Member since 09-28-2015
Posts: 14
Kudos Received: 28
Solutions: 0
10-11-2017
06:43 PM
You can do "keytool -list -v -keystore corp_cert_chain.pfx -keystoretype PKCS12". It would list the alias name. Basically, we are renaming the alias in the corp certificate to "gateway-identity"
09-26-2017
03:39 PM
2 Kudos
You can set up encryption for the passwords stored in the Ambari properties file by running, on the Ambari server host:

ambari-server setup-security

This creates two files under /var/lib/ambari-server/keys:
1. credentials.jceks
2. master

This article explains how to change the alias passwords stored in credentials.jceks without resetting encryption. The keystore password that keytool prompts for below is the Ambari master key chosen during setup-security.

Step 1: Take a backup of the existing files

cd /var/lib/ambari-server/keys
cp master master.old
cp credentials.jceks credentials.old.jceks

Step 2: Replace the alias

If your cluster has JDK 1.8.xx installed, follow the procedure below (keytool -importpass is available from JDK 8 onwards):

<JDK_HOME>/bin/keytool -list -v -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
<JDK_HOME>/bin/keytool -delete -alias ambari.ldap.manager.password -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
<JDK_HOME>/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
Enter the password to be stored:
Re-enter password:
Enter key password for <ambari.ldap.manager.password>
(RETURN if same as keystore password): ----> Hit enter
<JDK_HOME>/bin/keytool -list -v -keystore credentials.jceks -storetype JCEKS
Enter keystore password:

If your cluster is still using JDK 1.7.xx, you can use knoxcli.sh to change the passwords as shown below:

<KNOX_HOME>/bin/knoxcli.sh list-alias --cluster ambari
<KNOX_HOME>/bin/knoxcli.sh delete-alias ambari.ldap.manager.password --cluster ambari
<KNOX_HOME>/bin/knoxcli.sh create-alias ambari.ldap.manager.password --cluster ambari --value <password-to-be-stored>

Note that --value puts the new secret on the command line, where it is visible in the process listing and in shell history; clear the history entry afterwards.
Tagged with: ambari-server, How-ToTutorial, Security
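The procedure above can be scripted so that no secret ever appears on a command line (the knoxcli --value form, and keytool's own -storepass flag, both leak into ps and shell history). The following Python script is an added example, not part of the original article or of Ambari; it drives keytool the same way the manual steps do but answers every prompt on stdin. It assumes a JDK 8+ keytool on PATH (for -importpass), that the keystore password is the Ambari master key, and the default /var/lib/ambari-server/keys location; the keytool -list output in the test is constructed, and the run callable is injectable so the sequence can be exercised without a JDK.

```python
"""Rotate one alias in Ambari's credentials.jceks without resetting
encryption: backup, keytool -delete, keytool -importpass, keytool -list.
Added example; not part of the original article or of Ambari.
Assumptions: JDK 8+ keytool on PATH, keystore password == Ambari master key."""
import shutil
import subprocess
import time
from typing import Callable, List

KEYS_DIR = "/var/lib/ambari-server/keys"   # Ambari default, as in the article
KEYTOOL = "keytool"                         # assumption: <JDK_HOME>/bin is on PATH


def backup_keys(keys_dir: str = KEYS_DIR, now: float = None) -> List[str]:
    """Step 1 of the article: copy master and credentials.jceks aside first."""
    stamp = time.strftime("%Y%m%d%H%M%S", time.localtime(now))
    copies = []
    for name in ("master", "credentials.jceks"):
        dst = f"{keys_dir}/{name}.{stamp}.bak"
        shutil.copy2(f"{keys_dir}/{name}", dst)
        copies.append(dst)
    return copies


def keytool_argv(action: str, alias: str, keystore: str) -> List[str]:
    """keytool command line with NO -storepass/-keypass: argv is readable by
    every local user via ps and ends up in shell history."""
    return [KEYTOOL, action, "-alias", alias, "-keystore", keystore, "-storetype", "JCEKS"]


def importpass_answers(master_key: str, new_secret: str) -> str:
    """stdin for `keytool -importpass`, one line per prompt in the order the
    article shows: keystore password, password to store, re-enter, and an
    empty line for 'key password (RETURN if same as keystore password)'."""
    return f"{master_key}\n{new_secret}\n{new_secret}\n\n"


def list_aliases(keystore: str, master_key: str,
                 run: Callable = subprocess.run) -> List[str]:
    """Alias names from `keytool -list` (one 'alias, date, XxxEntry,' line each)."""
    r = run([KEYTOOL, "-list", "-keystore", keystore, "-storetype", "JCEKS"],
            input=master_key + "\n", text=True, capture_output=True, check=True)
    return [ln.split(",", 1)[0].strip() for ln in r.stdout.splitlines() if "Entry," in ln]


def rotate_alias(keystore: str, alias: str, master_key: str, new_secret: str,
                 run: Callable = subprocess.run) -> List[List[str]]:
    """Delete the alias and import it again with the new secret.  Returns the
    argv of each keytool call; `run` is injectable so this can be tested
    without a JDK.  Take the backup first: if -importpass fails, the alias
    is already gone."""
    executed = []
    for action, answers in (("-delete", master_key + "\n"),
                            ("-importpass", importpass_answers(master_key, new_secret))):
        argv = keytool_argv(action, alias, keystore)
        run(argv, input=answers, text=True, capture_output=True, check=True)
        executed.append(argv)
    return executed


if __name__ == "__main__":
    import getpass
    import sys
    alias = sys.argv[1] if len(sys.argv) > 1 else "ambari.ldap.manager.password"
    ks = f"{KEYS_DIR}/credentials.jceks"
    mk = getpass.getpass("Ambari master key: ")
    new = getpass.getpass(f"New value for {alias}: ")
    print("backed up:", backup_keys())
    rotate_alias(ks, alias, mk, new)
    print("aliases now:", list_aliases(ks, mk))
```

Run it as root on the Ambari server host; both secrets are read with getpass, so nothing sensitive is passed as an argument.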
06-09-2017
04:24 PM
2 Kudos
Configure SSL for Ambari Server

# On ambari-server host, take a backup of existing files
mkdir /root/ambari-ssl-backup; cp -r /var/lib/ambari-server/keys/* /root/ambari-ssl-backup/

# Navigate to the folder where all certificates are stored
cd <dir>

# Extract certificates from the p7b file (add -inform DER if the .p7b is binary rather than PEM)
openssl pkcs7 -in ambari-server-host-cert.p7b -print_certs > ambari-server-host-name.crt

# The above .crt file contains the full certificate chain, so separate the server certificate from the root chain:
# copy the intermediate/root chain to ca.crt and delete the intermediate/root chain from ambari-server-host-name.crt

# Copy ca.crt, ambari-server-host-name.crt and ambari-server-host-privateKey.key to /var/lib/ambari-server/keys/
cp ca.crt /var/lib/ambari-server/keys/
cp ambari-server-host-privateKey.key /var/lib/ambari-server/keys/
cp ambari-server-host-name.crt /var/lib/ambari-server/keys/

# Put the keystore password in a file (assumed here to be 'changeit'; pick a real one)
echo "changeit" > pass.txt

# Generate the keystore for ambari-server. Ambari uses a PKCS12 keystore. Use the above password when prompted.
openssl pkcs12 -export -out keystore.p12 -inkey ambari-server-host-privateKey.key -in ambari-server-host-name.crt -certfile ca.crt

# Verify the keystore
/usr/jdk64/jdk1.8.0_77/bin/keytool -list -v -keystore keystore.p12 -storetype pkcs12 -storepass changeit

# Create a truststore with the root/intermediate, Ambari server and all agent certificates.
# Note: keytool -import reads only the first certificate in a file. If ca.crt holds both an
# intermediate and a root, split them and import each under its own alias.
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ca.crt -keystore truststore.jks -storepass changeit -alias rootCA
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ambari-server-host-name.crt -keystore truststore.jks -storepass changeit -alias ambari-server
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ambari-agent-host2.crt -keystore truststore.jks -storepass changeit -alias ambari-agent-host2
...

# Copy keystore.p12, pass.txt and truststore.jks into /var/lib/ambari-server/keys/ as well; the properties
# added below refer to them by file name relative to that directory. Restrict the private key and pass.txt
# to root only: together they are the secret that protects the keystore.

# Enable HTTPS for ambari-server
ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ? <hit enter for the default>
Enter path to Certificate: /var/lib/ambari-server/keys/ambari-server-host-name.crt
Enter path to Private Key: /var/lib/ambari-server/keys/ambari-server-host-privateKey.key
Please enter password for Private Key: <hit enter if none>
Generating random password for HTTPS keystore...done.
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site

# Configure the truststore for ambari-server (this truststore would also contain the certificates of the
# AD server(s) in case of LDAPS between ambari-server and AD)
ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file :/var/lib/ambari-server/keys/truststore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.

# Edit /etc/ambari-server/conf/ambari.properties and add the properties below
security.server.two_way_ssl=true
security.server.cert_name=ambari-server-host-name.crt
security.server.key_name=ambari-server-host-privateKey.key
security.server.keystore_name=keystore.p12
security.server.keystore_type=PKCS12
security.server.truststore_name=truststore.jks
security.server.truststore_type=JKS
security.server.crt_pass_file=pass.txt

# Restart Ambari Server
ambari-server restart

# Since the certificates were already created, Ambari Server should not create any certificates.
# Verify by inspecting the logs in /var/log/ambari-server/ambari-server.log
xxxxxxxxxxxxxxxxxxx INFO [main] CertificateManager:68 - Initialization of root certificate
xxxxxxxxxxxxxxxxxxx INFO [main] CertificateManager:70 - Certificate exists:true

Configure SSL for Ambari Agent

### Repeat these steps for every host in the cluster, including the ambari-server host

# Extract the Agent certificate from the p7b file
openssl pkcs7 -in ambari-agent-cert.p7b -print_certs > `hostname -f`.crt

# Copy the Agent certificate and key
cp `hostname -f`.crt /var/lib/ambari-agent/keys/
cp ambari-agent-privateKey.key /var/lib/ambari-agent/keys/`hostname -f`.key

# Copy the CA certificate (Note: this has to be copied manually, otherwise the agent will copy over the
# server certificate instead of the CA certificate)
cp ca.crt /var/lib/ambari-agent/keys/

# Restart Ambari Agent
ambari-agent restart

# Verify by inspecting the logs in /var/log/ambari-agent/ambari-agent.log
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:49 - Server require two-way SSL authentication. Use it instead of one-way...
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:175 - Server certicate exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:183 - Agent key exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:191 - Agent certificate exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:93 - SSL Connect being called.. connecting to the server
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:77 - SSL connection established. Two-way SSL authentication completed successfully.
INFO XXXXXXXXXXXXXXXXXXXXXXX Controller.py:149 - Registration Successful (response id = 0)
INFO XXXXXXXXXXXXXXXXXXXXXXX Controller.py:153 - Got status commands on registration.
Tagged with: ambari-agent, ambari-server, How-ToTutorial, Sandbox & Learning, Security, ssl
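The step in the Ambari procedure above that says to separate the server certificate from the intermediate/root chain is done by hand in the article, and it is easy to get wrong when the p7b carries more than one CA certificate. The following Python script is an added example, not part of the original article or of Ambari: it reads the output of openssl pkcs7 -print_certs, uses the subject=/issuer= header lines that precede each PEM block to find the one certificate that issues nothing else (the leaf), orders the rest leaf-first, and writes the two files the article needs. The embedded sample bundle is constructed (placeholder bodies, not real certificates); the file names are the article's.

```python
"""Split the output of `openssl pkcs7 -in host.p7b -print_certs` into the
end-entity certificate (ambari-server-host-name.crt) and the CA chain (ca.crt).
Added example; not from the original article or from Ambari.  Only the
subject=/issuer= header lines are interpreted, so it works with both the
OpenSSL 1.0 (/C=US/O=...) and 1.1 (C = US, O = ...) DN styles."""
import sys
from typing import Dict, List, Tuple

Cert = Dict[str, str]  # keys: subject, issuer, pem


def parse_print_certs(text: str) -> List[Cert]:
    """Collect (subject, issuer, PEM) triples in the order they appear."""
    certs: List[Cert] = []
    cur: Cert = {}
    pem: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            if line.startswith("subject="):
                cur["subject"] = line[len("subject="):].strip()
            elif line.startswith("issuer="):
                cur["issuer"] = line[len("issuer="):].strip()
            elif line == "-----BEGIN CERTIFICATE-----":
                if "subject" not in cur or "issuer" not in cur:
                    raise ValueError("PEM block without subject=/issuer= header")
                pem, inside = [line], True
        else:
            pem.append(line)
            if line == "-----END CERTIFICATE-----":
                cur["pem"] = "\n".join(pem) + "\n"
                certs.append(cur)
                cur, inside = {}, False
    if inside:
        raise ValueError("truncated PEM block")
    return certs


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return the bundle ordered leaf -> intermediate(s) -> root.
    The leaf is the single certificate whose subject issues nothing else in
    the bundle; a self-signed root issues itself and so is never chosen."""
    issuers = {c["issuer"] for c in certs}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity certificate, found {len(leaves)}")
    by_subject = {c["subject"]: c for c in certs}
    chain, seen = [leaves[0]], {leaves[0]["subject"]}
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        nxt = by_subject.get(chain[-1]["issuer"])
        if nxt is None or nxt["subject"] in seen:
            break  # issuer not in the bundle (or a loop): stop with what we have
        chain.append(nxt)
        seen.add(nxt["subject"])
    return chain


def split_bundle(text: str) -> Tuple[str, str]:
    """(server certificate PEM, CA chain PEM), i.e. the article's two files."""
    chain = order_chain(parse_print_certs(text))
    return chain[0]["pem"], "".join(c["pem"] for c in chain[1:])


# Constructed sample in the shape of -print_certs output, with placeholder
# bodies instead of real base64, and deliberately out of order.
SAMPLE_BUNDLE = """\
subject=/C=US/O=Example Corp/CN=Example Root CA
issuer=/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOT-CERT-PLACEHOLDER
-----END CERTIFICATE-----

subject=/C=US/O=Example Corp/CN=ambari-server-host-name
issuer=/C=US/O=Example Corp/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAF-CERT-PLACEHOLDER
-----END CERTIFICATE-----

subject=/C=US/O=Example Corp/CN=Example Issuing CA
issuer=/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CERT-PLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # usage: python split_chain.py <print_certs output> <server.crt> <ca.crt>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            server, ca = split_bundle(f.read())
        with open(sys.argv[2], "w") as f:
            f.write(server)
        with open(sys.argv[3], "w") as f:
            f.write(ca)
    else:
        server, ca = split_bundle(SAMPLE_BUNDLE)
        print(server, ca, sep="---- ca.crt ----\n")
```

Because the script refuses bundles with more than one end-entity certificate, running it on a p7b that bundles several host certificates fails loudly instead of silently writing the wrong leaf into ambari-server-host-name.crt.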
03-28-2017
07:30 PM
1 Kudo
We were not able to auto-create topics after we enabled Ranger. Any thoughts?
Labels: Apache Kafka
03-28-2017
10:52 AM
1 Kudo
If we try to create a report on the policy name and download it as Excel/CSV, we get the following error. Any thoughts? (attachments: image001.png, image002.png)
Labels: Apache Ranger
02-27-2017
04:55 PM
As per https://cwiki.apache.org/confluence/display/RANGER/Multiple+OU+Ldap+Search+support+for+UserSync, we can configure multiple OUs by delimiting ranger.usersync.ldap.user.searchbase with ";". In that case, what should the user search filter be? Does it need to be a search filter with an LDAP OR query over all the groups?
Labels: Apache Ranger
09-28-2016
06:28 PM
401 is an authentication issue. Can you please check whether the credentials are correct?
09-28-2016
06:11 PM
Matt, try this: jdbc:hive2://<knox_host>:8443/;ssl=true;sslTrustStore=/var/lib/knox/data/security/keystores/gateway.jks;trustStorePassword=<master_secret>;transportMode=http;httpPath=gateway/default/hive
09-21-2016
02:37 PM
5 Kudos
Step 1: Take a backup of the original configuration:
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/
(Note: any other aliases stored in __gateway-credentials.jceks, for example an LDAP system user password, are moved away with it and have to be re-created afterwards.)
Step 2: Create a keystore in PKCS12 format from your private key file, certificate and root public certificate
[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer
Step 3: Generate the Knox keystore
[~]$ cp corp_cert_chain.pfx /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -srcalias <src-alias> -destalias gateway-identity -destkeypass <knox-master-secret>
(<src-alias> is the alias inside the .pfx; listing the .pfx with keytool -list -v shows it, as in the reply above. Knox expects the key to be stored under the alias gateway-identity with the master secret as key password.)
Step 4: Store the keystore password in the jceks file
[~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>
Step 5: Restart Knox; you should see the lines below in your Knox logs
[~]$ tail -f /var/log/knox/gateway.log
INFO hadoop.gateway (JettySSLService.java:init(106)) - Keystore for the gateway instance found - no need to create one.
INFO hadoop.gateway (JettySSLService.java:logAndValidateCertificate(128)) - The Gateway SSL certificate is issued to hostname: XXXXXXXXXXXX.
INFO hadoop.gateway (JettySSLService.java:logAndValidateCertificate(131)) - The Gateway SSL certificate is valid between: 5/3/16 7:00 PM and 5/4/19 6:59 PM.
INFO hadoop.gateway (GatewayServer.java:startGateway(219)) - Starting gateway...
INFO hadoop.gateway (GatewayServer.java:start(311)) - Loading topologies from directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology admin from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/admin.war.152cadc1518
INFO hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology default from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/default.war.154819e2a38
INFO hadoop.gateway (GatewayServer.java:start(315)) - Monitoring topologies in directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO hadoop.gateway (GatewayServer.java:startGateway(232)) - Started gateway on port 8,443
Tagged with: how-to-tutorial, How-ToTutorial, Knox, knox-gateway, LDAP, Security, ssl
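Both the reply above (using keytool -list -v to find the alias inside the .pfx) and the Knox article rely on reading keytool's listing by eye. The following Python script is an added example, not part of the original posts, of Knox or of the JDK: it parses keytool -list -v output and performs the checks Knox itself logs at startup (alias gateway-identity present, a PrivateKeyEntry rather than a trusted certificate, a chain longer than one certificate, and a subject CN that matches the gateway host), so a broken importkeystore is caught before the restart in Step 5. The field labels it parses ("Alias name:", "Entry type:", "Certificate chain length:", "Owner:", "Issuer:") are those printed by JDK 8 keytool; the embedded listing is constructed and abbreviated.

```python
"""Pre-flight check of gateway.jks before restarting Knox, from the output of
`keytool -list -v -keystore gateway.jks`.  Added example; not part of the
original posts, of Knox or of the JDK.  Parses the JDK 8 keytool field labels."""
import re
import subprocess
from typing import Dict, List

Entry = Dict[str, object]


def parse_keytool_list(text: str) -> Dict[str, Entry]:
    """Map alias -> {entry_type, chain_length, owners[], issuers[]}.
    owners[0] is the entry's own certificate (Certificate[1] for key entries)."""
    entries: Dict[str, Entry] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"entry_type": "", "chain_length": 0, "owners": [], "issuers": []}
            entries[line.split(":", 1)[1].strip()] = cur
        elif cur is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            cur["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            cur["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:"):
            cur["owners"].append(line.split(":", 1)[1].strip())
        elif line.startswith("Issuer:"):
            cur["issuers"].append(line.split(":", 1)[1].strip())
    return entries


def cn_of(dn: str) -> str:
    """CN attribute of an 'Owner:' distinguished name ('' if absent)."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""


def check_gateway_identity(listing: str, gateway_host: str,
                           alias: str = "gateway-identity") -> List[str]:
    """Problems found (empty list means the keystore looks right for Knox)."""
    entries = parse_keytool_list(listing)
    e = entries.get(alias)
    if e is None:
        return [f"alias '{alias}' missing; aliases present: {sorted(entries)}"]
    problems = []
    if e["entry_type"] != "PrivateKeyEntry":
        problems.append(f"'{alias}' is a {e['entry_type']}, not a PrivateKeyEntry (wrong -srcalias?)")
    if e["chain_length"] < 2:
        problems.append("chain length < 2: no issuer certificate; re-export the PKCS12 with -certfile")
    if e["owners"] and cn_of(e["owners"][0]) != gateway_host:
        problems.append(f"certificate CN '{cn_of(e['owners'][0])}' != gateway host '{gateway_host}'")
    return problems


def list_keystore(keystore: str, storepass: str) -> str:
    """Run keytool and return its listing; the password goes on stdin, not argv."""
    r = subprocess.run(["keytool", "-list", "-v", "-keystore", keystore],
                       input=storepass + "\n", text=True, capture_output=True, check=True)
    return r.stdout


# Constructed, abbreviated `keytool -list -v` output (fingerprints omitted).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gateway-identity
Creation date: Sep 21, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=knox.example.com, OU=Platform, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c4d
Valid from: Tue May 03 19:00:00 UTC 2016 until: Fri May 03 18:59:59 UTC 2019
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US

*******************************************

Alias name: example-root-ca
Creation date: Sep 21, 2016
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
"""

if __name__ == "__main__":
    import getpass
    import socket
    import sys
    ks = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/knox/data/security/keystores/gateway.jks"
    listing = list_keystore(ks, getpass.getpass("Knox master secret: "))
    problems = check_gateway_identity(listing, socket.getfqdn())
    print("\n".join(problems) if problems else "gateway-identity looks good")
    sys.exit(1 if problems else 0)
```

The host comparison uses the FQDN of the machine the script runs on, which is what Knox compares the certificate against in the "issued to hostname" log line above; pass a different name to check_gateway_identity if the gateway sits behind a different DNS name.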
09-19-2016
09:13 PM
3 Kudos
The HDPCD Spark certification has 7 questions; you need to get 5 correct to pass. No multiple choice: all questions have to be solved programmatically, and there is no credit for partial results. You will be given access to pyspark and spark-shell, and to the API docs, to implement and test the logic of your applications.
12-18-2015
05:00 PM
4 Kudos
One certificate per server in your cluster.
09-29-2015
01:34 PM
4 Kudos
LDAPS for Ambari is an LDAP+SSL implementation between AD and the Ambari server. This can be accomplished by importing the self-signed/CA-signed certificate of the AD server into the truststore of the Ambari server or into $JAVA_HOME/jre/lib/security/cacerts.
09-28-2015
04:58 PM
5 Kudos
Seems there are hard references to the keystore file and gateway alias in the Knox implementation. Import client CA-signed certs into the default keystore file with the default alias name.
Default Keystore: /var/lib/knox/data/security/keystores/gateway.jks
Default Alias: gateway-identity