Set up https for AMS
Limiting AMS access to only HTTPS connections requires providing a certificate.
1. Create your own CA certificate.
   openssl req -new -x509 -keyout ca.key -out ca.crt -days 365
2. Import the CA certificate into the truststore.
   keytool -keystore /<path>/truststore.jks -alias CARoot -import -file ca.crt -storepass bigdata
3. Check the truststore.
   # keytool -keystore /<path>/truststore.jks -list
   Enter keystore password:
   Keystore type: JKS
   Keystore provider: SUN
   Your keystore contains 2 entries
   caroot, Feb 22, 2016, trustedCertEntry,
   Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
   caroot2, Feb 22, 2016, trustedCertEntry,
   Certificate fingerprint (SHA1): 7C:B7:0C:27:8E:0D:31:E7:BE:F8:BE:A1:A4:1E:81:22:FC:E5:37:D7
   You should see a trustedCertEntry for the CA.
4. Generate a certificate for the AMS Collector and store its private key in the keystore.
   keytool -genkey -alias c6401.ambari.apache.org -keyalg RSA -keysize 1024 -dname "CN=c6401.ambari.apache.org,OU=IT,O=Apache,L=US,ST=US,C=US" -keypass bigdata -keystore /<path>/keystore.jks -storepass bigdata
   Note: If you use an alias different from the default hostname (c6401.ambari.apache.org), then, in step 12, set the ssl.client.truststore.alias config to use that alias. The 1024-bit RSA key size shown here is below current recommendations; use 2048 bits or more for a production collector.
5. Create a certificate request for the AMS Collector certificate.
   keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -certreq -file c6401.ambari.apache.org.csr -storepass bigdata
6. Sign the certificate request with the CA certificate.
   openssl x509 -req -CA ca.crt -CAkey ca.key -in c6401.ambari.apache.org.csr -out c6401.ambari.apache.org_signed.crt -days 365 -CAcreateserial -passin pass:bigdata
7. Import the CA certificate into the keystore.
   keytool -keystore /<path>/keystore.jks -alias CARoot -import -file ca.crt -storepass bigdata
8. Import the signed certificate into the keystore.
   keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -import -file c6401.ambari.apache.org_signed.crt -storepass bigdata
9. Check the keystore.
   [root@c6401 tmp]# keytool -keystore /tmp/keystore.jks -list
   Enter keystore password:
   Keystore type: JKS
   Keystore provider: SUN
   Your keystore contains 2 entries
   caroot, Feb 22, 2016, trustedCertEntry,
   Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
   c6401.ambari.apache.org, Feb 22, 2016, PrivateKeyEntry,
   Certificate fingerprint (SHA1): A2:F9:BE:56:7A:7A:8B:4C:5E:A6:63:60:B7:70:50:43:34:14:EE:AF
   You should see a PrivateKeyEntry for the AMS Collector hostname and a trustedCertEntry for the CA.
10. Copy /[PATH]/truststore.jks to all nodes, to /[PATH]/truststore.jks, and set appropriate access permissions.
11. Copy /[PATH]/keystore.jks to the AMS Collector node ONLY, to /[PATH]/keystore.jks, and set appropriate access permissions.
    Recommended: set the owner to the ams user and the access permissions to 400.
12. In Ambari Web, update the following AMS configs, in Advanced:
- ams-site/timeline.metrics.service.http.policy=HTTPS_ONLY
- ams-ssl-server/ssl.server.keystore.keypassword=bigdata
- ams-ssl-server/ssl.server.keystore.location=/<path>/keystore.jks
- ams-ssl-server/ssl.server.keystore.password=bigdata
- ams-ssl-server/ssl.server.keystore.type=jks
- ams-ssl-server/ssl.server.truststore.location=/<path>/truststore.jks
- ams-ssl-server/ssl.server.truststore.password=bigdata
- ams-ssl-server/ssl.server.truststore.reload.interval=10000
- ams-ssl-server/ssl.server.truststore.type=jks
- ams-ssl-client/ssl.client.truststore.location=/<path>/truststore.jks
- ams-ssl-client/ssl.client.truststore.password=bigdata
- ams-ssl-client/ssl.client.truststore.type=jks
13. In Ambari Web, add the following AMS config property, using Custom ams-ssl-client > Add Property:
    [metrics_collector_hostname_fqdn].ssl.client.truststore.alias=[alias used to create the certificate for AMS on the host with the specified FQDN]. The default is the hostname FQDN.
14. Restart services with stale configs.
15. Configure the Ambari server to use the truststore.
    # ambari-server setup-security
    Using python  /usr/bin/python
    Security setup options...
    ===========================================================================
    Choose one of the following options:
      [1] Enable HTTPS for Ambari server.
      [2] Encrypt passwords stored in ambari.properties file.
      [3] Setup Ambari kerberos JAAS configuration.
      [4] Setup truststore.
      [5] Import certificate to truststore.
    ===========================================================================
    Enter choice, (1-5): 4
    Do you want to configure a truststore [y/n] (y)?
    TrustStore type [jks/jceks/pkcs12] (jks):jks
    Path to TrustStore file :/<path>/keystore.jks
    Password for TrustStore:
    Re-enter password:
    Ambari Server 'setup-security' completed successfully.
16. Configure the Ambari server to use https instead of http in requests to the AMS Collector by adding "server.timeline.metrics.https.enabled=true" to the ambari.properties file.
    # echo "server.timeline.metrics.https.enabled=true" >> /etc/ambari-server/conf/ambari.properties
17. Restart the Ambari server.
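As an added check for the "Check truststore" and "Check keystore" steps above (this script is not part of the original procedure), the following Python parses `keytool -list` output and confirms that the truststore holds the CA, that the keystore holds both the CA and a PrivateKeyEntry for the collector alias, that the CA fingerprints agree between the two stores, and that no private key sits in the truststore that gets copied to every node. The sample listings are constructed from the output shown on this page; the function names are assumptions of this example.

```python
import re

# One entry of non-verbose `keytool -list` output, e.g.
#   caroot, Feb 22, 2016, trustedCertEntry,
#   Certificate fingerprint (SHA1): AD:EE:...
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), (?:[A-Za-z]{3} \d{1,2}, \d{4}), "
    r"(?P<kind>trustedCertEntry|PrivateKeyEntry),\s*"
    r"Certificate fingerprint \((?:SHA1|SHA-256)\): (?P<fp>[0-9A-F]{2}(?::[0-9A-F]{2})+)",
    re.MULTILINE,
)

# Sample listings constructed from the `keytool -list` output shown on this page.
TRUSTSTORE_LISTING = """Your keystore contains 2 entries
caroot, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
caroot2, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 7C:B7:0C:27:8E:0D:31:E7:BE:F8:BE:A1:A4:1E:81:22:FC:E5:37:D7
"""
KEYSTORE_LISTING = """Your keystore contains 2 entries
caroot, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
c6401.ambari.apache.org, Feb 22, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): A2:F9:BE:56:7A:7A:8B:4C:5E:A6:63:60:B7:70:50:43:34:14:EE:AF
"""

def parse_listing(text):
    """Map alias -> (entry kind, fingerprint); keytool stores aliases lower-cased."""
    return {m["alias"].lower(): (m["kind"], m["fp"]) for m in ENTRY_RE.finditer(text)}

def check_ams_stores(truststore, keystore, collector_fqdn, ca_alias="CARoot", collector_alias=None):
    """Return a list of problems; an empty list means the stores look as the steps above expect."""
    alias = (collector_alias or collector_fqdn).lower()  # must match ssl.client.truststore.alias
    ts, ks = parse_listing(truststore), parse_listing(keystore)
    ca_ts, ca_ks, coll = ts.get(ca_alias.lower()), ks.get(ca_alias.lower()), ks.get(alias)
    problems = []
    if not ca_ts or ca_ts[0] != "trustedCertEntry":
        problems.append(f"truststore: no trustedCertEntry for {ca_alias}")
    if not ca_ks or ca_ks[0] != "trustedCertEntry":
        problems.append(f"keystore: CA {ca_alias} not imported, so the collector chain is incomplete")
    if ca_ts and ca_ks and ca_ts[1] != ca_ks[1]:
        problems.append("CA fingerprint differs between truststore and keystore (different CA?)")
    if not coll or coll[0] != "PrivateKeyEntry":
        problems.append(f"keystore: no PrivateKeyEntry for alias '{alias}'")
    # The truststore is copied to every node, so it must never hold a private key.
    problems += [f"truststore: private key '{a}' would be copied to all nodes"
                 for a, (kind, _) in ts.items() if kind == "PrivateKeyEntry"]
    return problems
```

Run `check_ams_stores(TRUSTSTORE_LISTING, KEYSTORE_LISTING, "c6401.ambari.apache.org")` on the captured listings; any non-empty result points at the step to redo before restarting AMS.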