Note: If you are using LDAPS and the LDAPS server certificate is signed by a Certificate Authority that the JDK already trusts, there is no need to import the certificate into Ambari, so this section does not apply to you. If the LDAPS server certificate is self-signed, or is signed by a certificate authority the JDK does not recognize, such as an internal certificate authority, you must import the certificate and create a keystore file. The following example creates the keystore at /etc/ambari-server/keys/ldaps-keystore.jks, but you can create it anywhere in the file system.

Create the keys directory, which does not exist by default:

mkdir /etc/ambari-server/keys

Import the certificate into a new keystore (the alias is arbitrary; root is used here):

$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/ambari-server/keys/ldaps-keystore.jks

Set a password when prompted. You will use this during ambari-server setup-ldap.

Run the LDAP setup command on the Ambari server and answer the prompts, using the information you collected above:

ambari-server setup-ldap
1. At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.
2. At the Secondary URL* prompt, enter the secondary server URL and port. This value is optional.
3. At the Use SSL* prompt, enter your selection. If using LDAPS, enter true.
4. At the User object class* prompt, enter the object class that is used for users.
5. At the User name attribute* prompt, enter the attribute that holds the login name. The default value is uid.
6. At the Group object class* prompt, enter the object class that is used for groups.
7. At the Group name attribute* prompt, enter the attribute for the group name.
8. At the Group member attribute* prompt, enter the attribute for group membership.
9. At the Distinguished name attribute* prompt, enter the attribute that is used for the distinguished name.
10. At the Base DN* prompt, enter the base DN of the subtree in which users and groups are searched.
11. At the Referral method* prompt, enter follow or ignore to follow or ignore LDAP referrals.
12. At the Bind anonymously* prompt, enter your selection. Enter false if your directory does not allow anonymous searches; Ambari then binds with the Manager DN and password from the next two prompts.
13. At the Manager DN* prompt, enter the DN of the account Ambari binds as, if you set Bind anonymously to false. Use a read-only service account with no more privilege than it needs to search the base DN.
14. At the Enter the Manager Password* prompt, enter the password for your LDAP manager DN. Note that this password is only protected in transit if Use SSL is true.
15. If you set Use SSL* = true in step 3, the following prompt appears: Do you want to provide custom TrustStore for Ambari?
Consider the following options and respond as appropriate.

More secure option: If using a self-signed certificate that you do not want imported into the existing JDK keystore, enter y. For example, you want this certificate trusted only by Ambari, not by any other application that the same JDK runs on this host. If you choose this option, additional prompts appear. Respond to them as follows:

At the TrustStore type prompt, enter jks.
At the Path to TrustStore file prompt, enter /etc/ambari-server/keys/ldaps-keystore.jks (or the actual path to your keystore file).
At the Password for TrustStore prompt, enter the password that you defined for the keystore.

Less secure option: If using a self-signed certificate that you want to import into the existing, default JDK keystore, enter n. Every Java application on the host that uses that JDK will then trust the certificate, not only Ambari. Convert the certificate to X.509 PEM format, if necessary, by executing the following command, where <slapd.crt> is the path of the output certificate:

openssl x509 -in slapd.pem -out <slapd.crt>

Import the certificate into the existing keystore, for example the default JRE certificate store (the default password for cacerts is changeit; change it if you have not already):

/usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

The keytool and cacerts paths must belong to the JDK that Ambari Server actually runs on. In this example Ambari is set up to use JDK 1.7, so the certificate is imported into the JDK 7 cacerts keystore; importing it into a different JDK on the same host has no effect on Ambari.
Review your settings and, if they are correct, select y.

Start or restart the server:

ambari-server restart
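The steps above are usually typed one at a time. The following script is an added example, not part of the Ambari documentation or of Ambari itself: it checks the answers you are about to give setup-ldap for the two mistakes that matter most (an ldaps:// URL with Use SSL left false, and a Manager DN password sent over plain ldap://), builds the dedicated truststore from the "more secure option", confirms the alias is really in it, and completes a TLS handshake with the LDAPS server using only that certificate, so that a bad chain is caught before Ambari is restarted. It assumes keytool and openssl are on PATH, that the server or CA certificate is in a PEM file you pass on the command line, and that the keystore lives at /etc/ambari-server/keys/ldaps-keystore.jks; the alias ldaps-ca and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not Ambari's own code): pre-flight checks for the LDAPS
# truststore steps above. Assumptions: keytool and openssl on PATH, server or
# CA certificate in PEM form, keystore at /etc/ambari-server/keys/ldaps-keystore.jks.

# Print "scheme host port" for a setup-ldap URL. Accepts ldaps://host[:port],
# ldap://host[:port] or bare host:port (scheme printed as "-"). Default ports:
# 636 for ldaps, 389 for ldap; a bare host needs an explicit port. Bracketed
# IPv6 literals are not handled.
ldap_url_parse() {
    url=$1
    case $url in
        *://*) scheme=${url%%://*}; rest=${url#*://} ;;
        *)     scheme=-;             rest=$url ;;
    esac
    rest=${rest%%/*}                      # drop any trailing path or base DN
    case $scheme in
        -|ldap|ldaps) ;;
        *) echo "unsupported scheme: $scheme" >&2; return 1 ;;
    esac
    case $rest in
        *:*) host=${rest%%:*}; port=${rest##*:} ;;
        *)   host=$rest
             case $scheme in
                 ldaps) port=636 ;;
                 ldap)  port=389 ;;
                 *) echo "port required in $url" >&2; return 1 ;;
             esac ;;
    esac
    [ -n "$host" ] || { echo "missing host in $url" >&2; return 1; }
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# Reject answer combinations that contradict each other or expose the bind
# password. Arguments: Primary URL, Use SSL answer (true/false), Bind
# anonymously answer (true/false). Returns 0 when the answers are consistent.
check_answers() {
    url=$1; use_ssl=$2; bind_anon=$3
    parsed=$(ldap_url_parse "$url") || return 1
    scheme=${parsed%% *}
    if [ "$scheme" = ldaps ] && [ "$use_ssl" != true ]; then
        echo "Use SSL must be true for an ldaps:// URL" >&2; return 1
    fi
    if [ "$scheme" = ldap ] && [ "$use_ssl" = true ]; then
        echo "Use SSL is true but the URL is ldap://; use ldaps:// (usually port 636)" >&2; return 1
    fi
    if [ "$use_ssl" != true ] && [ "$bind_anon" != true ]; then
        echo "Manager DN password would be sent in cleartext; set Use SSL to true" >&2; return 1
    fi
    return 0
}

# Build the dedicated truststore for Ambari (the "more secure option").
# -storetype JKS is given explicitly because JDK 9 and later create PKCS12
# keystores by default, and setup-ldap is answered with TrustStore type jks.
make_truststore() {
    cert=$1; keystore=$2; storepass=$3
    mkdir -p "$(dirname "$keystore")"
    keytool -importcert -trustcacerts -noprompt -alias ldaps-ca \
        -file "$cert" -keystore "$keystore" -storetype JKS -storepass "$storepass"
}

# Confirm the alias is present before pointing Ambari at the truststore.
verify_truststore() {
    keystore=$1; storepass=$2
    keytool -list -keystore "$keystore" -storepass "$storepass" -alias ldaps-ca >/dev/null
}

# Complete a TLS handshake with the LDAPS server, trusting only the certificate
# that went into the truststore. -verify_return_error turns a failed chain
# verification into a non-zero exit; -verify_hostname (OpenSSL 1.1.0 or later)
# also checks that the certificate matches the host from the URL.
check_ldaps_handshake() {
    url=$1; cert=$2
    parsed=$(ldap_url_parse "$url") || return 1
    set -- $parsed
    [ "$1" = ldaps ] || { echo "not an ldaps:// URL: $url" >&2; return 1; }
    openssl s_client -connect "$2:$3" -servername "$2" -verify_hostname "$2" \
        -CAfile "$cert" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh ldaps-preflight.sh ldaps://ldap.example.com:636 ldaps-ca.pem <truststore password>
if [ $# -eq 3 ]; then
    ks=/etc/ambari-server/keys/ldaps-keystore.jks
    check_answers "$1" true false &&
    make_truststore "$2" "$ks" "$3" &&
    verify_truststore "$ks" "$3" &&
    check_ldaps_handshake "$1" "$2" &&
    echo "truststore $ks is ready; answer y, jks and $ks at the TrustStore prompts"
fi
```

Run it with the LDAPS URL, the certificate file and the truststore password before starting ambari-server setup-ldap; if the handshake step fails, the JDK will reject the same certificate once Ambari is restarted, so fix the chain (wrong CA file, expired certificate, host name not in the certificate) first. The handshake check deliberately uses only the certificate you are importing rather than the system CA bundle, which is the same trust decision Ambari makes with a dedicated truststore.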
The users you have just imported are initially granted the Ambari User privilege. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, as an Ambari Admin, use Manage Ambari > Users > Edit. For instructions, see Managing Users and Groups.