Support Questions

vladislav_falfu · ‎02-15-2017

Dear Community,

Trying to implement puppet ssl setup for Ambari, but had not found any manual how to configure ssl for ambari not using "ambari-server setup-security" as specified here https://community.hortonworks.com/articles/39865/enabling-https-for-ambariserver-and-troubleshootin..... I assume that only options needed to make ssl working are:

1) Keystore for ambari services:

"

ssl.trustStore.path=<path-to-keystore-file>

ssl.trustStore.type=jks

ssl.trustStore.password=<keystore-password-here>

"

2) HTTPS options:

"

client.api.ssl.port=8443

api.ssl=true

client.api.ssl.cert_name=https.crt

client.api.ssl.key_name=https.key

"

Isn`t it simpler to use nginx with ssl in front of ambari to provide https?

Just tried to make a manual setup with generating certificates and filling the needed fields in /etc/ambari-server/conf/ambari.properties, afterwards started "ambari-server setup -s", but got "ambari-server restart" failed with error about problem with certificates and truststore. Seems it makes some transformations in process of running setup.

Found out that there are some options for ambari-server setup-security option:

1) Configure https: "ambari-server setup-security --security-option=setup-https --api-ssl=true --import-cert-path=/etc/ambari-server/certs/localhost.crt --import-key-path=/etc/ambari-server/certs/localhost.key --pem-password=hadoop --api-ssl-port=8443"

2) Configure trustedstore: "ambari-server setup-security --security-option=setup-truststore --truststore-reconfigure --truststore-type=jks --truststore-password=hadoop --truststore-path=/etc/ambari-server/certs/ambari-server-truststore"

vladislav_falfu · ‎02-16-2017

Thanks @Artem Ervit. I had finally found a way how to make it puppet-friendly.

There are two groups of parameters that should be considered. Unfortunately not all of them are described in documentation, so had to look here(https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java) and here (https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/python/ambari_server/setupSecurity.py). Also some hints can be found here https://cwiki.apache.org/confluence/display/AMBARI/Enable+HTTPS+and+LDAPS+together.

1) HTTPS itself:

api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=https.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt

security.server.keys_dir=/etc/ambari-server/certs/

2) trusted store:

ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks

If the configuration is done after the ambari-server is configured, then the ambari-server should be restarted. If it is done before, then just normally run ambari-server setup.

Notes:

1) No need to change trusted store if host is using some external CA. For instance, letsencrypt. It is already supported in latest versions of java.

2) Option "client.api.ssl.crt_pass" had not been working for me, but "client.api.ssl.cert_pass_file" was ok.

3) The keystore and truststore use different formats, because keytool does not support direct creation of keystore in jks format. Only via import of jks.

I was more interested in setting puppet environment. However for setup without "ambari-server setup-security" call one can use following steps:

mkdir /etc/ambari-server/certs
cd /etc/ambari-server/certs/
export AMBARI_SERVER_HOSTNAME=localhost
export AMBARI_CERT_PASS=hadoop

----- HTTPS
openssl genrsa -passout pass:$AMBARI_CERT_PASS -out $AMBARI_SERVER_HOSTNAME.key 2048
openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr -subj "/C=IN/ST=One/L=Two/O=hwx/CN=$AMBARI_SERVER_HOSTNAME"
openssl x509 -req -days 365 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
openssl pkcs12 -export -in $AMBARI_SERVER_HOSTNAME.crt -inkey $AMBARI_SERVER_HOSTNAME.key -certfile $AMBARI_SERVER_HOSTNAME.crt -out $AMBARI_SERVER_HOSTNAME.keystore.p12 -password pass:$AMBARI_CERT_PASS
echo "$AMBARI_CERT_PASS" > $AMBARI_SERVER_HOSTNAME.pass.txt
------ Services
keytool -trustcacerts -import -file $AMBARI_SERVER_HOSTNAME.crt -alias ambari-server -keystore $AMBARI_SERVER_HOSTNAME.truststore.jks

and add following lines in ambari.properties:

api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=localhost.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt

security.server.keys_dir=/etc/ambari-server/certs/

ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks

View solution in original post

aervits · ‎02-15-2017

I had a similar issue writing Chef recipe, what I did was the following:

Run the steps with Ambari, populate the ambari.properties so it is functional, then take that ambari.properties file and use as template in Chef and add variables where values change. I am not familiar with puppet and unaware of template concept is available but if it does that's one way. For reference, here's my example in Chef https://github.com/dbist/smartsense-chef/blob/master/templates/default/hst-agent.ini.erb

vladislav_falfu · ‎02-16-2017

Thanks @Artem Ervit. I had finally found a way how to make it puppet-friendly.

There are two groups of parameters that should be considered. Unfortunately not all of them are described in documentation, so had to look here(https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java) and here (https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/python/ambari_server/setupSecurity.py). Also some hints can be found here https://cwiki.apache.org/confluence/display/AMBARI/Enable+HTTPS+and+LDAPS+together.

1) HTTPS itself:

api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=https.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt

security.server.keys_dir=/etc/ambari-server/certs/

2) trusted store:

ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks

If the configuration is done after the ambari-server is configured, then the ambari-server should be restarted. If it is done before, then just normally run ambari-server setup.

Notes:

1) No need to change trusted store if host is using some external CA. For instance, letsencrypt. It is already supported in latest versions of java.

2) Option "client.api.ssl.crt_pass" had not been working for me, but "client.api.ssl.cert_pass_file" was ok.

3) The keystore and truststore use different formats, because keytool does not support direct creation of keystore in jks format. Only via import of jks.

I was more interested in setting puppet environment. However for setup without "ambari-server setup-security" call one can use following steps:

mkdir /etc/ambari-server/certs
cd /etc/ambari-server/certs/
export AMBARI_SERVER_HOSTNAME=localhost
export AMBARI_CERT_PASS=hadoop

----- HTTPS
openssl genrsa -passout pass:$AMBARI_CERT_PASS -out $AMBARI_SERVER_HOSTNAME.key 2048
openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr -subj "/C=IN/ST=One/L=Two/O=hwx/CN=$AMBARI_SERVER_HOSTNAME"
openssl x509 -req -days 365 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
openssl pkcs12 -export -in $AMBARI_SERVER_HOSTNAME.crt -inkey $AMBARI_SERVER_HOSTNAME.key -certfile $AMBARI_SERVER_HOSTNAME.crt -out $AMBARI_SERVER_HOSTNAME.keystore.p12 -password pass:$AMBARI_CERT_PASS
echo "$AMBARI_CERT_PASS" > $AMBARI_SERVER_HOSTNAME.pass.txt
------ Services
keytool -trustcacerts -import -file $AMBARI_SERVER_HOSTNAME.crt -alias ambari-server -keystore $AMBARI_SERVER_HOSTNAME.truststore.jks

and add following lines in ambari.properties:

api.ssl=true
client.api.ssl.cert_name=localhost.crt
client.api.ssl.key_name=localhost.key
client.api.ssl.port=8443
client.api.ssl.keystore_name=localhost.keystore.p12
client.api.ssl.keystore_type=pkcs12
client.api.ssl.crt_pass=hadoop
client.api.ssl.cert_pass_file=localhost.pass.txt

security.server.keys_dir=/etc/ambari-server/certs/

ssl.trustStore.password=hadoop
ssl.trustStore.path=/etc/ambari-server/certs/localhost.truststore.jks
ssl.trustStore.type=jks

vladislav_falfu · ‎02-21-2017

Unfortunately the method does not work on ambari-server 2.4.2.0-136.

vladislav_falfu · ‎02-21-2017

for 2.4.2.0-136 several additional parameters should be considered:

client.api.ssl.truststore_name=localhost.jks
client.api.ssl.truststore_type=jks
client.api.ssl.keys_dir=/etc/ambari-server/certs/

Cloudera Community

Support Questions

puppet setup of Ambari ssl