
Where to add keystore file for mutual authentication enabled for Knox service on cluster?


Hi, I have added the Knox service to the cluster and enabled SSL. Now I want to enable mutual auth. I have followed the steps from https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/setting_up_2-way_ssl_au...., where I created gateway.jks (using the cd $gateway bin/knoxcli.cmd create-cert --hostname $gateway-hostname command) and set the truststore file path to that same file in gateway-site.xml.

Now I want to know where to provide the keystore file path for client-side authentication when I put "gateway.client.auth.needed = true" in the gateway-site.xml file.

Accepted Solutions

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?

@Snehal S The keystore file path is already set to gateway.jks by default and you should not change this. Once you perform the configuration mentioned in the link you shared, you need to import:

1. the client public certificate into the Knox truststore (on the Knox server machine)

2. the Knox public certificate into the client truststore (on the client server machine)

After 1 and 2, and if the configuration was done properly, this should work.

HTH
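The two imports from the accepted answer, written out with keytool as an added example (this is not code from the thread or from the Knox project). Assumptions: the client's key pair lives in a JKS/PKCS12 store under the alias "client", Knox's own identity is stored under "gateway-identity" (Knox's default alias in gateway.jks, whose password is the Knox master secret in a default install), and the file names and aliases given to the trusted entries are illustrative placeholders. Step 1 runs on the Knox host, step 2 on the client host; the check at the end is what to run on each side before flipping gateway.client.auth.needed to true.

```shell
#!/bin/sh
# Added example, not part of the original thread. All paths, aliases and
# passwords are placeholders; substitute the real ones for your hosts.
set -eu

# Step 1 (Knox host): client public certificate -> Knox truststore.
#   $1 client keystore   $2 its password   $3 Knox truststore (gateway.jks)   $4 its password
import_client_cert_into_knox() {
  # Export only the public certificate; the client's private key never leaves the client store.
  keytool -exportcert -rfc -alias client -keystore "$1" -storepass "$2" -file client.pem
  # Add it as a trusted entry so Knox will accept this client's certificate during the handshake.
  keytool -importcert -noprompt -alias trusted-client -file client.pem \
          -keystore "$3" -storepass "$4"
}

# Step 2 (client host): Knox public certificate -> client truststore.
#   $1 Knox keystore (gateway.jks)   $2 its password   $3 client truststore   $4 its password
import_knox_cert_into_client() {
  # "gateway-identity" is the alias Knox uses for its own certificate in gateway.jks.
  keytool -exportcert -rfc -alias gateway-identity -keystore "$1" -storepass "$2" -file gateway.pem
  # keytool creates the truststore file if it does not exist yet.
  keytool -importcert -noprompt -alias knox-gateway -file gateway.pem \
          -keystore "$3" -storepass "$4"
}

# Check: does the store hold a trusted-certificate entry under this alias?
#   $1 keystore   $2 its password   $3 alias      (exit status 0 = yes, 1 = no)
has_trusted_cert() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -q trustedCertEntry
}

# Usage (placeholder names):
#   import_client_cert_into_knox client.jks "$CLIENT_PASS" gateway.jks "$KNOX_MASTER_SECRET"
#   import_knox_cert_into_client gateway.jks "$KNOX_MASTER_SECRET" client-trust.jks "$CLIENT_PASS"
#   has_trusted_cert gateway.jks "$KNOX_MASTER_SECRET" trusted-client && echo "Knox trusts client"
#   has_trusted_cert client-trust.jks "$CLIENT_PASS" knox-gateway && echo "client trusts Knox"
```

Only public certificates cross between the machines; the private keys stay in the keystore that generated them. If either `has_trusted_cert` check fails, mutual authentication will fail on that side with a handshake error, so run both checks before restarting Knox with client auth required.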


Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?

@Snehal Shelgaonkar I'm glad to hear this worked for you. Please take a moment to login and click the "accept" link on the answer.

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?


Thank you @Felix Albani for help. Sorry for delayed response.
It saved my time and worked when I imported public certs of respective machines.

Re: Where to add keystore file for mutual authentication enabled for Knox service on cluster?


Hi @Felix Albani,

The above issue is solved. Now we are facing a strange thing: we have created a new user, say snehal, created the snehal@EXAMPLE.COM principal and snehal.keytab with this principal, and added the "hadoop.proxyuser.snehal.groups=* , ,hadoop.proxyuser.snehal.hosts=* " properties in HDFS -> Config -> Custom core-site.

The same way, I added the property for WebHCat also.

Now I am hitting > GET https://host:8443/gateway/default/webhdfs/v1/?op=GETHOMEDIRECTORY&user.name=snehal

I am getting:

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}} Non activated Name node :https://host:8443/gateway/default, Error Message: 403#@_#{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}}

I tried many things, like adding the user snehal to the supergroup, and also did "kdestroy -> kinit with snehal keytab and principal" many times, with different users as well, and restarted ambari-server. But no luck.

Thanks,

Snehal