Configuring Knox SSO for HA clusters
In a High Availability (HA) setup, the load balancer distributes the incoming requests across multiple Knox instances.
Follow these instructions only if you choose to configure secure clusters.
The format of the Knox SSO URL is as follows:
where address is the host:port of the load balancer that points to the Knox instances.
You can obtain the load balancer's host and port from the following
If you are unable to locate the URL, contact the person who set up Knox in HA mode for you.
You need to obtain the Knox certificate (also known as the knox_publickey) from the Knox gateway host.
SSH into the Knox gateway host with a
Obtain the Knox certificate by running the following commands, depending on whether you have set the gateway.signing.keystore.name parameter under the Knox configurations:
If you have set the gateway.signing.keystore.name parameter, go to the Knox data folder and run the following command:
keytool -exportcert -alias <gateway.signing.key.alias> -keypass <knox-secret> -keystore security/keystores/<gateway.signing.keystore.name> -storepass <knox-secret> -rfc
where,
gateway.signing.keystore.name is typically a filename with the .jks extension. For example,
keypass and storepass are the Knox secret passwords that you specified while creating the .jks file. For example,
The value of gateway.signing.key.alias can be obtained from the Knox Config in Ambari or from the /etc/knox/conf/gateway-site.xml file. For example,
If you have not set the gateway.signing.keystore.name parameter, extract the certificate from the gateway.jks file by running the following command:
/usr/hdp/current/knox-server/bin/knoxcli.sh export-cert --type PEM
Note: The gateway.jks file is automatically created when Knox is started for the first time. If you have already integrated Knox SSO earlier, the gateway-identity.pem file will already exist. Check whether the gateway-identity.pem file exists before running this command.
The certificate is extracted from the gateway.jks file and stored in a file called gateway-identity.pem located under the /var/lib/knox/data-<version>-<build-no>/security/keystores/ directory.
Enable the Knox SSO topology settings. From the Ambari UI, go to
and make the following configuration changes:
- Specify KNOX_SSO in the user_authentication field.
- Add the list of users who need admin access to DAS in the admin_users field. You can specify * (asterisk) in the admin_users field to make all users admin users.
Note: Only admin users have access to all queries. Non-admin users can access only their own queries.
- Specify the Knox SSO URL in the knox_sso_url field in the following format:
- Copy the contents of the Knox certificate file that you extracted earlier into the knox_publickey field, omitting the header and footer lines.
- Click Save and click through the confirmation pop-ups.
- Restart DAS and any other services that require a restart by clicking .
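The certificate export above (either the keytool command or knoxcli.sh export-cert) produces a PEM file, and the last step asks for its contents without the header and footer. The following shell function, added here as an example and not part of the DAS documentation or the Knox project, prepares that knox_publickey value from a PEM file: it refuses files that do not contain exactly one CERTIFICATE block (for instance a file that was appended to twice), strips the BEGIN/END lines, joins the base64 body onto a single line, and checks that what remains is actually base64. The file path and the sample PEM body used below are constructed for illustration; a real gateway-identity.pem carries a much longer body.

```shell
#!/usr/bin/env bash
# Added example (not from the DAS documentation): build the knox_publickey
# value from an exported Knox certificate in PEM form.
# Assumption: the input is the gateway-identity.pem written by knoxcli.sh, or
# the output of the keytool -exportcert ... -rfc command redirected to a file.

# Print the base64 body of the single CERTIFICATE block in "$1" on one line,
# i.e. with the -----BEGIN/END CERTIFICATE----- header and footer removed.
# Returns 1 if the file does not hold exactly one block or the body is not base64.
knox_publickey_from_pem() {
  local pem="$1"
  local begins ends body

  # grep -c exits 1 when the count is 0; "|| true" keeps the count usable
  # under "set -e" so the caller gets a clear error instead of an abort.
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$pem" || true)
  if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
    echo "error: expected exactly one CERTIFICATE block in $pem (found $begins BEGIN, $ends END lines)" >&2
    return 1
  fi

  # Keep only the lines between the header and footer, drop the header and
  # footer themselves, then remove whitespace, CR and newlines to join the body.
  body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
    | grep -v -- '-----' \
    | tr -d ' \t\r\n')

  # The knox_publickey field expects base64 only: letters, digits, + and /,
  # with optional = padding at the end. Anything else means the file was
  # not a PEM certificate (or was edited by hand).
  if ! printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
    echo "error: certificate body in $pem is not base64" >&2
    return 1
  fi

  printf '%s\n' "$body"
}

# Stand-alone usage: knox_publickey_from_pem <path-to-gateway-identity.pem>
if [ -n "${1:-}" ]; then
  knox_publickey_from_pem "$1"
fi
```

Run it against the exported file, for example the gateway-identity.pem under the keystores directory named above, and paste the single printed line into the knox_publickey field. The exact-one-block check matters because an exported file that has been appended to, or that contains a chain, would otherwise silently yield a concatenation of two certificates.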