Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry

pbhagade
Rising Star

Created ‎01-19-2018 05:17 AM


Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry.

Ranger Admin is stuck at.

2018-01-19 05:05:15,951 [alpha1.openstacklocal-startStop-1] DEBUG org.apache.ranger.biz.ServiceDBStore (ServiceDBStore.java:341) - <== ServiceDefDBStore.initStore()
2018-01-19 05:05:16,244 [alpha1.openstacklocal-startStop-1] DEBUG apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint (RangerAuthenticationEntryPoint.java:66) - AjaxAwareAuthenticationEntryPoint(): constructor
2018-01-19 05:05:16,350 [alpha1.openstacklocal-startStop-1] INFO  apache.ranger.security.web.filter.RangerCSRFPreventionFilter (RangerCSRFPreventionFilter.java:81) - Adding cross-site request forgery (CSRF) protection

So, For Ranger Admin is it necessary to have CN as FQDN of Ranger admin host.
SAN entry's are check first than CN entry right?

1,460 Views
4 REPLIES 4

arald
Super Collaborator

Created ‎01-19-2018 08:02 AM

I think this is what you want to know:

How Browsers Use the Subject Alternative Name Field in Your SSL Certificate

When browsers connect to your server using HTTPS, they check to make sure your SSL Certificate matches the host name in the address bar.

There are three ways for browsers to find a match:

  1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
  2. The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.
  3. The host name is listed in the Subject Alternative Name field.
1,203 Views
0 Kudos

pbhagade
Rising Star

Created ‎01-19-2018 11:33 AM

I have hostname mentioned in SAN field, still, the service is not coming up.

1,203 Views
0 Kudos

arald
Super Collaborator

Created ‎01-19-2018 12:42 PM

If i get it right, Ranger Admin can't connect to Ranger backend (database?) after you connected to Ranger UI? In this second case it is possible that the Ranger UI (or the Apache server running it) simply doesn't use the SAN information, as this is something that the client/initiator of the connection (normally the browser in https) validates.

1,203 Views
0 Kudos

sroberts
Guru

Created ‎09-07-2018 09:29 AM

Pravin - Did you resolve the issue? According to this JIRA, it's been fixed since Ranger 0.5.3. If not we should raise a new bug.

https://issues.apache.org/jira/browse/RANGER-746

1,203 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
CDP Public Cloud: May 2023 Release Summary
What's New @ Cloudera
Cloudera Operational Database (COD) provides enhancements to the --scale-type CDP CLI option
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
View More Announcements