Enable Knox for SSL - stanislawbartkowski/hdpwiredencryption GitHub Wiki
The Knox UI is enabled for SSL immediately after installation. By default a self-signed certificate and keystore are created. To replace it with a CA-signed certificate, follow the guidelines below.
If the "Knox Master Secret" is still available, just recreate the keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks using the "Knox Master Secret" as its password, with the CA-signed key and certificate stored under the gateway-identity alias.
If the "Knox Master Secret" is lost, all Knox keystores must be deleted and recreated, as described here:
https://www.ibm.com/support/pages/ibm-biginsights-how-update-knox-master-secret-password
- Back up the existing keystores in the /usr/hdp/current/knox-server/data/security/keystores directory
- Stop the Knox Gateway service
- Clean the /usr/hdp/current/knox-server/data/security/keystores directory
- Run the following command, as the knox user, to set a new "Knox Master Secret" (it rewrites data/security/master, which Knox must be able to read at start-up):
/usr/hdp/3.1.5.0-152/knox/bin/knoxcli.sh create-master --force
- Recreate the CA-signed keystore using the new "Knox Master Secret" as the keystore and key password, with the key and certificate under the alias gateway-identity:
/usr/hdp/current/knox-server/data/security/keystores/gateway.jks
- Secure all keystores in /usr/hdp/current/knox-server/data/security/keystores. A directory needs its execute bit for the owner to open the files inside it, so lock the directory to 700 and the keystores themselves to 400 (440 on the directory itself would leave the keystores unreachable for the knox user):
chown -R knox: /usr/hdp/current/knox-server/data/security/keystores/
chmod 700 /usr/hdp/current/knox-server/data/security/keystores/
chmod 400 /usr/hdp/current/knox-server/data/security/keystores/*.jks
- Start the Knox Gateway service
Launch the Knox UI; the browser should now show the CA-issued certificate. In a test environment, start the Demo LDAP; the default UI credentials are admin/admin-password.
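The rotation procedure above as a single script, added here as an example (it is not code from the wiki or from Knox). It assumes the HDP paths used on this page, that the CA delivered the key and certificate chain as a PKCS#12 bundle (hypothetical path BUNDLE_P12, alias BUNDLE_ALIAS, password in BUNDLE_PASS), that the new master secret is exported as KNOX_MASTER, and that keytool, openssl and knoxcli.sh are available. The permission check is pure shell and can be run on any host; everything else runs on the Knox node as root after the Knox Gateway service has been stopped.

```shell
#!/bin/sh
# Added example, not the wiki's own code. Rotates the Knox master secret and the
# gateway.jks identity keystore from a CA-issued PKCS#12 bundle, then locks
# down and verifies the result. Paths, bundle location and alias are assumptions.
set -eu

KNOX_HOME=/usr/hdp/current/knox-server
KEYSTORES=$KNOX_HOME/data/security/keystores
KNOXCLI=/usr/hdp/3.1.5.0-152/knox/bin/knoxcli.sh
BUNDLE_P12=${BUNDLE_P12:-/root/knox-gateway.p12}   # hypothetical: key + chain from the CA
BUNDLE_ALIAS=${BUNDLE_ALIAS:-1}                     # alias inside the bundle (assumption)

# Pure-shell check usable on any host: the keystores directory must be mode 700
# (the execute bit is what lets the owner open files inside it) and every *.jks
# in it mode 400, all owned by $2. Returns 0 when the layout is right, 1 otherwise.
check_keystore_perms() {
    dir=$1; owner=$2; rc=0
    if [ -z "$(find "$dir" -prune -perm 0700 -user "$owner" -print 2>/dev/null)" ]; then
        echo "keystores dir $dir is not mode 700 owned by $owner" >&2; rc=1
    fi
    for f in "$dir"/*.jks; do
        [ -e "$f" ] || continue
        if [ -z "$(find "$f" -prune -perm 0400 -user "$owner" -print 2>/dev/null)" ]; then
            echo "$f is not mode 400 owned by $owner" >&2; rc=1
        fi
    done
    return $rc
}

# Steps 1-6 of the procedure (Knox Gateway already stopped via Ambari).
recreate_gateway_keystore() {
    cp -a "$KEYSTORES" "$KEYSTORES.bak.$(date +%Y%m%d%H%M%S)"   # backup
    rm -f "$KEYSTORES"/*.jks "$KEYSTORES"/*.jceks                 # clean
    # New master secret, as the knox user so data/security/master stays readable
    # by Knox. knoxcli prompts for it: type the value exported as KNOX_MASTER.
    su - knox -c "$KNOXCLI create-master --force"
    # CA-signed key + chain under alias gateway-identity. Knox uses the master
    # secret as keystore password and as key passphrase (unless the alias
    # gateway-identity-passphrase is defined), so both are set to it. Passwords
    # come from the environment (keytool's :env form) so they never show in ps.
    keytool -importkeystore -noprompt \
        -srckeystore "$BUNDLE_P12" -srcstoretype PKCS12 \
        -srcalias "$BUNDLE_ALIAS" -srcstorepass:env BUNDLE_PASS \
        -destkeystore "$KEYSTORES/gateway.jks" -deststoretype JKS \
        -destalias gateway-identity \
        -deststorepass:env KNOX_MASTER -destkeypass:env KNOX_MASTER
    chown -R knox: "$KEYSTORES"
    chmod 700 "$KEYSTORES"
    chmod 400 "$KEYSTORES"/*.jks
    check_keystore_perms "$KEYSTORES" knox
}

# After starting Knox: compare the identity on disk with what the gateway
# presents. A still self-signed identity shows identical Owner and Issuer lines.
verify_gateway_identity() {
    host=$1; port=${2:-8443}
    keytool -list -v -keystore "$KEYSTORES/gateway.jks" -storepass:env KNOX_MASTER \
        -alias gateway-identity | grep -E '^(Owner|Issuer):'
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate
}

if [ "${1:-}" = run ]; then
    : "${KNOX_MASTER:?export KNOX_MASTER first}" "${BUNDLE_PASS:?export BUNDLE_PASS first}"
    recreate_gateway_keystore
fi
```

Run it as `sh knox-rotate.sh run` on the Knox node, then `verify_gateway_identity knox.example.com` (hypothetical host name) once the service is back up; the second openssl line is what browsers and clients see, and should name the CA as issuer.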
Warning: the Ranger plugin SSL does not seem to work after applying the procedure below. Requires further investigation.
The steps are very similar to those for the HDFS plugin, only tailored for Knox Gateway.
On Knox Gateway node, prepare Ranger plugin keystore.
cd /etc/knox/conf/
Important: note the CN you enter. Do not use the FQDN of the host, and the CN must differ from the CN of every other Ranger plugin, because Ranger Admin identifies a plugin by the CN of its client certificate.
keytool -genkey -keyalg RSA -alias rangerKnoxAgent -keystore ranger-plugin-keystore.jks -validity 360 -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]: rangerknoxplugin
What is the name of your organizational unit?
[Unknown]: AA
What is the name of your organization?
[Unknown]: BB
Create the Knox Ranger plugin truststore and import the Ranger Admin certificate into it:
keytool -import -file /root/ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks
Secure the stores:
chown knox: *.jks
chmod 400 *.jks
Export Ranger Plugin certificate
keytool -export -keystore ranger-plugin-keystore.jks -alias rangerKnoxAgent -file ranger-knoxAgent-trust.cer
On the Ranger Admin node, import the certificate into the Ranger Admin truststore, using a different alias name:
cd /etc/ranger/admin/conf
keytool -import -file /root/ranger-knoxAgent-trust.cer -alias rangerKnoxAgentTrust -keystore ranger-admin-truststore.jks
Knox -> Configs -> Advanced -> Advanced ranger-knox-policymgr-ssl
Property | Sample value |
---|---|
xasecure.policymgr.clientssl.keystore | /etc/knox/conf/ranger-plugin-keystore.jks |
xasecure.policymgr.clientssl.keystore.password | secret |
xasecure.policymgr.clientssl.truststore | /etc/knox/conf/ranger-plugin-truststore.jks |
xasecure.policymgr.clientssl.truststore.password | secret |
Use the passwords chosen when the keystore and truststore were created above. Ambari copies them into the plugin credential file referenced by the *.credential.file properties of the same section; leave those properties as generated.
Restart Knox and Ranger
Ranger Admin UI -> Access Manager -> <cluster_name>_knox
In the Common Name for Certificate field, enter the CN of the Ranger Knox plugin certificate (rangerknoxplugin in the example above), not the whole DN; Ranger Admin matches the plugin's client certificate on this value.
Audit -> Plugins
<cluster_name>_knox should show HTTP Response Code 200 with a recent timestamp.
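The plugin keystore exchange above done non-interactively, plus two checks that help with the open warning at the start of this section: that the CN is unique among plugins, and that Ranger Admin actually accepts the plugin certificate. This is an added example, not code from the wiki, Knox or Ranger. It assumes keytool and an OpenSSL-backed curl on the Knox node, Ranger Admin HTTPS on port 6182, the Ranger Admin certificate exported in PEM (-rfc) form, store passwords exported as KS_PASS, TS_PASS and ADMIN_TS_PASS, and the <cluster>_knox service name passed in by the caller; the CNs of other plugins listed in the run guard are placeholders.

```shell
#!/bin/sh
# Added example, not the wiki's own code. Builds the Ranger Knox plugin keystore
# and truststore, exchanges certificates with Ranger Admin and checks the result.
# Ports, file names and the other plugins' CNs are assumptions.
set -eu

PLUGIN_CONF=/etc/knox/conf
PLUGIN_CN=${PLUGIN_CN:-rangerknoxplugin}          # must differ from every other plugin's CN
RANGER_ADMIN_CER=${RANGER_ADMIN_CER:-/root/ranger-admin-trust.cer}   # PEM, exported with -rfc

# Ranger Admin authorizes a plugin by the CN of its client certificate, not the
# whole DN. Print the CN component of a DN or of a keytool "Owner:" line.
cn_of() {
    printf '%s\n' "$1" | sed -n 's/^.*CN=\([^,]*\).*$/\1/p' | sed 's/[[:space:]]*$//'
}

# $1 = candidate CN, remaining args = CNs already used by other plugins
# (hdfs, hive, ...). Returns 1 on a collision.
cn_is_unique() {
    cand=$1; shift
    for used in "$@"; do
        if [ "$used" = "$cand" ]; then return 1; fi
    done
    return 0
}

# On the Knox node: key pair, truststore, permissions and exported certificate.
# Passwords are read from the environment (keytool's :env form), not from argv.
make_plugin_stores() {
    cd "$PLUGIN_CONF"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 -alias rangerKnoxAgent \
        -dname "CN=$PLUGIN_CN, OU=AA, O=BB" \
        -keystore ranger-plugin-keystore.jks -storepass:env KS_PASS -keypass:env KS_PASS
    keytool -importcert -noprompt -file "$RANGER_ADMIN_CER" -alias rangeradmintrust \
        -keystore ranger-plugin-truststore.jks -storepass:env TS_PASS
    keytool -exportcert -rfc -alias rangerKnoxAgent -keystore ranger-plugin-keystore.jks \
        -storepass:env KS_PASS -file ranger-knoxAgent-trust.cer
    chown knox: ranger-plugin-keystore.jks ranger-plugin-truststore.jks
    chmod 400 ranger-plugin-keystore.jks ranger-plugin-truststore.jks
    # Value to enter in "Common Name for Certificate" for the Knox service in Ranger:
    cn_of "$(keytool -list -v -keystore ranger-plugin-keystore.jks -storepass:env KS_PASS \
        -alias rangerKnoxAgent | grep '^Owner:')"
}

# On the Ranger Admin node, after copying ranger-knoxAgent-trust.cer there.
trust_plugin_on_ranger_admin() {
    keytool -importcert -noprompt -file /root/ranger-knoxAgent-trust.cer \
        -alias rangerKnoxAgentTrust -storepass:env ADMIN_TS_PASS \
        -keystore /etc/ranger/admin/conf/ranger-admin-truststore.jks
}

# From the Knox node: fetch the service's policies the way the plugin does, with
# the plugin certificate as client identity. 200 means mutual TLS and the CN
# mapping are right; 401 points at the CN, a TLS handshake failure at the
# truststores. The PKCS#12 copy lives only in a private temp dir for the call.
check_policy_download() {
    ranger_host=$1; service=$2; tmp=$(mktemp -d)
    keytool -importkeystore -noprompt \
        -srckeystore "$PLUGIN_CONF/ranger-plugin-keystore.jks" -srcstorepass:env KS_PASS \
        -srcalias rangerKnoxAgent \
        -destkeystore "$tmp/plugin.p12" -deststoretype PKCS12 -deststorepass:env KS_PASS
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$RANGER_ADMIN_CER" \
        --cert-type P12 --cert "$tmp/plugin.p12:$KS_PASS" \
        "https://$ranger_host:6182/service/plugins/policies/download/$service")
    rm -rf "$tmp"
    echo "HTTP $code"
    [ "$code" = 200 ]
}

if [ "${1:-}" = run ]; then
    # placeholder CNs of the other plugins already registered in Ranger
    cn_is_unique "$PLUGIN_CN" rangerhdfsplugin rangerhiveplugin || { echo "CN already in use" >&2; exit 1; }
    make_plugin_stores
fi
```

After `sh knox-ranger-ssl.sh run` on the Knox node, run `trust_plugin_on_ranger_admin` on the Ranger Admin node, restart both, and use `check_policy_download ranger.example.com mycluster_knox` (hypothetical names) from the Knox node: a 200 here with nothing under Audit -> Plugins narrows the problem to the Knox-side plugin configuration rather than the certificates.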