Do we need to add Knox self-signed cert into Ranger keystore?

Rising Star

It seems that invoking the test from the Knox repository in Ranger fails due to a missing path to the cert.

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

1 ACCEPTED SOLUTION

Super Collaborator

In HDP 2.3 you can do the following for it.

# On the Knox host: export the gateway's own certificate (alias gateway-identity) from gateway.jks
cd $GATEWAY_HOME/data/security/keystores
keytool -exportcert -alias gateway-identity -keystore gateway.jks -file knox.crt
  • no password

Copy the knox.crt file onto the machine running Ranger Admin, to a working directory, /usr/hdp/current/ranger-admin/

# On the Ranger Admin host: start from a copy of the JVM's cacerts so the public CAs stay trusted,
# then add the Knox cert to that copy under the alias "knox". The JDK path is the one used in this
# answer (OpenJDK 1.7 on el7); use $JAVA_HOME/jre/lib/security/cacerts for your JVM.
cd /usr/hdp/current/ranger-admin
cp /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64/jre/lib/security/cacerts cacertswithknox
keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacertswithknox
  • password: changeit
cd /usr/hdp/current/ranger-admin/ews

Add the following to /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

-Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-admin/cacertswithknox

in start(), on the java command line:

start() {
        # -Djavax.net.ssl.trustStore replaces the JVM's default cacerts for this process, which is why cacertswithknox was copied from cacerts above
        java -Dproc_rangeradmin ${JAVA_OPTS} -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-admin/cacertswithknox -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &

        echo "Apache Ranger Admin has started."
}

Restart ranger-admin.

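The accepted answer's procedure, scripted and verified, as an added example (not code from the original thread or from the Knox/Ranger projects). It exports the Knox gateway certificate, builds the Ranger trust store from a copy of the JVM's cacerts, checks that the entry stored under the "knox" alias has the same SHA-256 fingerprint as the exported file, and reproduces the JVM's trust decision with openssl before Ranger Admin is touched. Host names, ports and paths are placeholders, and the keystore password handling is an assumption: gateway.jks is unlocked with the Knox master secret, the trust store with the default cacerts password.

```bash
#!/usr/bin/env bash
# Added example, not code from the original thread: scripts the steps of the
# accepted answer and verifies the result before Ranger Admin is restarted.
# Host, port and path values are placeholders (assumptions), adjust to your site.
set -euo pipefail

# Step 1, run on the Knox host: export the gateway's own certificate in PEM form.
# gateway.jks is protected by the Knox master secret; pass it as $2.
export_knox_cert() {   # <gateway.jks> <storepass> <out.crt>
  keytool -exportcert -rfc -alias gateway-identity \
    -keystore "$1" -storepass "$2" -file "$3"
}

# Step 2, run on the Ranger Admin host: build a private trust store that starts
# from the JVM's cacerts (so public CAs stay trusted once the override is set)
# and adds the Knox cert under the alias "knox". If no cacerts path is given or
# the file does not exist, keytool creates a new store holding only the Knox cert.
build_truststore() {   # <cacerts-or-empty> <knox.crt> <out.jks> <storepass>
  local cacerts=$1 crt=$2 out=$3 pass=$4
  if [ -n "$cacerts" ] && [ -f "$cacerts" ]; then
    cp "$cacerts" "$out"
  fi
  keytool -importcert -noprompt -trustcacerts -alias knox \
    -file "$crt" -keystore "$out" -storepass "$pass"
}

# SHA-256 fingerprint of a PEM/DER certificate file, as keytool prints it.
cert_fingerprint() {   # <cert file>
  keytool -printcert -file "$1" | awk '/SHA256:/ {print $2; exit}'
}

# SHA-256 fingerprint of the entry stored under an alias in a keystore.
store_fingerprint() {   # <keystore> <storepass> <alias>
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
    | awk '/SHA256:/ {print $2; exit}'
}

# Returns 0 when the "knox" entry in the trust store is exactly the exported
# certificate; catches importing a stale or wrong knox.crt.
truststore_has_cert() {   # <truststore> <storepass> <knox.crt>
  [ "$(store_fingerprint "$1" "$2" knox)" = "$(cert_fingerprint "$3")" ]
}

# The JVM flags to add to the java line in start() of ranger-admin-services.sh.
# javax.net.ssl.trustStore REPLACES the default cacerts for the process, which
# is why the store above is built from a copy of cacerts rather than started empty.
ranger_truststore_jvm_opts() {   # <truststore> <storepass>
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# The same trust decision the JVM will make, done with openssl from the Ranger
# host: the handshake must verify with ONLY knox.crt as the trust anchor.
verify_knox_handshake() {   # <knox host> <port> <knox.crt>
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  local knox_host=${KNOX_HOST:-knox.example.com}   # assumed placeholder
  local knox_port=${KNOX_PORT:-8443}
  local ranger_home=${RANGER_HOME:-/usr/hdp/current/ranger-admin}
  # JDK 7/8 with JAVA_HOME pointing at a JDK keeps cacerts under jre/lib/security
  local cacerts=${CACERTS:-${JAVA_HOME:-/usr/lib/jvm/jre}/lib/security/cacerts}
  local ts=$ranger_home/cacertswithknox pass=${TRUSTSTORE_PASS:-changeit}
  local crt=$ranger_home/knox.crt   # copied here from the Knox host after step 1

  build_truststore "$cacerts" "$crt" "$ts" "$pass"
  truststore_has_cert "$ts" "$pass" "$crt" || { echo "fingerprint mismatch" >&2; exit 1; }
  verify_knox_handshake "$knox_host" "$knox_port" "$crt" \
    || { echo "TLS verification against $knox_host failed" >&2; exit 1; }
  echo "add to the java line in start() of $ranger_home/ews/ranger-admin-services.sh:"
  ranger_truststore_jvm_opts "$ts" "$pass"; echo
}

# The end-to-end flow only runs with --apply; the functions can be sourced on
# their own (run export_knox_cert on the Knox host first).
if [ "${1:-}" = "--apply" ]; then main; fi
```

The fingerprint comparison is the check worth keeping even if you do the steps by hand: keytool -import happily accepts any certificate file, so a wrong or outdated knox.crt produces a trust store that looks fine until the next PKIX error. The openssl step fails for the same reason the JVM does (no path from the presented certificate to a trust anchor), so a non-zero verify code there means restarting Ranger Admin will not help.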

5 REPLIES

Super Collaborator

Yes, that is right. You need to add the self-signed cert into the Ranger keystore for the Test Connection and lookup functionality to work.

Guru

Thanks @Ramesh Mani

Contributor

If the above steps don't work, then please add/update the values of the properties 'ranger.truststore.file' and 'ranger.truststore.password' in the ranger-admin module according to your environment.

According to the steps mentioned above, sample values would be:

ranger.truststore.file=/usr/hdp/current/ranger-admin/cacertswithknox
ranger.truststore.password=changeit