Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to Configure Ranger and Usersync for LDAP SSL and Certificate

avatar

In the Usync Log we are getting "Unable to find the valid certification path"

Documentation does not have anything on LDAP SSL and ranger.

Ambari and LDAP ssl is working...screen-shot-2015-10-06-at-42559-pm.png

Tried to put the java cacerts as the usersync.trustore file as the LDP cert is in java cacerts.

This does not work.

What is the exact detail process to get LDAP SSL working for Ranger Usync

1 ACCEPTED SOLUTION

avatar

Option 1: For Self Signed Certs in your own TrustStore

  1. Ensure that you LDAP cert was loaded into a trustStore
keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /etc/pki/java/cacerts
  1. Set ranger.ldap.url to ldaps://<host>:389
  2. Set ranger.usersync.truststore.file property to java store. /etc/pki/java/cacerts
  3. Restart Ranger from Ambari
  4. It appears that if Ranger is restarted from Ambari, it does not attach the trustStore /etc/pki/java/cacerts in the Ranger java process. Therefore manually do a ranger-usersync stop, wait until all java processes were dead, then a ranger-usersync start; it should use the self signed cert correctly.
cd /usr/hdp/<version>/ranger-usersync 

service ranger-usersync stop 

service ranger-usersync start

Option 2: For Self Signed Certs Using Default Ranger UserSync TrustStore

  1. The default location is /usr/hdp/current/ranger-usersync/conf/mytruststore.jks for ranger.usersync.truststore.file property.
  2. Alternatively copy the self-signed ca certs and make changes to that.
  3. Set ranger.usersync.truststore.file to that new cacert file.
cp /etc/pki/java/cacerts /usr/hdp/<current>/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /usr/hdp/2<current>/ranger-usersync/userSyncCAcerts
(where cert.pem has the the LDAPS cert) 

Option 3: Using Certificate Authority Signed Cert in Default Java Store

  1. It appears that the default Java keystore is no longer /etc/pk/java/cacerts but ${JAVA_HOME}/jre/lib/security/cacerts
  2. If you are using a CA signed certificate for your LDAP authentication, the certificate should already be included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts, on all your nodes, or at least on the Name Node, and Ranger Admin/ Usersync nodes
  3. You should not have to manually restart Ranger or perform any keytool imports.
  4. If necessary you can import the CA cert to ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert you can use the keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts also.

Update - Possible Solution to Manual Restarts of Ranger with Self Signed Cert not in ${JAVA_HOME}/jre/lib/security/cacerts:

For Ranger Usersync

Edit /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh

Add  java option > -Djavax.net.ssl.trustStore=/<path to the cacert>

For Ranger Admin

Edit /usr/hdp/current/ranger-admin/ews/ranger-­admin-­services.sh

Add parameter -­Djavax.net.ssl.trustStore=<path to the cacerts> to the java call in the script.

View solution in original post

8 REPLIES 8

avatar

Option 1: For Self Signed Certs in your own TrustStore

  1. Ensure that you LDAP cert was loaded into a trustStore
keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /etc/pki/java/cacerts
  1. Set ranger.ldap.url to ldaps://<host>:389
  2. Set ranger.usersync.truststore.file property to java store. /etc/pki/java/cacerts
  3. Restart Ranger from Ambari
  4. It appears that if Ranger is restarted from Ambari, it does not attach the trustStore /etc/pki/java/cacerts in the Ranger java process. Therefore manually do a ranger-usersync stop, wait until all java processes were dead, then a ranger-usersync start; it should use the self signed cert correctly.
cd /usr/hdp/<version>/ranger-usersync 

service ranger-usersync stop 

service ranger-usersync start

Option 2: For Self Signed Certs Using Default Ranger UserSync TrustStore

  1. The default location is /usr/hdp/current/ranger-usersync/conf/mytruststore.jks for ranger.usersync.truststore.file property.
  2. Alternatively copy the self-signed ca certs and make changes to that.
  3. Set ranger.usersync.truststore.file to that new cacert file.
cp /etc/pki/java/cacerts /usr/hdp/<current>/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /usr/hdp/2<current>/ranger-usersync/userSyncCAcerts
(where cert.pem has the the LDAPS cert) 

Option 3: Using Certificate Authority Signed Cert in Default Java Store

  1. It appears that the default Java keystore is no longer /etc/pk/java/cacerts but ${JAVA_HOME}/jre/lib/security/cacerts
  2. If you are using a CA signed certificate for your LDAP authentication, the certificate should already be included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts, on all your nodes, or at least on the Name Node, and Ranger Admin/ Usersync nodes
  3. You should not have to manually restart Ranger or perform any keytool imports.
  4. If necessary you can import the CA cert to ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert you can use the keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts also.

Update - Possible Solution to Manual Restarts of Ranger with Self Signed Cert not in ${JAVA_HOME}/jre/lib/security/cacerts:

For Ranger Usersync

Edit /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh

Add  java option > -Djavax.net.ssl.trustStore=/<path to the cacert>

For Ranger Admin

Edit /usr/hdp/current/ranger-admin/ews/ranger-­admin-­services.sh

Add parameter -­Djavax.net.ssl.trustStore=<path to the cacerts> to the java call in the script.

avatar
Contributor

thank you, good information.

avatar
Rising Star
  1. If necessary you can import the CA cert to ${JAVA_HOME}/jre/lib/security/cacerts. If using a self-signed cert you can use the keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts also.

seem this step is necessary even for self-signed certs.

avatar
Super Collaborator

Option 2 didn't work for me.

It is throwing me a message that "Certificate already exists" . I am still getting SSL Handshake Exception for ranger usersync.

Which option worked for you?

avatar
Rising Star

I'm getting the following error after following "Option #2". My Ranger is not TLS/SSL enabled. Please help

18 Dec 2018 12:17:23 INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/stg-agent001-stg-cloud009.XXXXX.nm2@XXXXXX.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab 18 Dec 2018 12:17:24 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to build Group List : com.sun.jersey.api.client.UniformInterfaceException: POST http://stg-agent001-stg-cloud009.xxxxx.nm2:6080/service/xusers/groups/ returned a response status of 404 Not Found

and

18 Dec 2018 12:17:24 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0 18 Dec 2018 12:17:24 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User : com.sun.jersey.api.client.UniformInterfaceException: POST http://stg-agent001-stg-cloud009.xxxxx.nm2:6080/service/xusers/ugsync/auditinfo/ returned a response status of 404 Not Found

avatar

As long as LDAP server's certificate is imported into the truststore used by usersync process, you need not have to edit the scripts or manually restart the services. Restarting from Ambari should just work.

avatar

avatar
Expert Contributor

Be careful with the first option above.
In modern RedHat o CentOS systems you should not manually edit the /etc/pki/java/cacerts file. In fact it is a symbolic link part of the consolidated CA certificates system and its content is handled by the update-ca-trust tools.

Please refer to the update-ca-trust(8) manual page for additional information

# ll cacerts 
lrwxrwxrwx 1 root root 40 Sep 22 12:06 cacerts -> /etc/pki/ca-trust/extracted/java/cacerts