Installing and Setting Up Knox SSO
Also available as:
PDF

Setting Up Knox SSO

You can set up Knox to handle authentication when you access the user interfaces and REST APIs. After you set up Knox, basic authentication is still an option for making requests directly to the REST application, but any request to the user interfaces must go through Knox first and contain the proper security token.

  • Ensure that you have enabled LDAP on the Metron Security page in Ambari. Knox and Metron must be configured to use the same LDAP.
  • Ensure that you have installed the Metron client component on all Knox gateway hosts.
  1. Navigate to Ambari > Hosts > $METRON_HOST.
  2. At the bottom of the Components section, in the dropdown menu next to the clients, select Install clients, then click Confirm Add.
  3. Select Metron Client, then click Next.
    This will install the Metron client.
  4. Retrieve the Knox public key by running the following command on the Knox gateway host:
    openssl s_client -connect node1:8443 < /dev/null | openssl x509 | grep -v 'CERTIFICATE' | paste -sd "" -
    They Knox public key will be similar to the following:
    MIICMjCCAZugAwIBAgIJAPvF9X/Tm9+4MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRUZXN0MQ0wCwYDVQQHEwRUZXN0MQ
     8wDQYDVQQKEwZIYWRvb3AxDTALBgNVBAsTBFRlc3QxDjAMBgNVBAMTBW5vZGUxMB4XDTE5MDEwMzIyMDExN1oXDTIwMDEwMzIyMDExN1owWzELMAkGA1UEBh
     MCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDEOMAwGA1UEAxMFbm9kZTEwgZ8wDQYJ
     KoZIhvcNAQEBBQADgY0AMIGJAoGBAJVkl8kYk2tPNJ9hlO+mSbgTAlkma7LGY4X/LtHqNd7PP161p9Hhty2HRpfZ5rUE2rIdlHpESSoo3Ifg38JrN745/yrw
     EGI0A5KhqOnNKw6Hk8mhoyoc8DDBVd3+nsGIJ5263rapOtyPWgxuj2gcd14utMvZOTGkHGkpr/FFRjUDAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAMyL+JHBfBIg2i
     AxmkOkH30iEVen1SgNqMoD4zApnA5z+ZVmL6cA72eV0BXjjY0YsxnVcAR4zqWYUDjZCNsAI4TtkXzlSZAhaVKzM+Ru+e+L5Lo22d5U5T5SqZMrubPx1dyyKe
     FMJPbG4ZGs5XbK+GAS3LDqBYEm5ZiEZ0E3RUT0=
  5. Copy the output of the command and paste it into the Ambari setting at Metron > Configs > Security > Knox SSO Public Key.
    Note
    Note
    Make sure that LDAP is enabled at the top of the Security tab window.
  6. Enable Knox, then click Save.
  7. Click the Restart menu to restart the Metron client, Metron REST, Metron Alerts UI, and Metron Management UI.
    After REST comes back up, Metron should be enabled for Knox.
When you launch a user interface, Knox searches for a valid token. If a valid token is not found, Knox redirects to the Knox SSO login form. Once a valid token is found, Knox redirects to the original url and forwards the request. Accessing the REST application through Knox also follows this pattern.