I am trying to understand how to configure the SSL settings for Zeppelin so that it works with HTTPS.
I have a certificate for the server domain from Let's Encrypt, so I was expecting a setting for the path to the pem file. However, that is not what zeppelin uses and I do not understand the different settings. I am currently using Ambari 18.104.22.168. I tried looking at some guides online, but I do not understand them and could not get things to work.
Do the zeppelin.server.port and zeppelin.server.ssl.port settings need to be different or will it still work if they are the same?
What is zeppelin.ssl.client.auth for?
Where is the zeppelin.ssl.key.manager.password supposed to come from? Which Key Manager is this referring to?
Where is the zeppelin.ssl.keystore.password supposed to come from? What is a keystore?
Where is the zeppelin.ssl.truststore.password supposed to come from? What is a truststore?
Is there some reference that I can look at that explains all of these things? Any assistance is greatly appreciated.
Thank you very much.
Main difference between trustStore vs keyStore is that trustStore (as name suggest) is used to store certificates from trusted Certificate authorities(CA) which are used to verify certificate presented by Server in SSL Connection while keystore is used to store private key and own identity certificate which program should present to other parties (Server or client) to verify its identity. That was one-liner difference between trustStore vs keyStore in Java but no doubt these two terms are quite a confusion not just for anyone who is the first time doing SSL connection in Java but also many intermediate and senior developers.
You will have to use the keytool to convert CA certificate to the JKS (java key store )format which is readable by Zeppelin,Here is an example of using a self-signed certificate configure_zeppelin_ssl
It could look like this
Get this signed with CA authority and import the certificate you received.
# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks
Import the trusted CA certificate in your truststore zeppeline-truststore.jks
#keytool -import -file ca.crt -keystore zeppelin-truststore.jks
In Ambari go to Zeppelin ---> Config ---> Advance make the following below changes assuming you used hadoop as password when creating the trust/key stores
Zeppelin.ssl = true Zeppelin.ssl.client.auth = false Zeppelin.ssl.key.manager.password = hadoop Zeppelin.ssl.keystore.password = hadoop Zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks Zeppelin.ssl.keystore.type = JKS Zeppelin.ssl.truststore.password = hadoop Zeppelin.ssl.truststore.path = /etc/zeppelin/conf/zeppelin-truststore.jks Zeppelin.ssl.truststore.type = JKS Step6 : Restart the zeppelin Service and access this over https <zeppelin_host>:9995
Configure a key manager and key store settings with the correct values for your system:
Set zeppelin.ssl.key.manager.password to the password associated with the key manager. Set zeppelin.ssl.keystore.password to the password associated with the key store. Set zeppelin.ssl.keystore.path to the path associated with the key store. Set zeppelin.ssl.keystore.type to the type of key store configured on the cluster (for example, JKS).
If you wish to use client-side certificate authentication, enable client-side authentication and configure the associated trust store settings:
Set zeppelin.ssl.cient.auth to true Set zeppelin.ssl.truststore.path to the path associated with your trust store. Set zeppelin.ssl.truststore.password to the password associated with your trust store. Set zeppelin.ssl.truststore.type to the type of trust store configured on the cluster (for example, JKS).
Check to make sure that all settings are valid.
Thanks for your response, but I am still very confused.
I tried creating a keystore from the Let's Encrypt PEM file:
sudo keytool -import -file /etc/letsencrypt/live/mydomain.com/fullchain.pem -alias mydomain -keystore mydomain-keystore.jks
And assigned a password to it: PASSWORD
I then set:
zeppelin.ssl = true zeppelin.ssl.key.manager.password = PASSWORD (I didn't know what to put here?!?) zeppelin.ssl.keystore.password = PASSWORD zeppelin.ssl.keystore.path = /etc/ssl/mydomain-keystore.jks
I left the other ssl settings as the default values, but the Zeppelin webpage was no longer accessible.
I turned zeppelin.ssl = false in order to get it working again.
In the zeppelin log, I couldn't find any abnormal messages indicating why the SSL settings are not working. If the keystore.path is wrong, I can see an error for that, but after fixing the path and permissions, Zeppelin still won't work properly.
So I really don't know what to do.