Ambari Server on SSL - stanislawbartkowski/hdpwiredencryption GitHub Wiki

Prepare private key and certificate

Out of the box, the Ambari Server listens on a non-secure HTTP port. Moving the Ambari Server to an SSL-protected connection is straightforward.

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.5/configuring-wire-encryption/content/set_up_ssl_for_ambari.html

You can use a self-signed or a CA-signed certificate. To import them into the keystore managed by the Ambari Server, you need a separate private key and the corresponding public certificate. To reuse the key and certificate from an existing CA-signed keystore, you have to export them first. Below are the necessary steps.

Convert the existing CA-signed keystore into PKCS12 (.p12) format.

cd /etc/ambari-server/conf
keytool -importkeystore -srckeystore /etc/security/serverKeys/keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12

Export the private key in PEM format.

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out cert.key

Export the certificate chain in PEM format.

openssl pkcs12 -in keystore.p12 -nodes -nokeys -out cert.crt

Import key and certificate into Ambari Server

  • Certificate path: /etc/ambari-server/conf/cert.crt
  • Private key path: /etc/ambari-server/conf/cert.key

The default secure port is 8443. Make sure that the port is not occupied by another service; for instance, Knox Gateway also uses port 8443. If that is the case, use a different port.

Use this command to check the port availability:

netstat -anp | grep 8443

Configure Ambari Server

ambari-server setup-security

Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ? 
Enter path to Certificate: /etc/ambari-server/conf/cert.crt
Enter path to Private Key: /etc/ambari-server/conf/cert.key
Please enter password for Private Key: 
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")

Restart the Ambari Server.

Verify

Open the Ambari Server console on the secure port: https://<ambari host>:8443

Ambari Views

Make sure that the Ambari truststore is created: https://github.com/stanislawbartkowski/hdpwiredencryption#ambari-metrics

Import the certificates of the NameNode(s) and ResourceManager (RM) nodes into the Ambari truststore.

For the RM (Yarn Queue Manager view), verify /etc/hosts. If a static address for the RM is listed there, make sure that the FQDN precedes the short hostname. Otherwise, the Yarn Queue Manager will resolve the RM IP address to the short hostname and will not find a certificate whose CN is the FQDN.

192.168.122.111  hdm1.sb.com hdm1
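As an added example (not part of this wiki), the POSIX shell check below models the /etc/hosts lookup described above: it returns the name a reverse lookup yields for an IP and flags entries where a short hostname precedes the FQDN. It assumes the `files` source is consulted first by the resolver; the sample hosts file is constructed here for the stand-alone run.

```sh
#!/bin/sh
# Print the canonical name /etc/hosts yields for an IP: the first name on the
# first matching line, which is what a reverse lookup through 'files' returns.
hosts_canonical_name() {
    # $1 = hosts file, $2 = IP address
    awk -v ip="$2" '
        { sub(/#.*/, "") }                       # drop trailing comments
        NF >= 2 && $1 == ip { print $2; exit }   # first name wins
    ' "$1"
}

# Return 0 if the canonical name is an FQDN (contains a dot), 1 if a short
# hostname comes first (the certificate CN check will fail), 2 if the IP is
# not listed at all (the resolver would fall through to DNS).
check_fqdn_first() {
    name=$(hosts_canonical_name "$1" "$2")
    [ -n "$name" ] || return 2
    case "$name" in
        *.*) return 0 ;;
        *)   echo "WARN: $2 resolves to short name '$name'; FQDN must come first" >&2
             return 1 ;;
    esac
}

# Constructed sample hosts file (not a real system) to demonstrate both cases.
SAMPLE_HOSTS=$(mktemp)
printf '%s\n' \
    '192.168.122.111  hdm1.sb.com hdm1   # correct: FQDN first' \
    '192.168.122.112  hdm2 hdm2.sb.com   # wrong: short name first' \
    > "$SAMPLE_HOSTS"

check_fqdn_first "$SAMPLE_HOSTS" 192.168.122.111 && echo "192.168.122.111 OK"
check_fqdn_first "$SAMPLE_HOSTS" 192.168.122.112 || echo "192.168.122.112 needs fixing"
```

To check a live node, call `check_fqdn_first /etc/hosts <RM IP>` and compare the printed name with the CN of the certificate you imported into the truststore.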