Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

Where to add keystore file for mutual authentication enabled for Knox service on cluster?

Explorer

Hi, I have added Knox service to the cluster and enabled the ssl .Now I want to enable mutual auth. I have followed the steps from https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/setting_up_2-way_ssl_au.... Where I have created gateway.jks (using cd $gateway bin/knoxcli.cmd create-cert --hostname $gateway-hostname command) and given truststore file path of the same in gateway-site.xml.

Now I want to know where to provide keystore file path for client side authentication when I put "gateway.client.auth.needed = true" in gateway-site.xml file.

1 ACCEPTED SOLUTION

@Snehal S Keystore file path is already set to gateway.jks by default and you should not change this. Once you perform the configuration mentioned on the link you shared you need to import the

1. client public certificate to the knox truststore (on knox server machine)

2. the knox public certificate to the client truststore (on client server machine)

After 1 and 2 and if proper configuration was done this should work.

HTH

View solution in original post

4 REPLIES 4

@Snehal S Keystore file path is already set to gateway.jks by default and you should not change this. Once you perform the configuration mentioned on the link you shared you need to import the

1. client public certificate to the knox truststore (on knox server machine)

2. the knox public certificate to the client truststore (on client server machine)

After 1 and 2 and if proper configuration was done this should work.

HTH

@Snehal Shelgaonkar I'm glad to hear this worked for you. Please take a moment to login and click the "accept" link on the answer.

Explorer

Thank you @Felix Albani for help. Sorry for delayed response.
It saved my time and worked when I imported public certs of respective machines.

Explorer

Hi @Felix Albani,

The above issue is solved. Now we are facing strange thing, we have created a new user say snehal, created snehal@EXAMPLE.COM principal and snehal.keytab with this principal. And added "hadoop.proxyuser.snehal.groups=* , ,hadoop.proxyuser.snehal.hosts=* " properties in HDFS->config->custome-core site.

same way added property for webhcat also.

Now i am hitting > GET https://host:8443/gateway/default/webhdfs/v1/?op=GETHOMEDIRECTORY&user.name=snehal

I am getting

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}} Non activated Name node :https://host:8443/gateway/default, Error Message: 403#@_#{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}}

Tried many ways like, adding the user snehal in supergroup, also did "kdestroy -> kinit with snehal keytab and principal" many times with different users also, Restarted ambari-server. But no luck.

Thanks,

Snehal