
Use Internal MS active directory to sign SSL certificate for ambari


New Contributor

Hi all,

I'm a little bit lost setting up SSL for the Ambari web UI.

Here is my lab environment.

I have an Ambari server and an MS Active Directory with a Certificate Authority and the Web Enrolment service configured.

I generated ambari_fqdn.csr, ambari_fqdn.crt and ambari_fqdn.key (using openssl as described in this tutorial: https://community.hortonworks.com/articles/39865/enabling-https-for-ambariserver-and-troubleshootin....).

Any help with the next steps will be appreciated.

6 REPLIES

Re: Use Internal MS active directory to sign SSL certificate for ambari

Super Mentor

@Yanick HOUNGBEDJI

You will need to import the MS Active Directory certificate into Ambari Server's truststore; otherwise, when Ambari Server tries to fetch user details from AD, you might see an SSL exception if you have not imported the AD certificate into Ambari Server's truststore.

The mentioned article shows how to set up the Ambari Server truststore.

Are you getting any error or exception?


Re: Use Internal MS active directory to sign SSL certificate for ambari

New Contributor

@Jay Kumar SenSharma,

Thanks for your answer.

Before configuring the truststore, I thought that I need to sign my certificates with MS AD. To do this, here are my questions:

  • Do I need to sign my previous ambari_fqdn.csr file or ambari_fqdn.crt file?
  • What will be the output from MS AD (a .csr, .cer or .crt file)?
  • To configure the truststore, which certificate needs to be used (the new one signed by MS AD or the existing one)?

Re: Use Internal MS active directory to sign SSL certificate for ambari

Super Mentor

@Yanick HOUNGBEDJI

If you want to create a temporary self-signed certificate then you can refer to the following to know more about it: https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/optional_set_up_...

It also talks about the formats that are supported and should be used for the certificates.
We can configure a "jks/jceks/pkcs12" type of truststore for Ambari Server. We can import certificates in .pem / .crt / .cer etc. formats without any issue. For a more detailed example we can refer to:

https://community.hortonworks.com/content/supportkb/148572/failed-to-connect-to-kdc-make-sure-the-se...


Re: Use Internal MS active directory to sign SSL certificate for ambari

New Contributor

@Jay Kumar SenSharma,

No, I don't want to use an openssl self-signed certificate as described in the link. But I would like to sign the openssl certificate with my MS AD.


Re: Use Internal MS active directory to sign SSL certificate for ambari

Super Mentor

@Yanick HOUNGBEDJI

I have never tried that, but I guess it should work.


Re: Use Internal MS active directory to sign SSL certificate for ambari

New Contributor

Finally it works. Here is what I did; it could help someone else.

  1. Generate the .csr and .key files (described here: https://community.hortonworks.com/articles/39865/enabling-https-for-ambariserver-and-troubleshootin....)
  2. Request a certificate using the MS AD web enrolment service as follows:
    1. Copy and paste the .csr content generated in step 1. The output is a .cer file.
    2. Change the .cer file to .csr
  3. Copy the new .csr to the Ambari server
  4. Use ambari-server setup-security to configure HTTPS
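
Added example (not part of the original posts, and not Ambari or Cloudera code): checks worth running on the certificate the CA returns before giving it to `ambari-server setup-security`. A throwaway local CA stands in for the AD CA so the script runs offline; the host name `ambari.example.test` and the file names `returned.cer`, `ca.pem` and `ca.key` are constructed.

```shell
#!/bin/sh
# Added example: sanity checks on a CA-issued certificate before enabling HTTPS.
# The stand-in CA, host name and file names below are constructed assumptions.

# Write the returned certificate as PEM, whether the CA delivered PEM or DER.
to_pem() {  # to_pem <returned.cer> <out.crt>
    openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -out "$2"
}

# Succeeds only if the certificate carries the public half of this private key.
cert_matches_key() {  # cert_matches_key <cert.pem> <key.pem>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the certificate verifies against the given CA certificate.
chains_to_ca() {  # chains_to_ca <ca.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo in directory $1: a throwaway local CA stands in for the AD CA.
demo() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stand-in Lab CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    # Key and CSR for the server; the private key never leaves this host.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ambari.example.test" \
        -keyout ambari_fqdn.key -out ambari_fqdn.csr 2>/dev/null
    # The CA signs the CSR and returns a certificate, delivered here as DER.
    openssl x509 -req -in ambari_fqdn.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -outform DER -out returned.cer 2>/dev/null
    to_pem returned.cer ambari_fqdn.crt &&
        cert_matches_key ambari_fqdn.crt ambari_fqdn.key &&
        chains_to_ca ca.pem ambari_fqdn.crt
)
# Usage: demo "$(mktemp -d)" && echo "certificate matches key and chains to CA"
```

The same two checks apply to a real issued certificate by pointing `cert_matches_key` and `chains_to_ca` at the downloaded file and the issuing CA's exported certificate.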