
Enable SSL Ambari server



This blog shares the steps involved in enabling SSL for Ambari Server using a Java keystore and the private key it holds.




1. Create a Java keystore:

[root@hadoopn1 conf]# keytool -genkey -keyalg RSA -alias ambari -keystore ambari-keystore.jks -validity 360 -keysize 2048
Enter keystore password:Hadoopadmin1 
Re-enter new password:Hadoopadmin1 
What is your first and last name?
  [Unknown]:  hadoop
What is the name of your organizational unit?
  [Unknown]:  hadoopn1.hdpca.com   <<< This should be your FQDN name.
What is the name of your organization?
  [Unknown]:  hadoopsirji
What is the name of your City or Locality?
  [Unknown]:ENTER
What is the name of your State or Province?
  [Unknown]:ENTER
What is the two-letter country code for this unit?
  [Unknown]:IN
Is CN=hadoopn1.hdpca.com, OU=hdpca.com, O=hadoopsirji, L=Unknown, ST=Unknown, C=IN correct?
  [no]:  yes
Enter key password for <ambari>
        (RETURN if same as keystore password):

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ambari-keystore.jks -destkeystore ambari-keystore.jks -deststoretype pkcs12".

[root@hadoopn1 conf]# ls -lrt
total 20
-rw-r--r-- 1 root root 2379 Jul 19  2015 log4j.properties
-rw-r--r-- 1 root root  286 Jul 19  2015 krb5JAASLogin.conf
-rw-r----- 1 root root    7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
[root@hadoopn1 conf]#


2. Export the certificate to a .cer file

keytool -export -alias ambari -file hadoopn1.cer -keystore ambari-keystore.jks


[root@hadoopn1 conf]# keytool -export -alias ambari -file hadoopn1.cer -keystore ambari-keystore.jks
Enter keystore password:Hadoopadmin1 
Certificate stored in file <hadoopn1.cer>


Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ambari-keystore.jks -destkeystore ambari-keystore.jks -deststoretype pkcs12".

[root@hadoopn1 conf]# ls -lrt
total 24
-rw-r--r-- 1 root root 2379 Jul 19  2015 log4j.properties
-rw-r--r-- 1 root root  286 Jul 19  2015 krb5JAASLogin.conf
-rw-r----- 1 root root    7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
-rw-r--r-- 1 root root  891 Dec 27 09:56 hadoopn1.cer
[root@hadoopn1 conf]#


3. Convert .cer file from DER format to PEM format

openssl x509 -in hadoopn1.cer -inform der -outform pem -out hadoopn1.pem

[root@hadoopn1 conf]# openssl x509 -in hadoopn1.cer -inform der -outform pem -out hadoopn1.pem

[root@hadoopn1 conf]# ls -lrt
total 28
-rw-r--r-- 1 root root 2379 Jul 19  2015 log4j.properties
-rw-r--r-- 1 root root  286 Jul 19  2015 krb5JAASLogin.conf
-rw-r----- 1 root root    7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
-rw-r--r-- 1 root root  891 Dec 27 09:56 hadoopn1.cer
-rw-r--r-- 1 root root 1261 Dec 27 09:57 hadoopn1.pem



4. Export the private key to PKCS12

keytool -v -importkeystore -srckeystore ambari-keystore.jks -srcalias ambari -destkeystore hadoopn1_pkcs12File.p12 -deststoretype PKCS12

[root@hadoopn1 conf]# keytool -v -importkeystore -srckeystore ambari-keystore.jks -srcalias ambari -destkeystore hadoopn1_pkcs12File.p12 -deststoretype PKCS12
Importing keystore ambari-keystore.jks to hadoopn1_pkcs12File.p12...
Enter destination keystore password:
Re-enter new password:Hadoopadmin1 
Enter source keystore password:Hadoopadmin1 
[Storing hadoopn1_pkcs12File.p12]

[root@hadoopn1 conf]#
[root@hadoopn1 conf]# ls -lrt
total 32
-rw-r--r-- 1 root root 2379 Jul 19  2015 log4j.properties
-rw-r--r-- 1 root root  286 Jul 19  2015 krb5JAASLogin.conf
-rw-r----- 1 root root    7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
-rw-r--r-- 1 root root  891 Dec 27 09:56 hadoopn1.cer
-rw-r--r-- 1 root root 1261 Dec 27 09:57 hadoopn1.pem
-rw-r--r-- 1 root root 2583 Dec 27 09:58 hadoopn1_pkcs12File.p12


5. Convert the PKCS12 private key to PEM format

openssl pkcs12 -in hadoopn1_pkcs12File.p12 -out hadoopn1_privateKey.pem

[root@hadoopn1 conf]# openssl pkcs12 -in hadoopn1_pkcs12File.p12 -out hadoopn1_privateKey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:Hadoopadmin1 
Verifying - Enter PEM pass phrase:Hadoopadmin1 


[root@hadoopn1 conf]# ls -lrt
total 36
-rw-r--r-- 1 root root 2379 Jul 19  2015 log4j.properties
-rw-r--r-- 1 root root  286 Jul 19  2015 krb5JAASLogin.conf
-rw-r----- 1 root root    7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks   <<<<<< Ambari-KEYStore
-rw-r--r-- 1 root root  891 Dec 27 09:56 hadoopn1.cer
-rw-r--r-- 1 root root 1261 Dec 27 09:57 hadoopn1.pem     <<<<<<<<<<<<<<< Server PEM file
-rw-r--r-- 1 root root 2583 Dec 27 09:58 hadoopn1_pkcs12File.p12
-rw-r--r-- 1 root root 3492 Dec 27 09:59 hadoopn1_privateKey.pem <<<<<<<<<<< Private PEM file


6. Run the setup-security command and answer the prompts.

Steps:
ambari-server setup-security
Select 1 for "Enable HTTPS for Ambari server".
Respond y to "Do you want to configure HTTPS?"
Select the port you want to use for SSL. The default port number is 8443.
Provide the complete path to your certificate file (hadoopn1.pem, created above) and to your private key file (hadoopn1_privateKey.pem, created above).
Provide the password for the private key.
Start or restart the server:
ambari-server restart


[root@hadoopn1 conf]# ambari-server setup-security
Using python  /usr/bin/python2.6
Security setup options...
======================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
======================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? (press Enter for the default, y)
SSL port [8443] ? 8440
Port for https can't match the port for one way authentication port(8440)
SSL port [8443] ? (press Enter for the default 8443, or type another free port)
Enter path to Certificate: /etc/ambari-server/conf/hadoopn1.pem
Enter path to Private Key: /etc/ambari-server/conf/hadoopn1_privateKey.pem
Please enter password for Private Key:Hadoopadmin1 
Importing and saving Certificate...done.
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")

[root@hadoopn1 conf]# ambari-server restart
Using python  /usr/bin/python2.6
Restarting ambari-server
Using python  /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.




7. Truststore setup
If you plan to use Ambari Views with your Ambari Server, then after enabling SSL for Ambari using the instructions above
you must also configure a truststore for the Ambari Server. Refer to Set Up Truststore for Ambari Server for more information:
https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_set_up_truststore_for_ambari_server.html


7.1 On the Ambari Server, create a new keystore (the truststore) that will contain the Ambari Server's HTTPS certificate.

keytool -import -file <path_to_the_Ambari_Server's_SSL_Certificate> -alias ambari-server -keystore ambari-server-truststore




7.2 Configure the Ambari Server to use this new truststore:
ambari-server setup-security
Using python  /usr/bin/python2.6
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file : /etc/ambari-server/conf/ambari-keystore.jks
Password for TrustStore: Hadoopadmin1  (you can set a new password for the truststore here)
Re-enter password: Hadoopadmin1
Ambari Server 'setup-security' completed successfully.
