What do all of the Zeppelin SSL settings mean and how do I configure them to work properly?

New Contributor

I am trying to understand how to configure the SSL settings for Zeppelin so that it works with HTTPS.

I have a certificate for the server domain from Let's Encrypt, so I was expecting a setting for the path to the pem file. However, that is not what Zeppelin uses and I do not understand the different settings. I am currently using Ambari 2.6.2.0. I tried looking at some guides online, but I do not understand them and could not get things to work.

Do the zeppelin.server.port and zeppelin.server.ssl.port settings need to be different or will it still work if they are the same?

What is zeppelin.ssl.client.auth for?

Where is the zeppelin.ssl.key.manager.password supposed to come from? Which Key Manager is this referring to?

Where is the zeppelin.ssl.keystore.password supposed to come from? What is a keystore?

Where is the zeppelin.ssl.truststore.password supposed to come from? What is a truststore?

Is there some reference that I can look at that explains all of these things? Any assistance is greatly appreciated.

Thank you very much.

Mentor

@Steve Vest

The main difference between trustStore and keyStore is that a trustStore (as the name suggests) is used to store certificates from trusted Certificate Authorities (CAs), which are used to verify the certificate presented by the server in an SSL connection, while a keyStore is used to store the private key and own identity certificate, which the program should present to other parties (server or client) to verify its identity. That was the one-line difference between trustStore and keyStore in Java, but no doubt these two terms cause quite a lot of confusion, not just for anyone doing an SSL connection in Java for the first time but also for many intermediate and senior developers.

You will have to use keytool to convert the CA certificate to the JKS (Java KeyStore) format, which is readable by Zeppelin. Here is an example of using a self-signed certificate: configure_zeppelin_ssl

It could look like this

Get this signed with CA authority and import the certificate you received.

# keytool -import -file zeppelin.crt -keystore zeppelin-keystore.jks

Import the trusted CA certificate into your truststore, zeppelin-truststore.jks:

# keytool -import -file ca.crt -keystore zeppelin-truststore.jks

In Ambari, go to Zeppelin ---> Config ---> Advanced and make the following changes, assuming you used hadoop as the password when creating the trust/key stores:

zeppelin.ssl = true
zeppelin.ssl.client.auth = false
zeppelin.ssl.key.manager.password = hadoop
zeppelin.ssl.keystore.password = hadoop
zeppelin.ssl.keystore.path = /etc/zeppelin/conf/zeppelin-keystore.jks
zeppelin.ssl.keystore.type = JKS
zeppelin.ssl.truststore.password = hadoop
zeppelin.ssl.truststore.path = /etc/zeppelin/conf/zeppelin-truststore.jks
zeppelin.ssl.truststore.type = JKS

Step 6: Restart the Zeppelin service and access this over https <zeppelin_host>:9995


Configure a key manager and key store settings with the correct values for your system:

Set zeppelin.ssl.key.manager.password to the password associated with the key manager.
Set zeppelin.ssl.keystore.password to the password associated with the key store.
Set zeppelin.ssl.keystore.path to the path associated with the key store.
Set zeppelin.ssl.keystore.type to the type of key store configured on the cluster (for example, JKS).

If you wish to use client-side certificate authentication, enable client-side authentication and configure the associated trust store settings:

Set zeppelin.ssl.client.auth to true.
Set zeppelin.ssl.truststore.path to the path associated with your trust store.
Set zeppelin.ssl.truststore.password to the password associated with your trust store.
Set zeppelin.ssl.truststore.type to the type of trust store configured on the cluster (for example, JKS).

Check to make sure that all settings are valid.


HTH

New Contributor

@Geoffrey Shelton Okot

Thanks for your response, but I am still very confused.

I tried creating a keystore from the Let's Encrypt PEM file:

sudo keytool -import -file /etc/letsencrypt/live/mydomain.com/fullchain.pem -alias mydomain -keystore mydomain-keystore.jks

And assigned a password to it: PASSWORD

I then set:

zeppelin.ssl = true
zeppelin.ssl.key.manager.password = PASSWORD (I didn't know what to put here?!?)
zeppelin.ssl.keystore.password = PASSWORD
zeppelin.ssl.keystore.path = /etc/ssl/mydomain-keystore.jks


I left the other ssl settings as the default values, but the Zeppelin webpage was no longer accessible.

I turned zeppelin.ssl = false in order to get it working again.

In the zeppelin log, I couldn't find any abnormal messages indicating why the SSL settings are not working. If the keystore.path is wrong, I can see an error for that, but after fixing the path and permissions, Zeppelin still won't work properly.

So I really don't know what to do.
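
The reply above describes a keystore as holding the private key together with the server's own certificate. As an added example (not part of the thread and not Zeppelin or Ambari code), this script builds such a keystore from separate PEM key and chain files and reports the resulting entry type next to that of a certificate-only import; the file names, the alias `mydomain`, the `KS_PASS` variable and the self-signed sample certificate are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). File names, the alias and the
# KS_PASS variable are placeholders. Passwords travel via the environment
# so they stay out of the process argument list.

# pem_to_jks <privkey.pem> <fullchain.pem> <out.jks> <alias>
# Bundles key + chain into PKCS12, then converts that bundle to JKS.
pem_to_jks() {
  p12=$(mktemp) || return 1
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$4" \
      -out "$p12" -passout env:KS_PASS &&
  keytool -importkeystore -noprompt \
      -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
      -destkeystore "$3" -deststoretype JKS -deststorepass:env KS_PASS \
      -destkeypass:env KS_PASS >/dev/null 2>&1
  rc=$?
  rm -f "$p12"
  return "$rc"
}

# entry_type <keystore> <alias>: prints PrivateKeyEntry or trustedCertEntry.
entry_type() {
  keytool -list -keystore "$1" -alias "$2" -storepass:env KS_PASS 2>/dev/null |
    grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# demo <workdir>: creates a constructed self-signed key/cert pair, then
# compares a certificate-only import with the key + chain conversion.
demo() {
  d=$1
  KS_PASS=changeit; export KS_PASS   # constructed sample password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=zeppelin.example" \
      -keyout "$d/privkey.pem" -out "$d/fullchain.pem" 2>/dev/null || return 1
  keytool -importcert -noprompt -alias mydomain -file "$d/fullchain.pem" \
      -keystore "$d/cert-only.jks" -storetype JKS -storepass:env KS_PASS \
      >/dev/null 2>&1 || return 1
  pem_to_jks "$d/privkey.pem" "$d/fullchain.pem" "$d/with-key.jks" mydomain || return 1
  echo "cert-only.jks: $(entry_type "$d/cert-only.jks" mydomain)"
  echo "with-key.jks:  $(entry_type "$d/with-key.jks" mydomain)"
}

if [ "${1:-}" = "demo" ]; then demo "$(mktemp -d)"; fi
```

Run with the argument `demo`, the certificate-only store reports `trustedCertEntry` and the converted store reports `PrivateKeyEntry`, the entry kind that carries the private key and identity certificate the reply describes.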