Add SSL certificate for Knox Gateway
When Knox-powered Gateway is enabled, use these steps if you would like to add an SSL certificate for Ambari and/or other cluster UIs exposed through the Gateway.
- Obtain a trusted SSL certificate.
- If needed, perform the following to make sure that your certificate is compatible with the
- If the certificate is not already in p12 format, export the certificate into p12 format.
openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name gateway-identity -password pass:$mastersecret
- Ensure that the certificate alias is “gateway-identity”.
- Ensure that the store password matches the master secret created earlier. You can obtain
the master secret of the Knox by using the following
cat /srv/pillar/gateway/init.sls | grep mastersecret
- Note the key password used – as you need to create an alias for this password.
- If the certificate is not already in p12 format, export the certificate into p12 format. For example:
- Access the cluster's master node via ssh.
- Obtain root access by using
- Use keytool to import the desired certificate/key pair into the java keystore that Knox is
using. You can find the java keystore the following path:
Example command for importing your certificate into the jks:
keytool -importkeystore -deststorepass $mastersecret -destkeypass $mastersecret -destkeystore gateway.jks -srckeystore /usr/hdp/current/knox-server/data/security/keystores/custom_certs/identity.p12 -srcstoretype PKCS12 -srcstorepass $mastersecret -alias gateway-identity
- Restart Knox by using the following
This command stops Knox, but systemd automatically restarts it. To validate that it is restarted, use:
netstat -tlpn | grep 8443
Here is example output showing that the restart was successful:
netstat -tlpn | grep 8443 tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 13177/java
- Using your web browser, access the Ambari web UI.
- Confirm that the connection is SSL-protected and that the certificate used is the certificate that you provided.