
How to configure Knox with existing SSL Certificate?

Expert Contributor

How do I import an existing SSL certificate to be used by Knox?

1 ACCEPTED SOLUTION

For a CA-signed certificate, follow the steps in Section 10 "Gateway Security" of the HDP doc Knox Gateway Admin Guide.

Additional details are available in the Keystores section of the Apache Knox User Guide.



Cloudera Employee

It seems there are hard references to the keystore file and gateway alias in the Knox implementation.

Import client CA-signed certs into the default keystore file with the default alias name.

Default keystore: /var/lib/knox/data/security/keystores/gateway.jks

Default alias: gateway-identity


Contributor

The links provided by @amiller@hortonworks.com are a great place to start. PKI and SSL configuration is one of those security topics that are difficult to answer in a generic way. There are some prerequisites to being able to answer this question for someone, or to be able to approach this in the field.

For instance, the Apache Knox User Guide link above provides a generic end-to-end answer if you need to accomplish all of the steps on your own. Often, a customer will have a security department that they need to request the certificate/key pair from and a company internal process to follow in order to do so. The steps in the User Guide related to requesting the certificate from an authority can then be replaced with that internal process.

Once a certificate/key pair is in hand, we have a couple of things to do:

1. Determine what needs to be done to import it into the gateway.jks keystore.

a. Depending on the format of the provided key pair, it may need to be converted to a format that can be imported; openssl is a great tool for doing these conversions.

b. As the Apache docs describe, the signing cert may also need to be imported.

c. Be sure to import the public certificate and the private key when setting up the gateway-identity alias; importing just the certificate is for setting up trusted certs, not identity certs.

2. Determine whether the public key needs to be added to any client truststores.

a. This is where we import just the public certificate of the trusted entity; hopefully, in an existing-certificate scenario, the CA cert is already trusted.

The above are some guidelines for understanding what is needed in general for SSL certificate/key pair provisioning. Some handy Knox specifics:

1. {GATEWAY_HOME}/data/security/keystores/gateway.jks

This is the identity keystore for the Knox Gateway and needs the public and private keys as well as any signing certs (see the Apache docs). The expected alias for the certificate is gateway-identity.

2. {GATEWAY_HOME}/data/security/keystores/__gateway-credentials.jceks

This is the credential store for the gateway itself, and you will want to add a credential to this that protects the private key passphrase used when you import the key pair into the identity store. This is done with:

knoxcli.sh create-alias gateway-identity-passphrase --value {value}

3. The master secret for the gateway is used as the keystore password and must also be used to import the key pair. If you choose to make the private key passphrase the same as the master secret, then you can skip #2 above.

Hopefully this provides not just specific steps but some background on what you need to understand for SSL configuration.
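The procedure in the reply above (convert the pair with openssl, import cert plus private key under gateway-identity, import the signing CA, create the gateway-identity-passphrase alias only when the key passphrase differs from the master secret) as one POSIX shell script. This is an added example, not code from the original thread or from Apache Knox. The GATEWAY_HOME default, the keystore directory, the PEM file names passed as arguments, the "ca-root" alias and the MASTER_SECRET / KEY_PASS / P12_PASS environment variables are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example: not code from the original thread or from Apache Knox.
# Imports an existing CA-signed certificate/key pair (PEM files) into the
# Knox identity keystore as gateway-identity, following the steps above.
# Assumed (adjust to your environment): GATEWAY_HOME below, the PEM file
# names passed as arguments, the CA alias "ca-root", and these variables:
#   MASTER_SECRET  Knox master secret = keystore password (required)
#   KEY_PASS       private-key passphrase (defaults to MASTER_SECRET)
#   P12_PASS       throwaway password for the temporary PKCS12 file
#   DRY_RUN=1      print each command instead of running it
# Needs openssl and keytool on PATH and knoxcli.sh in GATEWAY_HOME/bin.
# Passwords reach openssl/keytool through environment variables (env:VAR,
# -storepass:env VAR) so they never appear on a command line in `ps`.
set -u

GATEWAY_HOME="${GATEWAY_HOME:-/usr/hdp/current/knox-server}"
# On HDP the data directory may instead live under /var/lib/knox/data.
KEYSTORE_DIR="${KEYSTORE_DIR:-$GATEWAY_HOME/data/security/keystores}"
IDENTITY_STORE="$KEYSTORE_DIR/gateway.jks"
IDENTITY_ALIAS="gateway-identity"
CA_ALIAS="ca-root"
MASTER_SECRET="${MASTER_SECRET:-}"
KEY_PASS="${KEY_PASS:-$MASTER_SECRET}"
P12_PASS="${P12_PASS:-$KEY_PASS}"
export MASTER_SECRET KEY_PASS P12_PASS

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1a: PEM -> PKCS12 (cert + private key + issuing chain under one alias).
# keytool cannot import a bare PEM private key, and -importcert alone would
# only create a trusted-cert entry, which is not an identity.
make_pkcs12() {
  run openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "$IDENTITY_ALIAS" -out "$4" -passout env:P12_PASS
}

# Step 1c: move the key entry into gateway.jks. Store password = master
# secret; key password = KEY_PASS.
import_identity() {
  run keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -srcalias "$IDENTITY_ALIAS" \
    -destkeystore "$IDENTITY_STORE" -deststoretype JKS \
    -deststorepass:env MASTER_SECRET -destalias "$IDENTITY_ALIAS" \
    -destkeypass:env KEY_PASS
}

# Step 1b: the signing CA as a trusted-cert entry (certificate only, no key).
import_ca() {
  run keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$1" \
    -keystore "$IDENTITY_STORE" -storepass:env MASTER_SECRET
}

# Knox specifics 2/3: the credential store only needs a
# gateway-identity-passphrase alias when KEY_PASS differs from the master secret.
needs_passphrase_alias() { [ "$KEY_PASS" != "$MASTER_SECRET" ]; }
store_passphrase() {
  # Caveat: --value puts the passphrase on knoxcli's command line briefly.
  run "$GATEWAY_HOME/bin/knoxcli.sh" create-alias gateway-identity-passphrase \
    --value "$KEY_PASS"
}

# Check: the alias must list as PrivateKeyEntry; trustedCertEntry means only
# the certificate was imported and the gateway has no private key to serve TLS.
verify_identity() {
  run keytool -list -keystore "$IDENTITY_STORE" -storepass:env MASTER_SECRET \
    -alias "$IDENTITY_ALIAS"
}

# usage: knox_import_identity server.crt server.key ca-chain.crt ca-root.crt
knox_import_identity() {
  [ -n "$MASTER_SECRET" ] || { echo "MASTER_SECRET not set" >&2; return 1; }
  umask 077   # the temporary PKCS12 holds the private key; keep it 0600
  p12="${TMPDIR:-/tmp}/gateway-identity.$$.p12"
  make_pkcs12 "$1" "$2" "$3" "$p12" || return 1
  import_identity "$p12" || return 1
  run rm -f "$p12"
  import_ca "$4" || return 1
  if needs_passphrase_alias; then store_passphrase || return 1; fi
  verify_identity
}

if [ "$#" -eq 4 ]; then knox_import_identity "$@"; fi
```

Run it as the user that owns the Knox data directory (so gateway.jks keeps its ownership), try DRY_RUN=1 first to review the exact commands, and restart the gateway afterwards, since the identity keystore is read at startup. Nothing here touches client truststores; if the issuing CA is not already trusted by clients, the CA certificate still has to be added there separately.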
