Support Questions

Find answers, ask questions, and share your expertise

How to update Ambari truststore and Ranger keystore for "expired" Domain Controllers

avatar
Contributor

Way back when someone set up our Ambari Truststore (ambari-server-truststore.jks) and the Ranger Keystore (ranger-admin-keystore.jks). These file contain certificates for the domain controllers we use.

Lately I've been noticing some LDAP queries getting SSL handshake errors. I've tracked this down to the fact that some of the certificates for the DCs in the truststore/keystore have expired. This means I need to update the jks files with the new keys. Is there a script to do this for all of my domain controllers? Something using openssl and then importing importing with keytool? I've searched long and hard but to no avail. This must be a common task, someone must have a script.

Any suggestions?

1 ACCEPTED SOLUTION

avatar
Master Collaborator

make sure that the Ambari Server trusts the certificate that the LDAP server is using. One quick way to get that certificate directly is to use openssl to retrieve that certificate from the LDAP server, and then explicitly add it to a new keystore:

$ openssl s_client -showcerts -connect ldapserver.domain.com:636

You'll see the certificate printed in STDOUT, just look for BEGIN CERTIFICATE.

You will need to grab the entire certificate including the ----BEGIN and END ---- text, and save it to a file. In this case we'll call it ldap.cert.

Once this has been done you can follow 1.2.(1-3) steps in the doc to create a new JKS keystore and import that certificate to ensure that it's trusted by Ambari: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_configure_...

Now you've got a JKS keystore with that certificate in it, you can tell Ambari to use that when connecting to your LDAP server using SSL by re-running the ambari-server setup-ldap. Just make sure you answer correctly for:

  • Use SSL=true
  • TrustStore type=jks
  • Path to TrustStore file=/etc/ambari-server/keys/ldaps-keystore.jks
  • Password for TrustStore={{ what you typed in step 1.2.3 }}

View solution in original post

1 REPLY 1

avatar
Master Collaborator

make sure that the Ambari Server trusts the certificate that the LDAP server is using. One quick way to get that certificate directly is to use openssl to retrieve that certificate from the LDAP server, and then explicitly add it to a new keystore:

$ openssl s_client -showcerts -connect ldapserver.domain.com:636

You'll see the certificate printed in STDOUT, just look for BEGIN CERTIFICATE.

You will need to grab the entire certificate including the ----BEGIN and END ---- text, and save it to a file. In this case we'll call it ldap.cert.

Once this has been done you can follow 1.2.(1-3) steps in the doc to create a new JKS keystore and import that certificate to ensure that it's trusted by Ambari: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_configure_...

Now you've got a JKS keystore with that certificate in it, you can tell Ambari to use that when connecting to your LDAP server using SSL by re-running the ambari-server setup-ldap. Just make sure you answer correctly for:

  • Use SSL=true
  • TrustStore type=jks
  • Path to TrustStore file=/etc/ambari-server/keys/ldaps-keystore.jks
  • Password for TrustStore={{ what you typed in step 1.2.3 }}