Support Questions

Find answers, ask questions, and share your expertise

What do all of the Zeppelin SSL settings mean and how do I configure them to work properly?

New Contributor

I am trying to understand how to configure the SSL settings for Zeppelin so that it works with HTTPS.

I have a certificate for the server domain from Let's Encrypt, so I was expecting a setting for the path to the pem file. However, that is not what zeppelin uses and I do not understand the different settings. I am currently using Ambari I tried looking at some guides online, but I do not understand them and could not get things to work.

Do the zeppelin.server.port and zeppelin.server.ssl.port settings need to be different or will it still work if they are the same?

What is zeppelin.ssl.client.auth for?

Where is the zeppelin.ssl.key.manager.password supposed to come from? Which Key Manager is this referring to?

Where is the zeppelin.ssl.keystore.password supposed to come from? What is a keystore?

Where is the zeppelin.ssl.truststore.password supposed to come from? What is a truststore?

Is there some reference that I can look at that explains all of these things? Any assistance is greatly appreciated.

Thank you very much.



@Steve Vest

Main difference between trustStore vs keyStore is that trustStore (as name suggest) is used to store certificates from trusted Certificate authorities(CA) which are used to verify certificate presented by Server in SSL Connection while keystore is used to store private key and own identity certificate which program should present to other parties (Server or client) to verify its identity. That was one-liner difference between trustStore vs keyStore in Java but no doubt these two terms are quite a confusion not just for anyone who is the first time doing SSL connection in Java but also many intermediate and senior developers.

You will have to use the keytool to convert CA certificate to the JKS (java key store )format which is readable by Zeppelin,Here is an example of using a self-signed certificate configure_zeppelin_ssl

It could look like this

Get this signed with CA authority and import the certificate you received.

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Import the trusted CA certificate in your truststore zeppeline-truststore.jks

#keytool -import -file ca.crt -keystore zeppelin-truststore.jks

In Ambari go to Zeppelin ---> Config ---> Advance make the following below changes assuming you used hadoop as password when creating the trust/key stores

Zeppelin.ssl = true
Zeppelin.ssl.client.auth = false
Zeppelin.ssl.key.manager.password = hadoop
Zeppelin.ssl.keystore.password = hadoop
Zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks
Zeppelin.ssl.keystore.type = JKS
Zeppelin.ssl.truststore.password = hadoop 
Zeppelin.ssl.truststore.path =  /etc/zeppelin/conf/zeppelin-truststore.jks
Zeppelin.ssl.truststore.type = JKS
Step6 : Restart the zeppelin Service and access this over https <zeppelin_host>:9995

Configure a key manager and key store settings with the correct values for your system:

Set zeppelin.ssl.key.manager.password to the password associated with the key manager.
Set zeppelin.ssl.keystore.password to the password associated with the key store.
Set zeppelin.ssl.keystore.path to the path associated with the key store.
Set zeppelin.ssl.keystore.type to the type of key store configured on the cluster (for example, JKS).

If you wish to use client-side certificate authentication, enable client-side authentication and configure the associated trust store settings:

Set zeppelin.ssl.cient.auth to true
Set zeppelin.ssl.truststore.path to the path associated with your trust store.
Set zeppelin.ssl.truststore.password to the password associated with your trust store.
Set zeppelin.ssl.truststore.type to the type of trust store configured on the cluster (for example, JKS).

Check to make sure that all settings are valid.


New Contributor

@Geoffrey Shelton Okot

Thanks for your response, but I am still very confused.

I tried creating a keystore from the Let's Encrypt PEM file:

sudo keytool -import -file /etc/letsencrypt/live/ -alias mydomain -keystore mydomain-keystore.jks

And assigned a password to it: PASSWORD

I then set:

zeppelin.ssl = true
zeppelin.ssl.key.manager.password = PASSWORD (I didn't know what to put here?!?)
zeppelin.ssl.keystore.password = PASSWORD
zeppelin.ssl.keystore.path = /etc/ssl/mydomain-keystore.jks

I left the other ssl settings as the default values, but the Zeppelin webpage was no longer accessible.

I turned zeppelin.ssl = false in order to get it working again.

In the zeppelin log, I couldn't find any abnormal messages indicating why the SSL settings are not working. If the keystore.path is wrong, I can see an error for that, but after fixing the path and permissions, Zeppelin still won't work properly.

So I really don't know what to do.