Created 02-15-2017 02:41 PM
Dear Community,
I am trying to implement a Puppet SSL setup for Ambari, but have not found any manual on how to configure SSL for Ambari without using "ambari-server setup-security" as specified here https://community.hortonworks.com/articles/39865/enabling-https-for-ambariserver-and-troubleshootin..... I assume that the only options needed to make SSL work are:
1) Keystore for ambari services:
"
ssl.trustStore.path=<path-to-keystore-file>
ssl.trustStore.type=jks
ssl.trustStore.password=<keystore-password-here>
"
2) HTTPS options:
"
client.api.ssl.port=8443
api.ssl=true
client.api.ssl.cert_name=https.crt
client.api.ssl.key_name=https.key
"
Isn't it simpler to use nginx with SSL in front of Ambari to provide HTTPS?
I just tried a manual setup: generating certificates and filling in the needed fields in /etc/ambari-server/conf/ambari.properties, then running "ambari-server setup -s", but "ambari-server restart" failed with an error about a problem with the certificates and truststore. It seems setup performs some transformations while running.
I found out that there are some options for ambari-server setup-security:
1) Configure https: "ambari-server setup-security --security-option=setup-https --api-ssl=true --import-cert-path=/etc/ambari-server/certs/localhost.crt --import-key-path=/etc/ambari-server/certs/localhost.key --pem-password=hadoop --api-ssl-port=8443"
2) Configure truststore: "ambari-server setup-security --security-option=setup-truststore --truststore-reconfigure --truststore-type=jks --truststore-password=hadoop --truststore-path=/etc/ambari-server/certs/ambari-server-truststore"
Created 02-16-2017 12:40 PM
Thanks @Artem Ervit. I have finally found a way to make it Puppet-friendly.
There are two groups of parameters that should be considered. Unfortunately not all of them are described in the documentation, so I had to look here (https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java) and here (https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/python/ambari_server/setupSecurity.py). Some hints can also be found here: https://cwiki.apache.org/confluence/display/AMBARI/Enable+HTTPS+and+LDAPS+together.
1) HTTPS itself:
api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=https.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt
security.server.keys_dir=/etc/ambari-server/certs/
2) Truststore:
ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks
If the configuration is done after ambari-server has been set up, then ambari-server should be restarted. If it is done before, then just run ambari-server setup normally.
Notes:
1) No need to change the truststore if the host is using some external CA, for instance Let's Encrypt. It is already supported in the latest versions of Java.
2) The option "client.api.ssl.crt_pass" did not work for me, but "client.api.ssl.cert_pass_file" was OK.
3) The keystore and truststore use different formats, because keytool does not support direct creation of a keystore in JKS format, only via import into a JKS.
I was more interested in setting up the Puppet environment. However, for a setup without the "ambari-server setup-security" call one can use the following steps:
mkdir /etc/ambari-server/certs
cd /etc/ambari-server/certs/
export AMBARI_SERVER_HOSTNAME=localhost
export AMBARI_CERT_PASS=hadoop
# ----- HTTPS
openssl genrsa -passout pass:$AMBARI_CERT_PASS -out $AMBARI_SERVER_HOSTNAME.key 2048
openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr -subj "/C=IN/ST=One/L=Two/O=hwx/CN=$AMBARI_SERVER_HOSTNAME"
openssl x509 -req -days 365 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
openssl pkcs12 -export -in $AMBARI_SERVER_HOSTNAME.crt -inkey $AMBARI_SERVER_HOSTNAME.key -certfile $AMBARI_SERVER_HOSTNAME.crt -out $AMBARI_SERVER_HOSTNAME.keystore.p12 -password pass:$AMBARI_CERT_PASS
echo "$AMBARI_CERT_PASS" > $AMBARI_SERVER_HOSTNAME.pass.txt
# ------ Services
# The truststore password must match ssl.trustStore.password below; -storepass/-noprompt keep this non-interactive.
keytool -trustcacerts -import -file $AMBARI_SERVER_HOSTNAME.crt -alias ambari-server -keystore $AMBARI_SERVER_HOSTNAME.truststore.jks -storepass "$AMBARI_CERT_PASS" -noprompt
and add the following lines to ambari.properties:
api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=localhost.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt
security.server.keys_dir=/etc/ambari-server/certs/
ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks
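A pre-restart consistency check for the property set above, added here as an example (not Ambari's own code): it parses ambari.properties, verifies that every file the HTTPS and truststore keys point to exists under security.server.keys_dir, that crt_pass and cert_pass_file agree, and that the plaintext password file is not readable by other users. The property names are the ones listed in the answer; the check logic and the `root` re-rooting parameter are assumptions for offline use.

```python
"""Pre-restart consistency check for the Ambari HTTPS and truststore properties
from the answer above (added example, not Ambari's own code)."""
import stat
from pathlib import Path

# Property names come from the answer above; the checks themselves are assumed.
REQUIRED = ("client.api.ssl.cert_name", "client.api.ssl.key_name",
            "client.api.ssl.keystore_name", "client.api.ssl.keystore_type",
            "client.api.ssl.port", "security.server.keys_dir",
            "ssl.trustStore.path", "ssl.trustStore.type", "ssl.trustStore.password")
FILE_KEYS = ("client.api.ssl.cert_name", "client.api.ssl.key_name",
             "client.api.ssl.keystore_name", "client.api.ssl.cert_pass_file")

def parse_properties(text):
    """Parse Java .properties text (key=value lines, '#'/'!' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ssl_config(props, root="/"):
    """Return a list of problems; an empty list means the config is consistent.
    Absolute paths are re-rooted under `root` so the check can run against a
    constructed directory tree instead of the live server."""
    if props.get("api.ssl", "false").lower() != "true":
        return ["api.ssl is not true: HTTPS stays disabled"]
    problems = [f"missing {k}" for k in REQUIRED if k not in props]
    if problems:
        return problems
    keys_dir = Path(root) / props["security.server.keys_dir"].lstrip("/")
    for k in FILE_KEYS:
        if k in props and not (keys_dir / props[k]).is_file():
            problems.append(f"{k}={props[k]} not found in {keys_dir}")
    if not (Path(root) / props["ssl.trustStore.path"].lstrip("/")).is_file():
        problems.append("ssl.trustStore.path does not exist")
    pass_file = keys_dir / props.get("client.api.ssl.cert_pass_file", "")
    if "client.api.ssl.cert_pass_file" in props and pass_file.is_file():
        secret = pass_file.read_text().strip()   # plaintext keystore password
        if props.get("client.api.ssl.crt_pass", secret) != secret:
            problems.append("crt_pass and cert_pass_file disagree")
        if pass_file.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"{pass_file.name} is readable by group/others")
    return problems
```

Run it against a copy of the live tree (or with root="/" on the server) before "ambari-server restart"; an empty list is the green light.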
Created 02-15-2017 11:22 PM
I had a similar issue writing a Chef recipe; what I did was the following:
Run the steps with Ambari, populate ambari.properties so it is functional, then take that ambari.properties file, use it as a template in Chef and add variables where values change. I am not familiar with Puppet and unaware whether a template concept is available, but if it is, that's one way. For reference, here's my example in Chef: https://github.com/dbist/smartsense-chef/blob/master/templates/default/hst-agent.ini.erb
Created 02-21-2017 12:33 PM
Unfortunately the method does not work on ambari-server 2.4.2.0-136.
Created 02-21-2017 03:00 PM
For 2.4.2.0-136 several additional parameters should be considered:
client.api.ssl.truststore_name=localhost.jks
client.api.ssl.truststore_type=jks
client.api.ssl.keys_dir=/etc/ambari-server/certs/