Set Up HTTPS for AMS
If you want to limit access to AMS to HTTPS connections, you must provide a certificate. While it is possible to use a self-signed certificate for initial trials, it is not suitable for production environments. After you get your certificate, you must run a special setup command.
Steps
Create your own CA certificate.
openssl req -new -x509 -keyout ca.key -out ca.crt -days 365
Import CA certificate into the truststore.
# keytool -keystore /<path>/truststore.jks -alias CARoot -import -file ca.crt -storepass bigdata
Check truststore.
# keytool -keystore /<path>/truststore.jks -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

caroot, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
You should see a trustedCertEntry for the CA.
Generate certificate for AMS Collector and store private key in keystore.
# keytool -genkey -alias c6401.ambari.apache.org -keyalg RSA -keysize 1024 -dname "CN=c6401.ambari.apache.org,OU=IT,O=Apache,L=US,ST=US,C=US" -keypass bigdata -keystore /<path>/keystore.jks -storepass bigdata
Note: If you use an alias different from the default hostname (c6401.ambari.apache.org), then, when you update the AMS configs (step 12 below), set the ssl.client.truststore.alias config to that alias.
Create certificate request for AMS collector certificate.
keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -certreq -file c6401.ambari.apache.org.csr -storepass bigdata
Sign the certificate request with the CA certificate.
openssl x509 -req -CA ca.crt -CAkey ca.key -in c6401.ambari.apache.org.csr -out c6401.ambari.apache.org_signed.crt -days 365 -CAcreateserial -passin pass:bigdata
Import CA certificate into the keystore.
keytool -keystore /<path>/keystore.jks -alias CARoot -import -file ca.crt -storepass bigdata
Import signed certificate into the keystore.
keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -import -file c6401.ambari.apache.org_signed.crt -storepass bigdata
Check keystore.
caroot2, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 7C:B7:0C:27:8E:0D:31:E7:BE:F8:BE:A1:A4:1E:81:22:FC:E5:37:D7
[root@c6401 tmp]# keytool -keystore /tmp/keystore.jks -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

caroot, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
c6401.ambari.apache.org, Feb 22, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): A2:F9:BE:56:7A:7A:8B:4C:5E:A6:63:60:B7:70:50:43:34:14:EE:AF
You should see a PrivateKeyEntry for the AMS collector hostname and a trustedCertEntry for the CA.
Copy /<path>/truststore.jks to /<path>/truststore.jks on all nodes and set appropriate access permissions.
Copy /<path>/keystore.jks to /<path>/keystore.jks on the AMS collector node ONLY and set appropriate access permissions. Recommended: set the owner to the ams user and the access permissions to 400.
In Ambari Web, update the AMS configs, setting:
ams-site/timeline.metrics.service.http.policy=HTTPS_ONLY
ams-ssl-server/ssl.server.keystore.keypassword=bigdata
ams-ssl-server/ssl.server.keystore.location=/<path>/keystore.jks
ams-ssl-server/ssl.server.keystore.password=bigdata
ams-ssl-server/ssl.server.keystore.type=jks
ams-ssl-server/ssl.server.truststore.location=/<path>/truststore.jks
ams-ssl-server/ssl.server.truststore.password=bigdata
ams-ssl-server/ssl.server.truststore.reload.interval=10000
ams-ssl-server/ssl.server.truststore.type=jks
ams-ssl-client/ssl.client.truststore.location=/<path>/truststore.jks
ams-ssl-client/ssl.client.truststore.password=bigdata
ams-ssl-client/ssl.client.truststore.type=jks
ssl.client.truststore.alias=<Alias used to create certificate for AMS. (Default is hostname)>
Restart services with stale configs.
Configure Ambari server to use truststore.
# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file :/<path>/keystore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.
Configure the Ambari server to use HTTPS instead of HTTP in requests to the AMS Collector by adding "server.timeline.metrics.https.enabled=true" to the ambari.properties file.
# echo "server.timeline.metrics.https.enabled=true" >> /etc/ambari-server/conf/ambari.properties
Restart the Ambari server.
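The following Python script is an added verification helper; it is not part of the Ambari documentation or of the AMS code. It cross-checks what the steps above produce: it parses the text printed by keytool -list, confirms that the keystore holds exactly one PrivateKeyEntry whose alias matches ssl.client.truststore.alias (defaulting to the collector hostname, the case the Note above describes), that a truststore holds only trustedCertEntry items and no private key, that the CA fingerprint imported from ca.crt appears in both stores, and that the keystore file on disk has the recommended mode 400 and owner. The listings embedded in the script are constructed sample input modelled on the output shown on this page, the function names and the AMS_PROPS dictionary are this example's own, and the current user stands in for the ams user when the file permission check runs.

```python
import os
import pwd
import re
import stat
import tempfile

# A `keytool -list` entry spans two lines; the date contains a comma, hence the lazy match:
#   <alias>, <Mon DD, YYYY>, <trustedCertEntry|PrivateKeyEntry>,
#   Certificate fingerprint (<algo>): <HEX:HEX:...>
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), (?P<date>.+?), (?P<kind>trustedCertEntry|PrivateKeyEntry),"
    r"\s*Certificate fingerprint \((?P<algo>[^)]+)\): (?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)


def parse_keytool_list(text):
    """Return {alias: (kind, fingerprint)}; keytool lower-cases aliases (CARoot -> caroot)."""
    return {m.group("alias").strip().lower(): (m.group("kind"), m.group("fp").upper())
            for m in ENTRY_RE.finditer(text)}


def check_stores(keystore_text, truststore_text, hostname, props):
    """Cross-check keystore and truststore listings against the AMS properties; return findings."""
    findings = []
    keystore = parse_keytool_list(keystore_text)
    truststore = parse_keytool_list(truststore_text)

    # The collector key must sit under the alias clients expect:
    # ssl.client.truststore.alias, or the collector hostname when that property is unset.
    expected_alias = (props.get("ssl.client.truststore.alias") or hostname).lower()
    private_aliases = [a for a, (kind, _) in keystore.items() if kind == "PrivateKeyEntry"]
    if private_aliases != [expected_alias]:
        findings.append(f"keystore: expected one PrivateKeyEntry with alias {expected_alias!r}, "
                        f"found {private_aliases}")

    # The truststore is copied to every node, so it must never carry a private key.
    if any(kind == "PrivateKeyEntry" for kind, _ in truststore.values()):
        findings.append("truststore: contains a PrivateKeyEntry; it should hold CA certificates only")

    # The same ca.crt is imported into both stores, so one CA fingerprint should appear in both.
    ts_cas = {fp for kind, fp in truststore.values() if kind == "trustedCertEntry"}
    ks_cas = {fp for kind, fp in keystore.values() if kind == "trustedCertEntry"}
    if not ts_cas & ks_cas:
        findings.append("truststore and keystore share no CA certificate fingerprint")

    if props.get("timeline.metrics.service.http.policy") != "HTTPS_ONLY":
        findings.append("ams-site: timeline.metrics.service.http.policy is not HTTPS_ONLY")
    return findings


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (e.g. inside a container)
        return str(uid)


def check_key_file(path, expected_owner):
    """Check a keystore file against the recommendation above: mode 400, owned by the ams user."""
    st = os.stat(path)
    findings = []
    if stat.S_IMODE(st.st_mode) != 0o400:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):o}, expected 400")
    if _owner_name(st.st_uid) != expected_owner:
        findings.append(f"{path}: owned by {_owner_name(st.st_uid)}, expected {expected_owner}")
    return findings


def demo_key_file_check(mode=0o400):
    """Create a throwaway stand-in for keystore.jks, chmod it and check it (current user plays ams)."""
    fd, path = tempfile.mkstemp(suffix=".jks")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_key_file(path, _owner_name(os.getuid()))
    finally:
        os.unlink(path)


# Constructed sample input, modelled on the keytool output shown on this page.
HOSTNAME = "c6401.ambari.apache.org"
TRUSTSTORE_LIST = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

caroot, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
"""
KEYSTORE_LIST = TRUSTSTORE_LIST.replace("1 entry", "2 entries") + f"""{HOSTNAME}, Feb 22, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): A2:F9:BE:56:7A:7A:8B:4C:5E:A6:63:60:B7:70:50:43:34:14:EE:AF
"""
AMS_PROPS = {"timeline.metrics.service.http.policy": "HTTPS_ONLY",
             "ssl.client.truststore.alias": None}  # None: default to the collector hostname

if __name__ == "__main__":
    findings = check_stores(KEYSTORE_LIST, TRUSTSTORE_LIST, HOSTNAME, AMS_PROPS) + demo_key_file_check()
    print("OK: stores, alias and permissions consistent" if not findings else "\n".join(findings))
    # The mismatch the Note above warns about: a custom alias not reflected in the client config.
    mismatched = dict(AMS_PROPS, **{"ssl.client.truststore.alias": "ams-collector"})
    print("\n".join(check_stores(KEYSTORE_LIST, TRUSTSTORE_LIST, HOSTNAME, mismatched)))
```

On a real host, feed check_stores the captured output of the two keytool -list commands and point check_key_file at the keystore path on the collector node with "ams" as the expected owner; an empty findings list means the artifacts agree with the configuration entered in Ambari Web.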