Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Two Way SSL between Ambari Server and Agents

avatar
author-rank anrathen
Rising Star

Created ‎05-29-2017 05:49 PM

I am trying to configure and enable two-way ssl communication between the ambari-server and agents. I understand that just enabling the setting ‘security.server.two_way_ssl=true’ in the /etc/ambari-server/conf/ambari.properties will auto generate the certs on the nodes and ambari server acts as a CA to sign it.

We have CA-signed certs for these servers, and I was trying to follow the steps listed in this article: https://community.hortonworks.com/articles/66860/enable-two-way-ssl-between-ambari-server-and-ambar....

The CA-signed certificate I have is just certificate with multiple SAN names for all the nodes in the cluster.

According to the above article, if we want to use CA certs for both the server and agent, I have to copy the .crt and .key file to /var/lib/ambari-server/keys and /var/lib/ambari-agent/keys folder on all the servers and agent nodes.

Though I have secured the Hadoop services in the HDP Cluster using the CA-signed certs, we have the truststore and keystores in the /etc/security/serverKeys folder and the 'private key file' itself is not present on all the nodes. But the two-way ssl requires the private key file to be present on the agent nodes.

My question is, is having the private key file on all the agent nodes is riskier?

Or should I just go with using, the CA-signed cert/ key only for the ambari-server side and have the agents get a auto-generated key pair and cert signed by the Ambari server?

If I do self-signed certs for the this two_way_ssl setup, then we have 2 sets of certificates used and maintained on the cluster ie., one set used by the services and one self-signed auto-generated by the ambari server.

P.S.: The cluster does not have Ranger yet, it is Kerberized with AD and HTTPS enabled for the Hadoop services and Ambari server.

Please advise.

1,953 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎06-05-2017 02:46 PM

@Anitha R,

For SSL, any client or server that wishes to present a certificate needs to have access to the relevant private key to prove that they are the owner of the certificate. Else you could distribute the public key (and certificate) anywhere you want and that identity would be usable willy-nilly - which is rather insecure. That said, any private key needs to be kept secure to ensure only those that need it get access to it, else your security has been compromised.

When enabling "2-way SSL", both the server and agents are required to present certificates during the SSL handshake. As opposed to "1-way SSL", which uses the same SSL-secured channel as the "2-way" feature, but only the Ambari server is required to present a certificate. So the "2-way SSL" option increases the security of the connection in that the client now must be trusted before data is sent or received over that channel.

That said...

My question is, is having the private key file on all the agent nodes is riskier?

The more copies of the private key file that exist, the more chances there are that one of those copies are not secured. However, if you can ensure that the file is secure and that only those that absolute need to have access to it, have access to it; then you should be ok. However, this file must be available for the Ambari agent to use so that it may prove its identity.

Or should I just go with using, the CA-signed cert/ key only for the ambari-server side and have the agents get a auto-generated key pair and cert signed by the Ambari server?

The CA signed certs are more secure that the Ambari-generated ones since they are harder to come by. Ambari will create certs for any agent or client that looks like an agent as long as they know how to properly ask for it. I may have to do more research on why one would use "2-way SSL" where Ambari is signing the client certs, but I tend to ask my self this is useful at all.

View solution in original post

1,230 Views
0 Kudos
2 REPLIES 2

avatar
author-rank rlevas
Guru

Created ‎06-05-2017 02:46 PM

@Anitha R,

For SSL, any client or server that wishes to present a certificate needs to have access to the relevant private key to prove that they are the owner of the certificate. Else you could distribute the public key (and certificate) anywhere you want and that identity would be usable willy-nilly - which is rather insecure. That said, any private key needs to be kept secure to ensure only those that need it get access to it, else your security has been compromised.

When enabling "2-way SSL", both the server and agents are required to present certificates during the SSL handshake. As opposed to "1-way SSL", which uses the same SSL-secured channel as the "2-way" feature, but only the Ambari server is required to present a certificate. So the "2-way SSL" option increases the security of the connection in that the client now must be trusted before data is sent or received over that channel.

That said...

My question is, is having the private key file on all the agent nodes is riskier?

The more copies of the private key file that exist, the more chances there are that one of those copies are not secured. However, if you can ensure that the file is secure and that only those that absolute need to have access to it, have access to it; then you should be ok. However, this file must be available for the Ambari agent to use so that it may prove its identity.

Or should I just go with using, the CA-signed cert/ key only for the ambari-server side and have the agents get a auto-generated key pair and cert signed by the Ambari server?

The CA signed certs are more secure that the Ambari-generated ones since they are harder to come by. Ambari will create certs for any agent or client that looks like an agent as long as they know how to properly ask for it. I may have to do more research on why one would use "2-way SSL" where Ambari is signing the client certs, but I tend to ask my self this is useful at all.

1,231 Views
0 Kudos

avatar
author-rank anrathen
Rising Star

Created ‎06-23-2017 03:41 PM

Thank you for clarifying my questions in detail. I switched back to using ambari- server generated certificates for the 'two_way_ssl setup' for now, as the ca-signed certificate we have are SAN certificates i.e.,1 certificate with mulitple SAN for all nodes. When I tried using them, ambari server could not pick up the CA signed agent's cert, because the node name is not present the 'Subject' field of the certificate but instead in the extensions under the SAN names attribute of the certificate. Due to this scenario, I reverted to using the ambari-server signed certificates on all the nodes. Next time, we will get individual certificate for all the nodes with the name in the 'Subject' field to avoid these type of issues.

1,230 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements