This blog shares the steps involved in enabling SSL (HTTPS) for ambari-server using a Java keystore and the private key it holds.
1. Create a Java keystore (JKS):
[root@hadoopn1 conf]# keytool -genkey -keyalg RSA -alias ambari -keystore ambari-keystore.jks -validity 360 -keysize 2048
Enter keystore password:Hadoopadmin1
Re-enter new password:Hadoopadmin1
What is your first and last name?
[Unknown]: hadoop
What is the name of your organizational unit?
[Unknown]: hadoopn1.hdpca.com <<< Use your server's FQDN; the CN in the summary line below must be the name clients connect to.
What is the name of your organization?
[Unknown]: hadoopsirji
What is the name of your City or Locality?
[Unknown]:ENTER
What is the name of your State or Province?
[Unknown]:ENTER
What is the two-letter country code for this unit?
[Unknown]:IN
Is CN=hadoopn1.hdpca.com, OU=hdpca.com, O=hadoopsirji, L=Unknown, ST=Unknown, C=IN correct?
[no]: yes
Enter key password for <ambari>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ambari-keystore.jks -destkeystore ambari-keystore.jks -deststoretype pkcs12".
[root@hadoopn1 conf]# ls -lrt
total 20
-rw-r--r-- 1 root root 2379 Jul 19 2015 log4j.properties
-rw-r--r-- 1 root root 286 Jul 19 2015 krb5JAASLogin.conf
-rw-r----- 1 root root 7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
[root@hadoopn1 conf]#
2. Export the certificate from the keystore to a .cer file (DER format):
keytool -export -alias ambari -file hadoopn1.cer -keystore ambari-keystore.jks
[root@hadoopn1 conf]# keytool -export -alias ambari -file hadoopn1.cer -keystore ambari-keystore.jks
Enter keystore password:Hadoopadmin1
Certificate stored in file <hadoopn1.cer>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ambari-keystore.jks -destkeystore ambari-keystore.jks -deststoretype pkcs12".
[root@hadoopn1 conf]# ls -lrt
total 24
-rw-r--r-- 1 root root 2379 Jul 19 2015 log4j.properties
-rw-r--r-- 1 root root 286 Jul 19 2015 krb5JAASLogin.conf
-rw-r----- 1 root root 7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
-rw-r--r-- 1 root root 891 Dec 27 09:56 hadoopn1.cer
[root@hadoopn1 conf]#
3. Convert the .cer file from DER format to PEM format:
openssl x509 -in hadoopn1.cer -inform der -outform pem -out hadoopn1.pem
[root@hadoopn1 conf]# openssl x509 -in hadoopn1.cer -inform der -outform pem -out hadoopn1.pem
[root@hadoopn1 conf]# ls -lrt
total 28
-rw-r--r-- 1 root root 2379 Jul 19 2015 log4j.properties
-rw-r--r-- 1 root root 286 Jul 19 2015 krb5JAASLogin.conf
-rw-r----- 1 root root 7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
-rw-r--r-- 1 root root 891 Dec 27 09:56 hadoopn1.cer
-rw-r--r-- 1 root root 1261 Dec 27 09:57 hadoopn1.pem
4. Export the private key to a PKCS12 file:
keytool -v -importkeystore -srckeystore ambari-keystore.jks -srcalias ambari -destkeystore hadoopn1_pkcs12File.p12 -deststoretype PKCS12
[root@hadoopn1 conf]# keytool -v -importkeystore -srckeystore ambari-keystore.jks -srcalias ambari -destkeystore hadoopn1_pkcs12File.p12 -deststoretype PKCS12
Importing keystore ambari-keystore.jks to hadoopn1_pkcs12File.p12...
Enter destination keystore password:
Re-enter new password:Hadoopadmin1
Enter source keystore password:Hadoopadmin1
[Storing hadoopn1_pkcs12File.p12]
[root@hadoopn1 conf]#
[root@hadoopn1 conf]# ls -lrt
total 32
-rw-r--r-- 1 root root 2379 Jul 19 2015 log4j.properties
-rw-r--r-- 1 root root 286 Jul 19 2015 krb5JAASLogin.conf
-rw-r----- 1 root root 7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks
-rw-r--r-- 1 root root 891 Dec 27 09:56 hadoopn1.cer
-rw-r--r-- 1 root root 1261 Dec 27 09:57 hadoopn1.pem
-rw-r--r-- 1 root root 2583 Dec 27 09:58 hadoopn1_pkcs12File.p12
5. Now convert the PKCS12 file to a PEM private key (the output PEM also carries the certificate and the key is passphrase-protected):
openssl pkcs12 -in hadoopn1_pkcs12File.p12 -out hadoopn1_privateKey.pem
[root@hadoopn1 conf]# openssl pkcs12 -in hadoopn1_pkcs12File.p12 -out hadoopn1_privateKey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:Hadoopadmin1
Verifying - Enter PEM pass phrase:Hadoopadmin1
[root@hadoopn1 conf]# ls -lrt
total 36
-rw-r--r-- 1 root root 2379 Jul 19 2015 log4j.properties
-rw-r--r-- 1 root root 286 Jul 19 2015 krb5JAASLogin.conf
-rw-r----- 1 root root 7 Dec 26 10:18 password.dat
-rw-r--r-- 1 root root 3608 Dec 26 10:18 ambari.properties
-rw-r--r-- 1 root root 2243 Dec 27 09:53 ambari-keystore.jks <<< Ambari keystore
-rw-r--r-- 1 root root 891 Dec 27 09:56 hadoopn1.cer
-rw-r--r-- 1 root root 1261 Dec 27 09:57 hadoopn1.pem <<< server certificate (PEM)
-rw-r--r-- 1 root root 2583 Dec 27 09:58 hadoopn1_pkcs12File.p12
-rw-r--r-- 1 root root 3492 Dec 27 09:59 hadoopn1_privateKey.pem <<< private key (PEM)
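Before handing these files to ambari-server setup-security it pays to confirm that the certificate and private key really belong together, that the CN is the FQDN clients will use, that the certificate is not about to expire, and that the key file is not readable by other local accounts (the listing above shows hadoopn1_privateKey.pem as -rw-r--r--, so any user on the host could copy it). The script below is an added example, not code from the original post. It assumes the openssl CLI is installed and that, because the key written by openssl pkcs12 is passphrase-protected, the passphrase is exported in an environment variable named KEY_PASS (a name chosen for this example) instead of being typed on the command line where ps would expose it.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks on the PEM files
# from steps 3 and 5 before they are handed to "ambari-server setup-security".
# Assumptions: the openssl CLI is installed; if the private key is encrypted (as
# it is after "openssl pkcs12 -out"), its passphrase is exported in the KEY_PASS
# environment variable (a name chosen for this example), never on the command line.

# Return 0 if the public key inside the certificate equals the public half of
# the private key, i.e. the two files really belong to the same key pair.
# Both commands print the key as SubjectPublicKeyInfo PEM, so plain string
# comparison is enough; an empty result means the file could not be read.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" ${KEY_PASS:+-passin env:KEY_PASS} -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the subject CN is the FQDN clients will use (keytool's "first and
# last name" prompt in step 1). Handles both the old "subject= /CN=x" and the
# newer "subject=CN = x" output formats of openssl x509.
cert_has_fqdn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -qE "CN *= *$2(/| *,|$)"
}

# Return 0 if the certificate stays valid for at least $2 more days (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Return 0 if the key file is readable by its owner only (mode 600 or 400).
# GNU stat first, BSD stat as fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run all checks; print one line per check and return 1 if any of them fails.
check_ambari_tls_files() {
    cert="$1"; key="$2"; fqdn="$3"; rc=0
    if cert_matches_key "$cert" "$key"; then echo "ok   certificate and private key match"
    else echo "FAIL certificate/private key mismatch, or key unreadable (is KEY_PASS set?)"; rc=1; fi
    if cert_has_fqdn "$cert" "$fqdn"; then echo "ok   subject CN is $fqdn"
    else echo "FAIL subject CN is not $fqdn"; rc=1; fi
    if cert_valid_for_days "$cert" 30; then echo "ok   certificate valid for 30+ days"
    else echo "FAIL certificate expires within 30 days"; rc=1; fi
    if key_is_private "$key"; then echo "ok   private key is owner-only"
    else echo "FAIL private key is group/world readable; run: chmod 600 $key"; rc=1; fi
    return $rc
}

# Example invocation with the post's file names (runs only when exactly three
# arguments are given on the command line):
#   KEY_PASS=... sh check_ambari_tls.sh /etc/ambari-server/conf/hadoopn1.pem \
#       /etc/ambari-server/conf/hadoopn1_privateKey.pem hadoopn1.hdpca.com
if [ "$#" -eq 3 ]; then check_ambari_tls_files "$@"; fi
```

The key/certificate comparison is the check that catches the most common setup mistake, pointing setup-security at a PEM exported from a different alias or an older keystore; the permission check is what the ls -lrt output above makes visible.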
6. Run the setup-security command and answer the prompts.
Steps:
ambari-server setup-security
Select 1 for Enable HTTPS for Ambari server.
Respond y to Do you want to configure HTTPS?
Select the port you want to use for SSL. The default port number is 8443.
Provide the complete path to your certificate file (hadoopn1.pem from above) and private key file (hadoopn1_privateKey.pem from above).
Provide the password for the private key.
Start or restart the server:
ambari-server restart
[root@hadoopn1 conf]# ambari-server setup-security
Using python /usr/bin/python2.6
Security setup options...
======================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
======================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? (press Enter for the default, yes)
SSL port [8443] ? 8440
Port for https can't match the port for one way authentication port(8440)
SSL port [8443] ? (press Enter for the default, or type a port of your choice; 8440 is rejected above because the agents' one-way SSL port already uses it)
Enter path to Certificate: /etc/ambari-server/conf/hadoopn1.pem
Enter path to Private Key: /etc/ambari-server/conf/hadoopn1_privateKey.pem
Please enter password for Private Key:Hadoopadmin1
Importing and saving Certificate...done.
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")
[root@hadoopn1 conf]# ambari-server restart
Using python /usr/bin/python2.6
Restarting ambari-server
Using python /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
Using python /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.
7. Truststore setup
If you plan to use Ambari Views with your Ambari Server, then after enabling SSL for Ambari using the instructions above,
you must also configure a truststore for the Ambari Server. Refer to Set Up Truststore for Ambari Server for more information:
https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_set_up_truststore_for_ambari_server.html
7.1 On the Ambari Server, create a new keystore (the truststore) that will contain the Ambari Server's HTTPS certificate:
keytool -import -file <path_to_the_Ambari_Server's_SSL_Certificate> -alias ambari-server -keystore ambari-server-truststore
7.2 Configure ambari-server to use this new truststore:
ambari-server setup-security
Using python /usr/bin/python2.6
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file : /etc/ambari-server/conf/ambari-keystore.jks
Password for TrustStore: Hadoopadmin1 (you can choose a separate password for the truststore)
Re-enter password: Hadoopadmin1 (you can choose a separate password for the truststore)
Ambari Server 'setup-security' completed successfully.
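Once the truststore is configured, two things are worth confirming: that the anchor it holds actually validates the server certificate, and, after the restart, that the listener on the SSL port serves the certificate you expect rather than a stale one. The script below is an added example, not code from the original post. It assumes the openssl CLI and works on the PEM export of the certificate (hadoopn1.pem from step 3) rather than the JKS file, because openssl verify reads PEM bundles; the host and port arguments are whatever you chose in step 6.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: the openssl CLI
# is installed; the trust anchor is available as PEM (hadoopn1.pem from step 3),
# because "openssl verify" reads PEM bundles, not the JKS truststore from step 7.

# Return 0 if certificate $1 chains to an anchor in PEM bundle $2. For the
# self-signed certificate keytool generated in step 1, the anchor is the
# certificate itself, which is exactly what importing it into the truststore
# achieves for Ambari's own HTTPS clients (Views, the server calling itself).
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print (as PEM) the certificate the live HTTPS listener serves. Not exercised
# here because it needs a running server after "ambari-server restart".
fetch_served_cert() {
    host="$1"; port="${2:-8443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform pem 2>/dev/null
}

# Return 0 if the SHA-256 fingerprint of the served certificate equals that of
# the expected PEM file $3, i.e. the restart really picked up the new key pair.
served_cert_matches() {
    served=$(fetch_served_cert "$1" "$2" | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    wanted=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$served" ] && [ "$served" = "$wanted" ]
}

# Example invocation (runs only when four arguments are supplied):
#   sh verify_ambari_trust.sh hadoopn1.pem hadoopn1.pem hadoopn1.hdpca.com 8443
if [ "$#" -eq 4 ]; then
    if cert_trusted_by "$1" "$2"; then echo "ok   $1 validates against anchor $2"
    else echo "FAIL $1 is not trusted by $2"; fi
    if served_cert_matches "$3" "$4" "$1"; then echo "ok   $3:$4 serves $1"
    else echo "FAIL $3:$4 serves a different certificate (or is not reachable)"; fi
fi
```

Comparing fingerprints rather than subjects is deliberate: after a certificate is renewed with the same CN, only the fingerprint tells you whether the restart loaded the new file.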