puppet setup of Ambari ssl

Expert Contributor

Dear Community,

I am trying to implement a puppet SSL setup for Ambari, but I have not found any manual on how to configure SSL for Ambari without using "ambari-server setup-security", as specified here https://community.hortonworks.com/articles/39865/enabling-https-for-ambariserver-and-troubleshootin..... I assume that the only options needed to make SSL work are:

1) Keystore for ambari services:

ssl.trustStore.path=<path-to-keystore-file>
ssl.trustStore.type=jks
ssl.trustStore.password=<keystore-password-here>

2) HTTPS options:

client.api.ssl.port=8443
api.ssl=true
client.api.ssl.cert_name=https.crt
client.api.ssl.key_name=https.key

Isn't it simpler to use nginx with SSL in front of Ambari to provide HTTPS?

I just tried to make a manual setup by generating certificates and filling in the needed fields in /etc/ambari-server/conf/ambari.properties, afterwards started "ambari-server setup -s", but "ambari-server restart" failed with an error about a problem with the certificates and the truststore. It seems setup makes some transformations while running.

I found out that there are some options for the ambari-server setup-security command:

1) Configure HTTPS: "ambari-server setup-security --security-option=setup-https --api-ssl=true --import-cert-path=/etc/ambari-server/certs/localhost.crt --import-key-path=/etc/ambari-server/certs/localhost.key --pem-password=hadoop --api-ssl-port=8443"

2) Configure truststore: "ambari-server setup-security --security-option=setup-truststore --truststore-reconfigure --truststore-type=jks --truststore-password=hadoop --truststore-path=/etc/ambari-server/certs/ambari-server-truststore"

1 ACCEPTED SOLUTION

Expert Contributor

Thanks @Artem Ervit. I have finally found a way to make it puppet-friendly.

There are two groups of parameters that should be considered. Unfortunately not all of them are described in the documentation, so I had to look here (https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java) and here (https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/python/ambari_server/setupSecurity.py). Some hints can also be found here: https://cwiki.apache.org/confluence/display/AMBARI/Enable+HTTPS+and+LDAPS+together.

1) HTTPS itself:

api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=https.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt

security.server.keys_dir=/etc/ambari-server/certs/

2) truststore:

ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks

If the configuration is done after ambari-server has already been configured, then ambari-server should be restarted. If it is done before, just run ambari-server setup normally.

Notes:

1) No need to change the truststore if the host is using some external CA, for instance letsencrypt. It is already supported in the latest versions of Java.

2) The option "client.api.ssl.crt_pass" did not work for me, but "client.api.ssl.cert_pass_file" was ok.

3) The keystore and truststore use different formats, because keytool does not support direct creation of a keystore in jks format, only via import of a jks.

I was more interested in setting up a puppet environment. However, for a setup without the "ambari-server setup-security" call one can use the following steps:

mkdir /etc/ambari-server/certs
cd /etc/ambari-server/certs/
export AMBARI_SERVER_HOSTNAME=localhost
export AMBARI_CERT_PASS=hadoop

# ----- HTTPS: server key, self-signed certificate and PKCS12 keystore
openssl genrsa -passout pass:$AMBARI_CERT_PASS -out $AMBARI_SERVER_HOSTNAME.key 2048
openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr -subj "/C=IN/ST=One/L=Two/O=hwx/CN=$AMBARI_SERVER_HOSTNAME"
openssl x509 -req -days 365 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
openssl pkcs12 -export -in $AMBARI_SERVER_HOSTNAME.crt -inkey $AMBARI_SERVER_HOSTNAME.key -certfile $AMBARI_SERVER_HOSTNAME.crt -out $AMBARI_SERVER_HOSTNAME.keystore.p12 -password pass:$AMBARI_CERT_PASS
# keystore password file referenced by client.api.ssl.cert_pass_file
echo "$AMBARI_CERT_PASS" > $AMBARI_SERVER_HOSTNAME.pass.txt
# ------ Services: JKS truststore holding the server certificate
# -storepass/-noprompt keep keytool non-interactive; the password must match ssl.trustStore.password
keytool -trustcacerts -import -file $AMBARI_SERVER_HOSTNAME.crt -alias ambari-server -keystore $AMBARI_SERVER_HOSTNAME.truststore.jks -storepass "$AMBARI_CERT_PASS" -noprompt

and add the following lines to ambari.properties:

api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=localhost.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt

security.server.keys_dir=/etc/ambari-server/certs/

ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks

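As an added check, not code from this thread or from the Ambari project: a small Python script that reads the ambari.properties keys listed in the accepted solution and confirms, before ambari-server is restarted, that every file they reference exists under keys_dir and that the keystore type matches the file name (the kind of mismatch that makes "ambari-server restart" fail on certificates). It also accepts the client.api.ssl.truststore_name and client.api.ssl.keys_dir keys reported later in the thread for 2.4.2.0-136; the temp directory and the empty placeholder files created by sample_config() are constructed for the demo.

```python
import os
import tempfile

# File-name keys from the accepted answer plus truststore_name from the 2.4.2.0-136 reply; all are relative to keys_dir.
FILE_KEYS = ("client.api.ssl.cert_name", "client.api.ssl.key_name",
             "client.api.ssl.keystore_name", "client.api.ssl.cert_pass_file",
             "client.api.ssl.truststore_name")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    pairs = (ln.strip().split("=", 1) for ln in text.splitlines()
             if ln.strip() and ln.strip()[0] not in "#!" and "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def check_ambari_ssl(props):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if props.get("api.ssl", "").lower() != "true":
        problems.append("api.ssl is not true, so the API stays on plain HTTP")
    keys_dir = props.get("client.api.ssl.keys_dir") or props.get("security.server.keys_dir")
    if not keys_dir:
        problems.append("security.server.keys_dir is missing")
    for key in FILE_KEYS:
        name = props.get(key)
        if name is None:
            if key != "client.api.ssl.truststore_name":  # only needed on 2.4.2.0-136
                problems.append(f"{key} is missing")
        elif keys_dir and not os.path.isfile(os.path.join(keys_dir, name)):
            problems.append(f"{key}={name} not found in {keys_dir}")
    if (props.get("client.api.ssl.keystore_type") == "pkcs12"
            and not props.get("client.api.ssl.keystore_name", "").endswith(".p12")):
        problems.append("keystore_type is pkcs12 but keystore_name is not a .p12 file")
    ts_path = props.get("ssl.trustStore.path")
    if ts_path and not os.path.isfile(ts_path):
        problems.append(f"ssl.trustStore.path={ts_path} does not exist")
    return problems

def sample_config():
    """Constructed demo: empty placeholder files in a temp dir, returned with the
    accepted answer's ambari.properties lines (as text) pointing at them."""
    keys_dir = tempfile.mkdtemp()
    for name in ("localhost.crt", "localhost.key", "localhost.keystore.p12",
                 "localhost.pass.txt", "localhost.truststore.jks"):
        open(os.path.join(keys_dir, name), "w").close()
    return "\n".join(["api.ssl=true", "client.api.ssl.port=8443", "ssl.trustStore.type=jks",
                      "client.api.ssl.cert_name=localhost.crt", "client.api.ssl.key_name=localhost.key",
                      "client.api.ssl.keystore_name=localhost.keystore.p12", "client.api.ssl.keystore_type=pkcs12",
                      "client.api.ssl.cert_pass_file=localhost.pass.txt", f"security.server.keys_dir={keys_dir}/",
                      f"ssl.trustStore.path={keys_dir}/localhost.truststore.jks"])
```

Run check_ambari_ssl(parse_properties(open("/etc/ambari-server/conf/ambari.properties").read())) from the puppet-managed host; an empty list means the file references line up and a restart is safe to try.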

4 REPLIES

Master Mentor

I had a similar issue writing a Chef recipe; what I did was the following:

Run the steps with Ambari, populate ambari.properties so it is functional, then take that ambari.properties file, use it as a template in Chef and add variables where the values change. I am not familiar with puppet and unaware whether a template concept is available, but if it is, that's one way. For reference, here's my example in Chef: https://github.com/dbist/smartsense-chef/blob/master/templates/default/hst-agent.ini.erb

Expert Contributor

Unfortunately the method does not work on ambari-server 2.4.2.0-136.

Expert Contributor

For 2.4.2.0-136, several additional parameters should be considered:

client.api.ssl.truststore_name=localhost.jks
client.api.ssl.truststore_type=jks
client.api.ssl.keys_dir=/etc/ambari-server/certs/