I have installed basic Ranger via Ambari on HDP 2.2.6 (Oracle as metadata store).
It installed fine, but I cannot open the Ranger UI; it fails with "username/password not valid" for admin/admin.
When I check catalina.out, I see the error below:
INFO: Initializing ProtocolHandler ["http-bio-6182"]
Oct 04, 2016 3:20:28 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path /etc/ranger/admin/keys/server.jks due to /etc/ranger/admin/keys/server.jks (No such file or directory)
java.io.FileNotFoundException: /etc/ranger/admin/keys/server.jks (No such file or directory)
I am stuck on this with no luck. Please suggest. I tried updating the directory with 777, but no luck.
I am using Ambari 2.2 with secured HDP 2.2.6.
I need to set up Knox and Ranger with AD and am facing issues with it.
Do I need to perform certain steps to enable SSL in order to generate the JKS keys? (*#ranger)
Second, for Knox (I have two VMs with basic configuration behind a load balancer), I see there are two ways to do it:
a) Add these VMs as new hosts via Ambari and install Knox
b) Manually install without adding the hosts
Which method is recommended for a production setup?
I am trying both ways on the lab clusters I have, but I am stuck on the below:
Knox works OK for a non-AD/LDAP setup, but when I try to give it the AD configs
I get the exception below:
root@insionft01 keystores]# curl -i -u guest:guest-password "https://insionft01.corp.amdocs.com:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Is this something I need to request from the Windows team (the items below), or can I self-generate them on my own for a production setup?
1.Your LDAP or AD Digital Certificate: <ldap>.crt
2.The company's Digital CA Cert: <company_ca>.crt
3.The certificate/ key pair for the gateway node: <gateway_node>.crt and <gateway_node>.pem
4.The passphrase for the above gateway node key.
Any best-practice document for Knox and Ranger with AD would be of great help.
I tested on the LAN and imported the certificate into the cluster for Knox as below:
openssl.exe pkcs12 -in insi.pfx -nocerts -out P1.pem
openssl.exe rsa -in P1.pem -out private.pem
openssl.exe pkcs12 -in insi.pfx -clcerts -nokeys -out RCert.pem
[root@insionft01 cert]# openssl pkcs12 -in insi.pfx -nocerts -out P1.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[root@insionft01 cert]# keytool -importcert -trustcacerts -file insionft01.cer -storepass changeit -noprompt -alias MyLdapCert -keystore /usr/java/jdk1.8.0_74/jre/lib/security/cacerts
Certificate was added to keystore
But we still face the same "Peer certificate cannot be authenticated with known CA certificates" error.
Any best-practice document would help, as I am probably missing certain configs or steps in the LDAP/AD setup.
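The curl error (60) in the post is a client-side trust decision: curl checks the gateway's certificate against its own CA bundle (or the file given with --cacert), and importing the certificate into the JVM's cacerts with keytool has no effect on curl. The script below is an added example, not code from the original post; it builds a throwaway PKI with openssl so the same failure and its fix can be seen offline, without a running Knox gateway. Everything in it is constructed: the "Demo Corp CA", the host name gateway.example.test, the "demo" PFX password, and the work directory under /tmp; it assumes only that the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. It reproduces curl error (60)
# offline with a throwaway PKI so the cause can be seen without a live gateway.
# Assumptions: the openssl CLI is on PATH; every name and path below is
# constructed (Demo Corp CA, gateway.example.test, the "demo" PFX password).
set -e

WORK="${TMPDIR:-/tmp}/knox-tls-demo.$$"
GW_HOST="gateway.example.test"

# Build a private CA, a gateway key/cert signed by it, an unrelated CA, and a
# PKCS#12 bundle shaped like the .pfx a Windows team would hand over.
make_demo_pki() {
    mkdir -p "$WORK"
    # The company CA (<company_ca>.crt in the post).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Corp CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # A second CA that never signed anything of ours, standing in for the CAs
    # in curl's default bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" >/dev/null 2>&1
    # Gateway key and CSR (<gateway_node>.pem / <gateway_node>.crt in the post).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$GW_HOST" \
        -keyout "$WORK/gateway.key" -out "$WORK/gateway.csr" >/dev/null 2>&1
    # Sign it with the company CA and put the host name in a SAN, which is what
    # clients actually check for the "name might not match" case.
    printf 'subjectAltName=DNS:%s\n' "$GW_HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/gateway.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" -CAcreateserial -days 1 -extfile "$WORK/san.ext" \
        -out "$WORK/gateway.crt" >/dev/null 2>&1
    # Bundle key + cert + CA into a PFX (the insi.pfx of the post).
    openssl pkcs12 -export -in "$WORK/gateway.crt" -inkey "$WORK/gateway.key" \
        -certfile "$WORK/ca.crt" -passout pass:demo -out "$WORK/gateway.pfx"
}

# Chain check against a chosen CA file: prints "ok" or "fail". This is the
# same decision curl makes with its default bundle or with --cacert.
verify_against() {
    if openssl verify -CAfile "$1" "$WORK/gateway.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Host name check: the host in the URL must match the certificate's SAN.
verify_host() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
            "$WORK/gateway.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Pull the CA certificate (not just the client cert) out of the PFX; this is
# the file to hand to curl --cacert. Prints its path.
extract_ca_from_pfx() {
    openssl pkcs12 -in "$WORK/gateway.pfx" -cacerts -nokeys -passin pass:demo \
        -out "$WORK/ca-from-pfx.crt" >/dev/null 2>&1
    echo "$WORK/ca-from-pfx.crt"
}

make_demo_pki
echo "trusting the signing CA:   $(verify_against "$WORK/ca.crt")"            # ok
echo "trusting an unrelated CA:  $(verify_against "$WORK/other-ca.crt")"      # fail (curl 60)
echo "host $GW_HOST: $(verify_host "$GW_HOST")"                               # ok
echo "host insionft01:           $(verify_host insionft01.example.test)"      # fail
echo "CA extracted from the PFX: $(verify_against "$(extract_ca_from_pfx)")"  # ok
```

The second line is the post's situation: the chain is valid, but the CA that signed the gateway certificate is not among the ones the client trusts, so verification fails. Against a real gateway the counterpart of `verify_against` is `curl --cacert ca.crt https://...`, which keeps verification on; `-k` only hides the problem. The last line shows that the CA certificate can be recovered from the PFX with `-cacerts` (the post's extraction only used `-clcerts`, which yields the gateway certificate alone). The work directory is left under /tmp for inspection.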