12-09-2021
09:27 PM
@prova Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.
09-29-2021
10:12 PM
Pre-requisites:
1. You need to have the correct passwords.
2. The PrivateKey of the CA is required to sign off all the agent certificates.
3. Password for the pass.txt file will be present in clear-text format. And currently, there is no way to encrypt it.
Steps:
Back up and delete all the crt and csr files that start with hostname at /var/lib/ambari-server/keys.
    tar -cvzf keys_directory.tar.gz /var/lib/ambari-server/keys/*
Empty /var/lib/ambari-server/keys/db/index.txt file
    mv /var/lib/ambari-server/keys/db/index.txt /tmp
Delete any certificates under /var/lib/ambari-server/keys/db/newcerts/
    mv /var/lib/ambari-server/keys/db/newcerts/* /tmp
Configure CA-signed certificate artifacts in Ambari Server by:
Copy the CA-signed certificate, key files to /var/lib/ambari-server/keys/ e.g. rootca.crt, root_server.key
Create PKCS keystore file from your certificate and key files.
    openssl pkcs12 -export -in rootca.crt -inkey /var/lib/ambari-server/keys/root_server.key -certfile rootca.crt -out keystore_CA.p12 -password pass:hadoop1120 -passin pass:hadoop1120
Create a text file with the appropriate password that has been provided for the keystore in /var/lib/ambari-server/keys directory:
    echo hadoop1120 > pass_CA.txt
Next, configure Ambari to use the new cert, keys, and keystore files.
Edit the /etc/ambari-server/conf/ambari.properties and set the following keys and values:
    security.server.cert_name=rootca.crt
    security.server.key_name=root_server.key
    security.server.keystore_name=keystore_CA.p12
    security.server.truststore_name=keystore_CA.p12
    security.server.crt_pass_file=pass_CA.txt
    security.server.two_way_ssl=true
After adding the properties, clean up existing Ambari agent keys information by removing all files in the /var/lib/ambari-agent/keys/ directory on each node that has Ambari agent installed.
Note: Ambari server uses the following command to generate the certificates using the configs above. This command requires the ca.config to be present at the location. (Content of ca.config does not matter):
openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/node1.coelab.cloudera.com.csr -out /var/lib/ambari-server/keys/node1.coelab.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/root_server.key -cert /var/lib/ambari-server/keys/rootca.crt
openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/node2.coelab.cloudera.com.csr -out /var/lib/ambari-server/keys/node2.coelab.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/root_server.key -cert /var/lib/ambari-server/keys/rootca.crt
openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/c2218-node4.coelab.cloudera.com.csr -out /var/lib/ambari-server/keys/c2218-node4.coelab.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/root_server.key -cert /var/lib/ambari-server/keys/rootca.crt
openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/hostname.cloudera.com.csr -out /var/lib/ambari-server/keys/hostname.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/root_server.key -cert /var/lib/ambari-server/keys/rootca.crt
Sample logs from ambari-server.log file after implementation:
[root@node1 ambari-server]# grep "Validating agent hostname:" ambari-server.log -A3
2021-09-22 10:52:46,862 INFO [qtp-ambari-agent-222] CertificateManager:238 - Validating agent hostname: hostname.cloudera.com
2021-09-22 10:52:46,862 INFO [qtp-ambari-agent-222] CertificateManager:250 - Verifying passphrase
2021-09-22 10:52:46,891 INFO [qtp-ambari-agent-222] ShellCommandUtil:63 - Command openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/hostname.cloudera.com.csr -out /var/lib/ambari-server/keys/hostname.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/rootca_PKey.key -cert /var/lib/ambari-server/keys/rootca.crt was finished with exit code: 0 - the operation was completely successfully.
2021-09-22 10:52:47,522 INFO [agent-register-processor-0] HeartBeatHandler:321 - agentOsType = centos7
--
2021-09-22 10:52:51,929 INFO [qtp-ambari-agent-222] CertificateManager:238 - Validating agent hostname: node4.coelab.cloudera.com
2021-09-22 10:52:51,929 INFO [qtp-ambari-agent-222] CertificateManager:250 - Verifying passphrase
2021-09-22 10:52:51,954 INFO [qtp-ambari-agent-222] ShellCommandUtil:63 - Command openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/hostname.coelab.cloudera.com.csr -out /var/lib/ambari-server/keys/hostname.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/rootca_PKey.key -cert /var/lib/ambari-server/keys/rootca.crt was finished with exit code: 0 - the operation was completely successfully.
2021-09-22 10:52:52,450 INFO [agent-register-processor-1] HeartBeatHandler:321 - agentOsType = centos7
--
2021-09-22 10:52:53,227 INFO [qtp-ambari-agent-222] CertificateManager:238 - Validating agent hostname: hostname.coelab.cloudera.com
2021-09-22 10:52:53,227 INFO [qtp-ambari-agent-222] CertificateManager:250 - Verifying passphrase
2021-09-22 10:52:53,253 INFO [qtp-ambari-agent-222] ShellCommandUtil:63 - Command openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/hostname.cloudera.com.csr -out /var/lib/ambari-server/keys/hostname.cloudera.com.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/rootca_PKey.key -cert /var/lib/ambari-server/keys/rootca.crt was finished with exit code: 0 - the operation was completely successfully.
2021-09-22 10:52:53,683 INFO [agent-register-processor-2] HeartBeatHandler:321 - agentOsType = centos7
Sample logs after successful registration of the ambari-agent with the ambari-server from the ambari-agent.log:
INFO 2021-09-22 10:52:52,880 NetUtil.py:61 - Connecting to https://hostname.cloudera.com:8440/connection_info
INFO 2021-09-22 10:52:52,952 security.py:59 - Server require two-way SSL authentication. Use it instead of one-way...
INFO 2021-09-22 10:52:52,952 security.py:61 - Connecting to wss://hostname.cloudera.com:8441/agent/stomp/v1
INFO 2021-09-22 10:52:52,952 security.py:221 - Server certicate not exists, downloading
INFO 2021-09-22 10:52:52,953 security.py:244 - Downloading server cert from https://c2218-node1.coelab.cloudera.com:8440/cert/ca/
INFO 2021-09-22 10:52:53,019 security.py:229 - Agent key not exists, generating request
INFO 2021-09-22 10:52:53,020 security.py:301 - openssl req -new -newkey rsa -nodes -keyout "/var/lib/ambari-agent/keys/hostname.com.key" -subj /OU=hostname.cloudera.com/ -out "/var/lib/ambari-agent/keys/hostname.com.csr"
INFO 2021-09-22 10:52:53,158 security.py:237 - Agent certificate not exists, sending sign request
INFO 2021-09-22 10:52:53,349 transport.py:329 - Starting receiver loop
INFO 2021-09-22 10:52:53,352 security.py:88 - SSL connection established. Two-way SSL authentication completed successfully.
INFO 2021-09-22 10:52:53,674 HeartbeatThread.py:127 - Sending registration request
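A check that can be run after the steps in the post above, as an added example that is not part of the original post: because pass_CA.txt keeps the keystore password in clear text, it reports any configured key, keystore or password file that group or others can access, along with missing properties or files. The finding labels, the function names and the owner-only permission policy are assumptions of this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files that the
# ambari.properties keys above point at. Assumes GNU stat, as on CentOS 7.

# prop_get FILE KEY -> value of the last "KEY=value" line, trimmed
prop_get() {
    awk -v k="$2" '{
        i = index($0, "="); if (i == 0) next
        n = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", n)
        if (n == k) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v) }
    } END { print v }' "$1"
}

# audit_ambari_ssl PROPS KEYS_DIR
# Prints one finding per line and returns 1 if there is any finding.
audit_ambari_ssl() {
    props=$1; keys_dir=$2; bad=0
    for key in cert_name key_name keystore_name truststore_name crt_pass_file; do
        val=$(prop_get "$props" "security.server.$key")
        if [ -z "$val" ]; then
            echo "MISSING_PROPERTY security.server.$key"; bad=1; continue
        fi
        if [ ! -f "$keys_dir/$val" ]; then
            echo "MISSING_FILE $val"; bad=1; continue
        fi
        # The certificate is public; every other file holds or unlocks the CA key.
        [ "$key" = cert_name ] && continue
        mode=$(stat -c '%a' "$keys_dir/$val")
        # Any group or other permission bit (octal 077) is a finding.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "LOOSE_PERMS $val mode=$mode"; bad=1
        fi
    done
    if [ "$(prop_get "$props" security.server.two_way_ssl)" != true ]; then
        echo "TWO_WAY_SSL_DISABLED"; bad=1
    fi
    return "$bad"
}

# Run against a real install when called with two arguments, e.g.
#   sh audit.sh /etc/ambari-server/conf/ambari.properties /var/lib/ambari-server/keys
if [ "$#" -eq 2 ]; then audit_ambari_ssl "$1" "$2"; fi
```

When the keystore and truststore properties name the same file, as in the post, a permission finding for that file is printed once per property.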
09-28-2021
01:19 AM
Hello @Parth_Pathak , The "atlas" checkboxes were already checked. However, I was able to populate Atlas with the import-hive.sh script. Which is enough for now. Thank you,
09-23-2021
05:56 AM
Ambari version 2.6.1. So I was not adding HBase. I was trying to add an mpack, so I tried to recreate the tar.gz file and install the mpack via command line. I may have been doing things too fast and may have accidentally deleted something. Not sure. But I don't think I touched HBase.
06-29-2021
04:40 AM
I have upgraded from 7.1.1 to 7.1.6 and "Upgrade Ranger database and apply patches" is grayed out.
09-20-2019
04:21 AM
Hello @dvillarreal, Thank you for the script files, makes life easy! Just a small edit: The proc.psql file was missing one SQL statement @line 96:
    delete from x_user_module_perm where user_id = x_portal_user_id;
We were facing the below issue while trying the commands from psql file manually:
    ERROR: update or delete on table "x_portal_user" violates foreign key constraint "x_user_module_perm_fk_userid" on table "x_user_module_perm"
    DETAIL: Key (id)=(19) is still referenced from table "x_user_module_perm"
Because of the above blocker, the script was not deleting the users from the DB. Once we added the missing SQL statement and ran the deleteRangerUser.sh we were able to use it with successful results.