How to Configure Ranger and Usersync for LDAP SSL and Certificate

In the Usersync log we are getting "Unable to find the valid certification path".

Documentation does not have anything on LDAP SSL and ranger.

Ambari and LDAP SSL are working.

Tried to put the Java cacerts as the usersync truststore file, as the LDAP cert is in the Java cacerts.

This does not work.

What is the exact, detailed process to get LDAP SSL working for Ranger Usersync?

Accepted Solution

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

Option 1: For Self Signed Certs in your own TrustStore

  1. Ensure that your LDAP cert was loaded into a trustStore:
     keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /etc/pki/java/cacerts
  2. Set ranger.ldap.url to ldaps://<host>:389
  3. Set the ranger.usersync.truststore.file property to the Java store, /etc/pki/java/cacerts
  4. Restart Ranger from Ambari
  5. It appears that if Ranger is restarted from Ambari, it does not attach the trustStore /etc/pki/java/cacerts to the Ranger java process. Therefore manually do a ranger-usersync stop, wait until all java processes are dead, then do a ranger-usersync start; it should use the self-signed cert correctly.
     cd /usr/hdp/<version>/ranger-usersync
     service ranger-usersync stop
     service ranger-usersync start

Option 2: For Self Signed Certs Using Default Ranger UserSync TrustStore

  1. The default location for the ranger.usersync.truststore.file property is /usr/hdp/current/ranger-usersync/conf/mytruststore.jks.
  2. Alternatively, copy the self-signed CA certs and make changes to that copy.
  3. Set ranger.usersync.truststore.file to that new cacert file.
     cp /etc/pki/java/cacerts /usr/hdp/<current>/ranger-usersync/userSyncCAcerts
     keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /usr/hdp/<current>/ranger-usersync/userSyncCAcerts
     (where cert.pem holds the LDAPS cert)

Option 3: Using Certificate Authority Signed Cert in Default Java Store

  1. It appears that the default Java keystore is no longer /etc/pki/java/cacerts but ${JAVA_HOME}/jre/lib/security/cacerts.
  2. If you are using a CA signed certificate for your LDAP authentication, the certificate should already be included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts, on all your nodes, or at least on the Name Node and the Ranger Admin/Usersync nodes.
  3. You should not have to manually restart Ranger or perform any keytool imports.
  4. If necessary you can import the CA cert into ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert you can use keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts as well.

Update - Possible Solution to Manual Restarts of Ranger with Self Signed Cert not in ${JAVA_HOME}/jre/lib/security/cacerts:

For Ranger Usersync

Edit /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh

Add the java option -Djavax.net.ssl.trustStore=/<path to the cacert>

For Ranger Admin

Edit /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

Add the parameter -Djavax.net.ssl.trustStore=<path to the cacerts> to the java call in the script.
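The options above all come down to one question: is the LDAPS server's certificate actually in the truststore that the Usersync process reads? The following is an added diagnostic (not part of the accepted answer or of Ranger itself) that compares the SHA-256 fingerprint of cert.pem with the entries keytool lists for that store; it assumes keytool is on PATH and the store uses the default password changeit, and the sample inputs are constructed so it runs offline.

```python
"""Added check: compare the SHA-256 fingerprint of the LDAPS cert in cert.pem
with the entries of the truststore Ranger Usersync points at; a cert that is
not there is what produces "unable to find valid certification path"."""
import base64
import hashlib
import re
import subprocess

def pem_certs(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM string."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as keytool -v prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_keytool_list(listing):
    """Map alias -> first SHA-256 fingerprint from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in listing.splitlines():
        m = re.match(r"Alias name:\s*(\S+)", line.strip())
        if m:
            alias = m.group(1)
            continue
        m = re.search(r"SHA256:\s*([0-9A-F]{2}(?::[0-9A-F]{2}){31})", line)
        if m and alias:
            entries[alias] = m.group(1)
            alias = None  # ignore further certs of a chain entry
    return entries

def missing_from_store(pem_text, listing):
    """Fingerprints from pem_text that the truststore listing does not contain."""
    present = set(parse_keytool_list(listing).values())
    return [fp for fp in map(sha256_fingerprint, pem_certs(pem_text)) if fp not in present]

def list_truststore(path, password="changeit"):
    """Run keytool (assumed on PATH) against the store named in ranger.usersync.truststore.file."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", password]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample input for an offline run: the "certificate" body is base64("abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_LISTING = ("Alias name: myldap\nEntry type: trustedCertEntry\n"
                  "Certificate fingerprints:\n\t SHA256: " + "00:" * 31 + "00\n")

if __name__ == "__main__":  # real use: missing_from_store(open("cert.pem").read(), list_truststore(STORE))
    print(missing_from_store(SAMPLE_PEM, SAMPLE_LISTING))
```

An empty result means the cert is trusted by that store and a remaining handshake failure is elsewhere (for example the process reading a different store than the one configured, which is what the restart and -Djavax.net.ssl.trustStore notes above address).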

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

New Contributor

thank you, good information.

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

Contributor
  1. If necessary you can import the CA cert to ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert you can use the keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts also.

It seems this step is necessary even for self-signed certs.

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

Expert Contributor

Option 2 didn't work for me.

It is throwing me a message that "Certificate already exists". I am still getting an SSL handshake exception for Ranger Usersync.

Which option worked for you?

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

New Contributor

I'm getting the following error after following "Option #2". My Ranger is not TLS/SSL enabled. Please help.

18 Dec 2018 12:17:23 INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/stg-agent001-stg-cloud009.XXXXX.nm2@XXXXXX.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab
18 Dec 2018 12:17:24 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to build Group List : com.sun.jersey.api.client.UniformInterfaceException: POST http://stg-agent001-stg-cloud009.xxxxx.nm2:6080/service/xusers/groups/ returned a response status of 404 Not Found

and

18 Dec 2018 12:17:24 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
18 Dec 2018 12:17:24 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User : com.sun.jersey.api.client.UniformInterfaceException: POST http://stg-agent001-stg-cloud009.xxxxx.nm2:6080/service/xusers/ugsync/auditinfo/ returned a response status of 404 Not Found

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

As long as the LDAP server's certificate is imported into the truststore used by the usersync process, you do not need to edit the scripts or manually restart the services. Restarting from Ambari should just work.

Re: How to Configure Ranger and Usersync for LDAP SSL and Certificate

Expert Contributor

Be careful with the first option above.
In modern RedHat or CentOS systems you should not manually edit the /etc/pki/java/cacerts file. In fact it is a symbolic link that is part of the consolidated CA certificates system, and its content is handled by the update-ca-trust tools.

Please refer to the update-ca-trust(8) manual page for additional information.

# ll cacerts 
lrwxrwxrwx 1 root root 40 Sep 22 12:06 cacerts -> /etc/pki/ca-trust/extracted/java/cacerts