite we need to enable LDAPS. I have installed LDAP but wanted to know how to install this certificate; I would like to know the steps to install the certificate on the Ambari server.

Cluster details:

1 Namenode

2 Datanode

HDP 3.1 

Ambari 2.7.3

 

Regards,

Manjunath P N

Re: Active Directory integration with Kerberos HDP 3.1

Super Mentor

@Manjunath 

The following doc explains how to set up the Ambari Server truststore and then import the AD certificate into the Ambari server truststore.

 

https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/configuring-wire-encryption/content/ssl_for...

 

# ambari-server setup-security
.
.
[4] Setup truststore.
[5] Import certificate to truststore.

 

Option 4 to set up the truststore and option 5 to import the AD / LDAP certificate into that truststore.

 

Re: Active Directory integration with Kerberos HDP 3.1

Explorer

Thank you Jsen,

I would also like to know whether, once the certificate is installed, I will be able to use the curl command, for example: curl ldaps://example.com:636, because currently I get an error like

curl ldaps://example.com:636
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

But it works well with ldap://example.com:389.

This means the installation of SSL is not done in the proper way, right?

 

Regards,

Manjunath

Re: Active Directory integration with Kerberos HDP 3.1

Super Mentor

@Manjunath 

Have you tried adding "--insecure -v" to your curl command to see any failures?

Example:

# curl "ldaps://yourldap.example.com:636/DC=EXAMPLE.COM?cn,objectClass?sub?(objectClass=)" -u "cn=user1,ou=test_org3,o=dr,DC=EXAMPLE.COM" --insecure -v

 
Are you able to access the AD certificate using openssl as follows?

1) Download AD Certificate:

# openssl s_client -connect yourldap.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_server.pem

2) Import this AD certificate into a new or existing Ambari Server truststore:

# keytool -importcert -file ad_server.pem -alias adserver -trustcacerts -storetype JKS -keystore /var/lib/ambari-server/keys/truststore.jks

Re: Active Directory integration with Kerberos HDP 3.1

Explorer

curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --insecure -v
Enter host password for user 'cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local':
* About to connect() to 10.32.83.35 port 636 (#0)
* Trying 10.32.83.35...
* Connected to 10.32.83.35 (10.32.83.35) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA256
* Server certificate:
* subject: CN=gspidn01.gsp.local
* start date: May 16 13:26:47 2019 GMT
* expire date: May 15 13:26:47 2020 GMT
* common name: gspidn01.gsp.local
* issuer: CN=gsp-GSPIDN01-CA,DC=gsp,DC=local
* LDAP local: ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)
* LDAP remote: search failed Success 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'gsp.local'

* Closing connection 0
curl: (39) NSS: client certificate not found (nickname not specified)

 

Output of the 1st command shared.

 

Not able to access the AD certificate using OpenSSL.

 

Regards,
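The curl error (51) quoted earlier ("requested domain name does not match the server's certificate") and the certificate subject in the output above (CN=gspidn01.gsp.local, while the connection is made to the IP 10.32.83.35) are a hostname-matching problem, not a truststore problem. The following is an added example, not code from the thread: it implements the RFC 6125 name-matching rules a TLS client applies (IP literals are only matched against iPAddress SAN entries; when any dNSName SAN exists the CN is ignored; wildcards cover one leftmost label) so you can check a target against a certificate's identity before touching any truststore. The SAN values in the sample calls are assumptions; only the CN comes from the thread.

```python
"""Check whether the name a client connects to matches a server certificate.

Added example, not from the thread. The CN is taken from the curl output
quoted above; any SAN entries passed in are constructed assumptions.
"""
import ipaddress


def _dns_label_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' only as the whole
    leftmost label, never spanning a dot, never for a single-label suffix."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_target(target, subject_cn, san_dns=(), san_ip=()):
    """Return (ok, reason) for connecting to `target` given the cert identity."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only matched against iPAddress SAN entries; the
        # subject CN is never consulted for IPs, which is why
        # ldaps://10.32.83.35:636 fails against CN=gspidn01.gsp.local.
        for entry in san_ip:
            if ipaddress.ip_address(entry) == ip:
                return True, "IP %s present in SAN iPAddress" % target
        return False, "IP %s not in SAN; connect to the DNS name in the cert" % target
    if san_dns:
        # When any dNSName SAN exists, the CN is ignored entirely.
        for entry in san_dns:
            if _dns_label_match(entry, target):
                return True, "%s matches SAN dNSName %s" % (target, entry)
        return False, "%s matches no SAN dNSName (CN is ignored)" % target
    if _dns_label_match(subject_cn, target):
        return True, "%s matches subject CN (legacy fallback)" % target
    return False, "%s does not match subject CN %s" % (target, subject_cn)


# From the thread: the subject CN that curl printed for the AD server.
AD_CERT_CN = "gspidn01.gsp.local"

if __name__ == "__main__":
    for host in ("10.32.83.35", "gspidn01.gsp.local"):
        print(host, cert_matches_target(host, AD_CERT_CN))
```

The practical consequence for the thread: point the LDAPS URL (and Ambari's LDAP configuration) at gspidn01.gsp.local rather than the IP, or reissue the AD certificate with an iPAddress SAN.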

Re: Active Directory integration with Kerberos HDP 3.1

Super Mentor

@Manjunath 

As we see, your curl command is showing the following error:

curl: (39) NSS: client certificate not found (nickname not specified)

 

Hence please try to specify the client certificate using "--cacert /PATH/cacert.pem" as follows:

# curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --cacert /PATH/cacert.pem -v

 

What is your OS?

I think just try to import the LDAP (AD) certificate into the Ambari truststore, then restart Ambari Server and check if it still shows any error.

 

Re: Active Directory integration with Kerberos HDP 3.1

Explorer

Hi,

 

This gave some hope that we are going in the proper direction:

[root@10 security]# curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --cacert /etc/pki/ca-trust/source/anchors/activedirectory.pem -v
Enter host password for user 'cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local':
* About to connect() to 10.32.83.35 port 636 (#0)
* Trying 10.32.83.35...
* Connected to 10.32.83.35 (10.32.83.35) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)

How can I change the .pem file path?

Re: Active Directory integration with Kerberos HDP 3.1

Expert Contributor

To use the system's own commands like "curl", you also need to import the AD certificate (or its root CA's certificate) into the system's non-Java truststore.

 

For RHEL 7, the procedure is as follows:

Copy the pem-file to /etc/pki/ca-trust/source/ and run update-ca-trust extract.

Re: Active Directory integration with Kerberos HDP 3.1

Explorer

Here in this step, one of the team members followed some different steps and installed a certificate, but now we are unable to remove it. Whenever I run keytool it says the key <ambari-server> is already present. Can it be removed completely so that I can start a fresh installation?

If yes, could you please let me know the steps to completely remove the existing certificate?
