Member since 09-28-2015 | 14 Posts | 28 Kudos Received | 0 Solutions
10-11-2017
06:43 PM
You can run "keytool -list -v -keystore corp_cert_chain.pfx -storetype PKCS12". It lists the alias name. Basically, we are renaming the alias in the corp certificate to "gateway-identity".
09-26-2017
03:39 PM
2 Kudos
You can set up encryption for the passwords stored in the Ambari properties file by running the following on the Ambari server host:
ambari-server setup-security
This creates two files under /var/lib/ambari-server/keys:
1. credentials.jceks
2. master
This article explains how to change the alias passwords stored in credentials.jceks without resetting encryption.
Step 1: Take a backup of the existing files
cd /var/lib/ambari-server/keys
cp master master.old
cp credentials.jceks credentials.old.jceks
If your cluster has JDK 1.8.xx installed, follow the procedure below (list the current aliases, delete the alias, re-import it with the new password, then list again to verify):
<JDK_HOME>/bin/keytool -list -v -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
<JDK_HOME>/bin/keytool -delete -alias ambari.ldap.manager.password -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
<JDK_HOME>/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
Enter the password to be stored:
Re-enter password:
Enter key password for <ambari.ldap.manager.password>
(RETURN if same as keystore password): ----> Hit enter
/apps/jdk1.8.0_121/bin/keytool -list -v -keystore credentials.jceks -storetype JCEKS
Enter keystore password:
If your cluster is still using JDK 1.7.xx (whose keytool has no -importpass command), you can use knoxcli.sh to change the passwords as shown below:
<KNOX_HOME>/bin/knoxcli.sh list-alias --cluster ambari
<KNOX_HOME>/bin/knoxcli.sh delete-alias ambari.ldap.manager.password --cluster ambari
<KNOX_HOME>/bin/knoxcli.sh create-alias ambari.ldap.manager.password --cluster ambari --value <password-to-be-stored>
06-09-2017
04:24 PM
2 Kudos
Configure SSL for Ambari Server
# On the ambari-server host, take a backup of the existing files
mkdir /root/ambari-ssl-backup; cp -r /var/lib/ambari-server/keys/* /root/ambari-ssl-backup/
# Navigate to the folder where all certificates are stored
cd <dir>
# Extract the certificates from the p7b file
openssl pkcs7 -in ambari-server-host-cert.p7b -print_certs > ambari-server-host-name.crt
# The .crt file above contains the full certificate chain, so separate the server certificate from the root chain:
# copy the intermediate/root chain to ca.crt and delete the intermediate/root chain from ambari-server-host-name.crt
# Copy ca.crt, ambari-server-host-name.crt and ambari-server-host-privateKey.key to /var/lib/ambari-server/keys/
cp ca.crt /var/lib/ambari-server/keys/
cp ambari-server-host-privateKey.key /var/lib/ambari-server/keys/
cp ambari-server-host-name.crt /var/lib/ambari-server/keys/
# Store the keystore password in a file (assuming it is 'changeit')
echo "changeit" > pass.txt
# Generate the keystore for ambari-server. Ambari uses a PKCS12 keystore. Use the above password when prompted.
openssl pkcs12 -export -out keystore.p12 -inkey ambari-server-host-privateKey.key -in ambari-server-host-name.crt -certfile ca.crt
# Verify the keystore
/usr/jdk64/jdk1.8.0_77/bin/keytool -list -v -keystore keystore.p12 -storetype pkcs12 -storepass changeit
# Create a truststore with the root/intermediate, Ambari server and all agent certificates
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ca.crt -keystore truststore.jks -storepass changeit -alias rootCA
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ambari-server-host-name.crt -keystore truststore.jks -storepass changeit -alias ambari-server
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file ambari-agent-host2.crt -keystore truststore.jks -storepass changeit -alias ambari-agent-host2
...
# Enable HTTPS for ambari-server
ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ? y
Enter path to Certificate: /var/lib/ambari-server/keys/hsynlhdps100.crt
Enter path to Private Key: /var/lib/ambari-server/keys/hsynlhdps100.key
Please enter password for Private Key: <hit enter if none>
Generating random password for HTTPS keystore...done.
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
# Configure the truststore for ambari-server (this truststore would also contain the certificates for the AD server(s) in case of LDAPS between ambari-server and AD)
ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file :/var/lib/ambari-server/keys/truststore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.
# Edit /etc/ambari-server/conf/ambari.properties and add the properties below
security.server.two_way_ssl=true
security.server.cert_name=ambari-server-host-name.crt
security.server.key_name=ambari-server-host-privateKey.key
security.server.keystore_name=keystore.p12
security.server.keystore_type=PKCS12
security.server.truststore_name=truststore.jks
security.server.truststore_type=JKS
security.server.crt_pass_file=pass.txt
# Restart Ambari Server
ambari-server restart
# Since the certificates were already created, Ambari Server should not create any certificates.
# Verify by inspecting the logs in /var/log/ambari-server/ambari-server.log
xxxxxxxxxxxxxxxxxxx INFO [main] CertificateManager:68 - Initialization of root certificate
xxxxxxxxxxxxxxxxxxx INFO [main] CertificateManager:70 - Certificate exists:true
Configure SSL for Ambari Agent
### Repeat these steps for every host in the cluster, including the ambari-server host
# Extract the agent certificate from the p7b file
openssl pkcs7 -in ambari-agent-cert.p7b -print_certs > `hostname -f`.crt
# Copy the agent certificate and key
cp `hostname -f`.crt /var/lib/ambari-agent/keys/
cp ambari-agent-privateKey.key /var/lib/ambari-agent/keys/`hostname -f`.key
# Copy the CA certificate (Note: we need to copy this manually, otherwise the agent will copy over the server certificate instead of the CA certificate)
cp ca.crt /var/lib/ambari-agent/keys/
# Restart Ambari Agent
ambari-agent restart
# Verify by inspecting the logs in /var/log/ambari-agent/ambari-agent.log
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:49 - Server require two-way SSL authentication. Use it instead of one-way...
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:175 - Server certicate exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:183 - Agent key exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:191 - Agent certificate exists, ok
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:93 - SSL Connect being called.. connecting to the server
INFO XXXXXXXXXXXXXXXXXXXXXXX security.py:77 - SSL connection established. Two-way SSL authentication completed successfully.
INFO XXXXXXXXXXXXXXXXXXXXXXX Controller.py:149 - Registration Successful (response id = 0)
INFO XXXXXXXXXXXXXXXXXXXXXXX Controller.py:153 - Got status commands on registration.
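The step that separates the server certificate from the intermediate/root chain is done by hand in the post above. The following is an added example, not code from the original post: a POSIX shell helper that does the split mechanically. It assumes, as in this post's workflow, that the host certificate is the first CERTIFICATE block that `openssl pkcs7 -print_certs` wrote; that block becomes the server .crt, every later block goes to ca.crt, and the subject=/issuer= header lines are dropped so both outputs are clean PEM. The function names (split_pem_chain, count_certs, make_sample_bundle, demo_split) and the sample bundle with placeholder base64 payloads are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): split the PEM bundle written by
# "openssl pkcs7 -print_certs" into the server certificate and the CA chain.
# Assumption: the server certificate is the first CERTIFICATE block in the bundle.

# split_pem_chain BUNDLE LEAF_OUT CHAIN_OUT
# Writes the first certificate block to LEAF_OUT and every later block to
# CHAIN_OUT. Lines outside the BEGIN/END markers (the "subject=" / "issuer="
# lines that -print_certs emits) are dropped. Fails if no block was found.
split_pem_chain() {
    bundle=$1; leaf=$2; chain=$3
    : > "$leaf"; : > "$chain"
    awk -v leaf="$leaf" -v chain="$chain" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; inblock = 1 }
        inblock { if (n == 1) print > leaf; else print > chain }
        /^-----END CERTIFICATE-----$/   { inblock = 0 }
        END { exit (n == 0 ? 1 : 0) }
    ' "$bundle"
}

# count_certs FILE: number of certificate blocks in a PEM file (0 is not an error)
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || :
}

# Constructed sample in the shape that "openssl pkcs7 -print_certs" emits:
# subject/issuer lines followed by each certificate, server cert first.
# The base64 payloads are placeholders, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
subject=/CN=ambari-server-host-name
issuer=/CN=Corp Intermediate CA
-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----

subject=/CN=Corp Intermediate CA
issuer=/CN=Corp Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----

subject=/CN=Corp Root CA
issuer=/CN=Corp Root CA
-----BEGIN CERTIFICATE-----
Uk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}

# demo_split: run the split on the sample bundle in a temp dir and report counts.
demo_split() {
    dir=$(mktemp -d)
    make_sample_bundle "$dir/ambari-server-host-name.bundle"
    split_pem_chain "$dir/ambari-server-host-name.bundle" \
        "$dir/ambari-server-host-name.crt" "$dir/ca.crt" || {
        echo "no certificate blocks found in bundle" >&2; rm -rf "$dir"; return 1; }
    echo "server cert blocks: $(count_certs "$dir/ambari-server-host-name.crt")"
    echo "ca chain blocks:    $(count_certs "$dir/ca.crt")"
    rm -rf "$dir"
}

demo_split
```

On a real bundle, run `openssl x509 -in ambari-server-host-name.crt -noout -subject -issuer` afterwards and confirm the subject is the Ambari host and the issuer is the intermediate CA; if the CA appeared first in your p7b, swap the roles of the two output files rather than trusting the position.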
03-28-2017
07:30 PM
1 Kudo
We were not able to auto-create topics after we enabled ranger. Any thoughts?
Labels: Apache Kafka
02-27-2017
04:55 PM
As per https://cwiki.apache.org/confluence/display/RANGER/Multiple+OU+Ldap+Search+support+for+UserSync, we can configure multiple OUs by delimiting ranger.usersync.ldap.user.searchbase with ";". In that case, what should the user search filter be? Does it need to be a search filter with an LDAP OR query over all the groups?
Labels: Apache Ranger
09-28-2016
06:28 PM
401 is an authentication issue. Can you please check whether the credentials are correct or not?
09-28-2016
06:11 PM
Matt, try this: jdbc:hive2://<knox_host>:8443/;ssl=true;sslTrustStore=/var/lib/knox/data/security/keystores/gateway.jks;trustStorePassword=<master_secret>;transportMode=http;httpPath=gateway/default/hive
09-21-2016
02:37 PM
5 Kudos
Step 1: Take a backup of the original configuration:
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/
Step 2: Create a keystore in PKCS12 format from your private key file, certificate and root public certificate
[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer
Step 3: Generate the Knox keystore
[~]$ cp corp_cert_chain.pfx /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ cd /var/lib/knox/data-2.4.0.0-169/security/keystores/
[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -srcalias <src-alias> -destalias gateway-identity -destkeypass <knox-master-secret>
Step 4: Store the keystore password in the jceks file
[~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>
Step 5: Restart Knox; you should see the lines below in your Knox logs
[~]$ tail -f /var/log/knox/gateway.log
INFO hadoop.gateway (JettySSLService.java:init(106)) - Keystore for the gateway instance found - no need to create one.
INFO hadoop.gateway (JettySSLService.java:logAndValidateCertificate(128)) - The Gateway SSL certificate is issued to hostname: XXXXXXXXXXXX.
hadoop.gateway (JettySSLService.java:logAndValidateCertificate(131)) - The Gateway SSL certificate is valid between: 5/3/16 7:00 PM and 5/4/19 6:59 PM.
INFO hadoop.gateway (GatewayServer.java:startGateway(219)) - Starting gateway...
INFO hadoop.gateway (GatewayServer.java:start(311)) - Loading topologies from directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology admin from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/admin.war.152cadc1518
INFO hadoop.gateway (GatewayServer.java:handleCreateDeployment(450)) - Loading topology default from /usr/hdp/2.4.0.0-169/knox/bin/../data/deployments/default.war.154819e2a38
INFO hadoop.gateway (GatewayServer.java:start(315)) - Monitoring topologies in directory: /usr/hdp/2.4.0.0-169/knox/bin/../conf/topologies
INFO hadoop.gateway (GatewayServer.java:startGateway(232)) - Started gateway on port 8,443
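Step 3 needs the `<src-alias>` of the private-key entry inside corp_cert_chain.pfx, which the reply further up obtains by reading `keytool -list -v` output by eye. The following is an added example, not code from the original post: a POSIX shell helper that reads that listing on stdin and picks the alias of the PrivateKeyEntry, refusing to guess when there is none (only trustedCertEntry blocks, which would not give Knox a usable gateway-identity) or when there are several. The function names (private_key_aliases, select_src_alias, sample_keytool_listing) and the sample listing, whose alias "1" and owner names are made up, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): choose the -srcalias for
# "keytool -importkeystore" from the output of
#   keytool -list -v -keystore corp_cert_chain.pfx -storetype PKCS12
# Usage on a real keystore:
#   keytool -list -v -keystore corp_cert_chain.pfx -storetype PKCS12 | select_src_alias

# private_key_aliases: read a "keytool -list -v" listing on stdin and print the
# alias of every PrivateKeyEntry, one per line. Exits 1 when there is none.
# The alias is taken from the whole rest of the "Alias name:" line, so aliases
# containing spaces survive.
private_key_aliases() {
    awk '
        /^Alias name: / { alias = substr($0, length("Alias name: ") + 1) }
        /^Entry type: / { if ($3 == "PrivateKeyEntry") { print alias; found++ } }
        END { exit (found > 0 ? 0 : 1) }
    '
}

# select_src_alias: succeed only when exactly one private-key alias exists and
# print it; otherwise explain on stderr and fail, so a script never imports the
# wrong key as gateway-identity.
select_src_alias() {
    aliases=$(private_key_aliases) || { echo "no PrivateKeyEntry in keystore" >&2; return 1; }
    count=$(printf '%s\n' "$aliases" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one PrivateKeyEntry, found $count:" >&2
        printf '%s\n' "$aliases" >&2
        return 1
    fi
    printf '%s\n' "$aliases"
}

# Constructed sample listing in the shape keytool prints for a PKCS12 file
# exported by "openssl pkcs12 -export" (alias "1") that also carries the CA.
sample_keytool_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 1
Creation date: May 3, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=knox.example.test, O=Example Corp
Issuer: CN=Example Intermediate CA, O=Example Corp

Alias name: example intermediate ca
Creation date: May 3, 2016
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
EOF
}

# Demonstration on the constructed listing.
if src=$(sample_keytool_listing | select_src_alias); then
    echo "use: -srcalias \"$src\" -destalias gateway-identity"
fi
```

When you then run the Step 3 command, keytool also accepts `-srcstorepass:env VAR` and `-srcstorepass:file PATH` (likewise for `-deststorepass` and `-destkeypass`), which keeps the Knox master secret out of the process list and shell history instead of passing it as a plain argument.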
09-19-2016
09:13 PM
3 Kudos
HDPCD Spark certification has 7 questions, you need to get 5 correct to pass the certification. No multiple choice. All questions should be solved programmatically. No credit for partial results. You will be given access to pyspark and spark-shell and access to API, to implement and test the logic of your applications.
12-18-2015
05:00 PM
4 Kudos
One certificate per server in your cluster.