
How to Configure Ranger and Usersync for LDAP SSL and Certificate


In the Usersync log we are getting "Unable to find the valid certification path".

The documentation does not have anything on LDAP SSL and Ranger.

Ambari and LDAP SSL is working.

Tried to put the Java cacerts as the usersync truststore file, as the LDAP cert is in the Java cacerts.

This does not work.

What is the exact, detailed process to get LDAP SSL working for Ranger Usersync?

1 ACCEPTED SOLUTION


Option 1: For Self Signed Certs in your own TrustStore

  1. Ensure that your LDAP cert was loaded into a trustStore:
keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /etc/pki/java/cacerts
  2. Set ranger.ldap.url to ldaps://<host>:389
  3. Set the ranger.usersync.truststore.file property to the Java store, /etc/pki/java/cacerts
  4. Restart Ranger from Ambari
  5. It appears that if Ranger is restarted from Ambari, it does not attach the trustStore /etc/pki/java/cacerts to the Ranger Java process. Therefore manually do a ranger-usersync stop, wait until all Java processes are dead, then a ranger-usersync start; it should use the self-signed cert correctly.
cd /usr/hdp/<version>/ranger-usersync 

service ranger-usersync stop 

service ranger-usersync start

Option 2: For Self Signed Certs Using Default Ranger UserSync TrustStore

  1. The default location is /usr/hdp/current/ranger-usersync/conf/mytruststore.jks for ranger.usersync.truststore.file property.
  2. Alternatively copy the self-signed ca certs and make changes to that.
  3. Set ranger.usersync.truststore.file to that new cacert file.
cp /etc/pki/java/cacerts /usr/hdp/<current>/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /usr/hdp/<current>/ranger-usersync/userSyncCAcerts
(where cert.pem has the LDAPS cert)

Option 3: Using Certificate Authority Signed Cert in Default Java Store

  1. It appears that the default Java keystore is no longer /etc/pki/java/cacerts but ${JAVA_HOME}/jre/lib/security/cacerts
  2. If you are using a CA-signed certificate for your LDAP authentication, the certificate should already be included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts, on all your nodes, or at least on the NameNode and the Ranger Admin/Usersync nodes
  3. You should not have to manually restart Ranger or perform any keytool imports.
  4. If necessary you can import the CA cert into ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert, you can use keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts as well.

Update - Possible Solution to Manual Restarts of Ranger with Self Signed Cert not in ${JAVA_HOME}/jre/lib/security/cacerts:

For Ranger Usersync

Edit /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh

Add the Java option -Djavax.net.ssl.trustStore=<path to the cacerts> to the java call in the script.

For Ranger Admin

Edit /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

Add the parameter -Djavax.net.ssl.trustStore=<path to the cacerts> to the java call in the script.
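The three options above all come down to the same two questions: is the LDAPS server's certificate in some truststore, and is the Usersync JVM actually using that truststore? The script below is an added example (not the poster's procedure and not Ranger's own code) that fetches the certificate the LDAPS listener really presents, imports it into the usersync store, verifies the chain with openssl independently of any JVM, and then inspects the live usersync process for the -Djavax.net.ssl.trustStore flag the "Update" section adds. Assumptions: the LDAP host is ldap.example.com with LDAPS on 636 (the standard LDAPS port; the post uses 389, so set LDAP_PORT to whatever your server listens on), the truststore is the default one named in Option 2 with the keytool default password changeit, the alias is MyLdap as in the post, and the usersync JVM's command line contains "ranger-usersync" (it does, through its classpath). Note that the last check only sees the JVM system property; a store configured purely through ranger.usersync.truststore.file does not appear on the command line, so a "<JDK default>" result there is a prompt to look at the service script, not proof of misconfiguration.

```shell
#!/bin/sh
# Added example (not from the original post): set up and check the LDAPS trust
# chain for Ranger Usersync. Every value below is an assumption; override it
# through the environment. Nothing runs until invoked as:  sh ldaps-trust.sh run
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"     # assumed LDAP server
LDAP_PORT="${LDAP_PORT:-636}"                   # standard LDAPS port (assumption)
TRUSTSTORE="${TRUSTSTORE:-/usr/hdp/current/ranger-usersync/conf/mytruststore.jks}"
STOREPASS="${STOREPASS:-changeit}"              # keytool default (assumption)
CERT_ALIAS="${CERT_ALIAS:-MyLdap}"

# 1. Fetch the certificate the LDAPS listener presents right now, so the store
#    trusts what the server sends rather than a stale cert.pem.
fetch_ldaps_cert() {            # usage: fetch_ldaps_cert > cert.pem
  openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
      </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# 2. Import it. keytool refuses to import under an alias that already exists,
#    so drop the old entry first. If it instead warns "Certificate already exists
#    in keystore under alias ...", the store already trusts this cert and a
#    handshake failure means the JVM is not using this store.
import_cert() {                 # usage: import_cert cert.pem
  if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
         -alias "$CERT_ALIAS" >/dev/null 2>&1; then
    keytool -delete -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$CERT_ALIAS"
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$CERT_ALIAS" -file "$1" \
      -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# 3. Prove the server verifies against exactly what is in the store, without
#    involving any JVM: export the trusted cert and hand it to openssl.
verify_handshake() {
  tmp=$(mktemp)
  keytool -exportcert -rfc -alias "$CERT_ALIAS" -keystore "$TRUSTSTORE" \
      -storepass "$STOREPASS" > "$tmp"
  if openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
         -CAfile "$tmp" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'; then
    rm -f "$tmp"; echo "handshake OK against $TRUSTSTORE"
  else
    rm -f "$tmp"; echo "handshake FAILED against $TRUSTSTORE" >&2; return 1
  fi
}

# 4. Pure string helper: pull -Djavax.net.ssl.trustStore=... out of a JVM
#    command line. Prints an empty line when the flag is absent.
truststore_from_cmdline() {
  set -f                        # no glob expansion while splitting the command line
  for tok in $1; do
    case "$tok" in
      -Djavax.net.ssl.trustStore=*)
        set +f; printf '%s\n' "${tok#-Djavax.net.ssl.trustStore=}"; return 0 ;;
    esac
  done
  set +f
  printf '\n'
}

# 5. The check behind the post's "restart from Ambari" observation: does the
#    live usersync JVM carry the flag, and does it point at our store?
check_running_usersync() {
  args=$(ps -eo args= | grep 'ranger-usersync' | grep -v grep | head -n 1 || true)
  [ -n "$args" ] || { echo "usersync JVM not running" >&2; return 1; }
  live=$(truststore_from_cmdline "$args")
  if [ "$live" = "$TRUSTSTORE" ]; then
    echo "usersync JVM trusts $live"
  else
    echo "usersync JVM truststore is '${live:-<JDK default>}', expected $TRUSTSTORE" >&2
    return 1
  fi
}

if [ "${1:-}" = run ]; then
  fetch_ldaps_cert > /tmp/ldaps-cert.pem
  import_cert /tmp/ldaps-cert.pem
  verify_handshake
  check_running_usersync
fi
```

Run it once before and once after the service restart: if verify_handshake passes but check_running_usersync reports the JDK default, the certificate is fine and the restart path (Ambari versus the service script) is what needs fixing.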


8 REPLIES 8


Contributor

thank you, good information.

Rising Star
  "4. If necessary you can import the CA cert to ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert you can use the keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts also."

It seems this step is necessary even for self-signed certs.

Super Collaborator

Option 2 didn't work for me.

It is throwing me the message "Certificate already exists". I am still getting an SSL Handshake Exception for Ranger Usersync.

Which option worked for you?

Rising Star

I'm getting the following error after following "Option #2". My Ranger is not TLS/SSL enabled. Please help.

18 Dec 2018 12:17:23 INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/stg-agent001-stg-cloud009.XXXXX.nm2@XXXXXX.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab
18 Dec 2018 12:17:24 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to build Group List : com.sun.jersey.api.client.UniformInterfaceException: POST http://stg-agent001-stg-cloud009.xxxxx.nm2:6080/service/xusers/groups/ returned a response status of 404 Not Found

and

18 Dec 2018 12:17:24 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
18 Dec 2018 12:17:24 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User : com.sun.jersey.api.client.UniformInterfaceException: POST http://stg-agent001-stg-cloud009.xxxxx.nm2:6080/service/xusers/ugsync/auditinfo/ returned a response status of 404 Not Found


As long as the LDAP server's certificate is imported into the truststore used by the usersync process, you do not need to edit the scripts or manually restart the services. Restarting from Ambari should just work.

Expert Contributor

Be careful with the first option above.
On modern RedHat or CentOS systems you should not manually edit the /etc/pki/java/cacerts file. It is in fact a symbolic link that is part of the consolidated CA certificates system, and its content is handled by the update-ca-trust tools.

Please refer to the update-ca-trust(8) manual page for additional information

# ll cacerts 
lrwxrwxrwx 1 root root 40 Sep 22 12:06 cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
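For the reply above, here is an added example (not the replier's own commands) of the route update-ca-trust expects: the certificate goes into the anchors directory and the Java store is regenerated, instead of a keytool import into the symlink that the next update-ca-trust run would overwrite. It also answers the question raised under Option 3, which cacerts file a given JVM will use, by resolving each candidate path and reporting whether it lands in the managed /etc/pki/ca-trust/extracted tree. Assumptions: the LDAP CA certificate is in ./ldap-ca.pem, the extracted Java store uses the password changeit, the string passed to show_java_trust matches your CA's subject text, and JAVA_HOME (defaulting to /usr/lib/jvm/java) points at the JDK Ranger runs on; run add_anchor as root.

```shell
#!/bin/sh
# Added example (not from the original reply): add a CA certificate through
# update-ca-trust and see which Java cacerts files are managed by it.
set -eu

# Does this path resolve into the tree update-ca-trust maintains? Editing such
# a file with keytool is lost on the next `update-ca-trust`; a plain file is not.
cacerts_managed_by_ca_trust() {   # usage: cacerts_managed_by_ca_trust <path>  -> yes|no
  target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
  case "$target" in
    */ca-trust/extracted/*) echo yes ;;
    *) echo no ;;
  esac
}

# The supported way to trust a new CA system-wide on RHEL/CentOS (run as root):
# drop the PEM in the anchors directory and regenerate the consolidated stores,
# including the Java one the symlink above points at.
add_anchor() {                    # usage: add_anchor ldap-ca.pem
  cp "$1" /etc/pki/ca-trust/source/anchors/
  update-ca-trust extract
}

# Confirm the regenerated Java store lists the CA, then report for each
# candidate cacerts path whether it is the managed store or an independent file
# (on RPM-installed OpenJDK the JDK's own cacerts is typically a symlink too).
show_java_trust() {               # usage: show_java_trust "<CA subject text>"
  keytool -list -keystore /etc/pki/ca-trust/extracted/java/cacerts \
      -storepass changeit | grep -i -- "$1" || echo "CA '$1' not found in extracted store" >&2
  for s in /etc/pki/java/cacerts "${JAVA_HOME:-/usr/lib/jvm/java}/jre/lib/security/cacerts"; do
    printf '%s -> managed by update-ca-trust: %s\n' "$s" "$(cacerts_managed_by_ca_trust "$s")"
  done
}

if [ "${1:-}" = run ]; then
  add_anchor ./ldap-ca.pem
  show_java_trust "${2:-ldap}"
fi
```

If show_java_trust reports "no" for the JDK's own cacerts, that JVM has a private trust store and Option 3's "already included" assumption does not hold for it; point ranger.usersync.truststore.file (or the -Djavax.net.ssl.trustStore flag) at the managed store instead.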