
Where to add keystore file for mutual authentication enabled for Knox service on cluster?


Hi, I have added the Knox service to the cluster and enabled SSL. Now I want to enable mutual auth. I have followed the steps from https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/setting_up_2-way_ssl_au...., where I have created gateway.jks (using the cd $gateway bin/knoxcli.cmd create-cert --hostname $gateway-hostname command) and given the truststore file path of the same in gateway-site.xml.

Now I want to know where to provide the keystore file path for client-side authentication when I put "gateway.client.auth.needed = true" in the gateway-site.xml file.

1 ACCEPTED SOLUTION


@Snehal S The keystore file path is already set to gateway.jks by default, and you should not change this. Once you perform the configuration mentioned in the link you shared, you need to import:

1. the client public certificate into the Knox truststore (on the Knox server machine)

2. the Knox public certificate into the client truststore (on the client server machine)

After 1 and 2, and if the configuration was done properly, this should work.

HTH

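The two imports from the accepted answer, as an added example that is not part of this thread: a small POSIX shell script with the keytool command for each step, plus a check that gateway-site.xml actually requests client certificates. The Knox install path, the truststore locations and the keystore aliases are assumptions (verify yours with keytool -list); gateway.jks doubles as the Knox truststore here because that is how the asker pointed gateway.truststore.path at it.

```shell
# Added example, not from the thread: the two truststore imports the accepted
# answer describes, plus a check that gateway-site.xml really asks for client
# certificates. Install paths and key aliases are assumptions (see comments).
set -e

GATEWAY_HOME="${GATEWAY_HOME:-/usr/hdp/current/knox-server}"          # assumed Knox install dir
KNOX_TRUSTSTORE="$GATEWAY_HOME/data/security/keystores/gateway.jks"   # assumed; asker points gateway.truststore.path here
CLIENT_TRUSTSTORE="${CLIENT_TRUSTSTORE:-${HOME:-/tmp}/client-truststore.jks}"  # assumed client-side truststore

# Print the <value> of one <property> in a gateway-site.xml read from stdin.
# Handles both the one-line layout and the multi-line layout Ambari writes.
gateway_site_value() {
    awk -v want="$1" '
        /<name>/  { n=$0; sub(/.*<name>[ \t]*/, "", n);  sub(/[ \t]*<\/name>.*/, "", n);  cur=n }
        /<value>/ { v=$0; sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v)
                    if (cur==want) { print v; exit } }
    '
}

# Exit 0 only if the gateway will demand a client certificate on the TLS handshake.
client_auth_enabled() {            # $1 = path to gateway-site.xml
    [ "$(gateway_site_value gateway.client.auth.needed < "$1")" = "true" ]
}

# Step 1 of the answer, run on the Knox host: client public cert -> Knox truststore.
import_client_cert_into_knox() {   # $1 = client cert (PEM or DER), $2 = truststore password
    keytool -importcert -noprompt -alias client-cert -file "$1" \
        -keystore "$KNOX_TRUSTSTORE" -storepass "$2"
}

# Step 2 of the answer: export only the Knox public cert from gateway.jks (alias
# gateway-identity is the one knoxcli create-cert writes; check with keytool -list),
# then import it into the client truststore on the client host. The private key
# never leaves gateway.jks.
export_knox_cert() {               # $1 = output PEM file, $2 = gateway.jks password
    keytool -exportcert -rfc -alias gateway-identity \
        -keystore "$KNOX_TRUSTSTORE" -storepass "$2" -file "$1"
}
import_knox_cert_into_client() {   # $1 = Knox cert PEM, $2 = client truststore password
    keytool -importcert -noprompt -alias knox-gateway -file "$1" \
        -keystore "$CLIENT_TRUSTSTORE" -storepass "$2"
}
```

Run client_auth_enabled against the live gateway-site.xml before and after the Knox restart; if it reports false, the gateway will still accept any client and the two imports change nothing.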

4 REPLIES



@Snehal Shelgaonkar I'm glad to hear this worked for you. Please take a moment to log in and click the "accept" link on the answer.


Thank you @Felix Albani for the help. Sorry for the delayed response.
It saved my time and worked when I imported the public certs of the respective machines.


Hi @Felix Albani,

The above issue is solved. Now we are facing a strange thing: we have created a new user, say snehal, created a snehal@EXAMPLE.COM principal and snehal.keytab with this principal, and added the "hadoop.proxyuser.snehal.groups=*" and "hadoop.proxyuser.snehal.hosts=*" properties in HDFS -> Config -> Custom core-site.

In the same way, I added the property for webhcat also.

Now I am hitting: GET https://host:8443/gateway/default/webhdfs/v1/?op=GETHOMEDIRECTORY&user.name=snehal

I am getting:

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}} Non activated Name node :https://host:8443/gateway/default, Error Message: 403#@_#{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=snehal != expected=knox"}}

I tried many ways, like adding the user snehal to the supergroup, and also did "kdestroy -> kinit with snehal keytab and principal" many times, with different users as well, and restarted ambari-server. But no luck.

Thanks,

Snehal