Ranger Ambari Installation

Configuring Ranger for LDAP SSL

Option 1: For Self-signed Certs in Your Own TrustStore

  1. Ensure that your LDAP cert was loaded into a trustStore.

    keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /etc/pki/java/cacerts
    
  2. Set the ranger.ldap.url property to ldaps://<host>:389.

  3. Set the ranger.usersync.truststore.file property to the java store: /etc/pki/java/cacerts.

  4. Restart Ranger from Ambari.

  5. When Ranger is restarted from Ambari, the trustStore /etc/pki/java/cacerts is not attached to the Ranger Java process. Therefore you must manually run ranger-usersync stop, wait until all Java processes have stopped, and then run ranger-usersync start. This should use the self-signed cert correctly.

    cp /etc/pki/java/cacerts /usr/hdp/<current>/ranger-usersync/userSyncCAcerts
    keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /usr/hdp/<current>/ranger-usersync/userSyncCAcerts

Option 2: For Self-signed Certs Using the Default Ranger UserSync TrustStore

  1. The default location of the trust store referenced by the ranger.usersync.truststore.file property is /usr/hdp/current/ranger-usersync/conf/mytruststore.jks.

  2. Alternatively, copy the CA cert store and import the self-signed CA certs into the copy.

  3. Set the ranger.usersync.truststore.file property to that new cacert file.

    cd /usr/hdp/<version>/ranger-usersync 
    service ranger-usersync stop 
    service ranger-usersync start

    Where cert.pem holds the LDAPS cert.

Option 3: Using Certificate Authority Signed Cert in the Default Java Store

  1. The default Java keystore appears to no longer be /etc/pki/java/cacerts; it is instead ${JAVA_HOME}/jre/lib/security/cacerts.

  2. If you are using a CA-signed certificate for your LDAP authentication, the certificate should already be included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts on all of your nodes, or at least on the NameNode and the Ranger Admin/Usersync nodes.

  3. You should not need to manually restart Ranger or perform any keytool imports.

  4. If necessary, you can import the CA cert into ${JAVA_HOME}/jre/lib/security/cacerts. If you are using a self-signed cert, you can use keytool to import it into ${JAVA_HOME}/jre/lib/security/cacerts.

    Avoiding Manual Ranger Restarts

    You can use the following method to avoid manual Ranger restarts when the self-signed cert is not in ${JAVA_HOME}/jre/lib/security/cacerts.

    For Ranger Usersync:

    • Edit /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

    • Add the Java option -Djavax.net.ssl.trustStore=/<path to the cacert>

    For Ranger Admin:

    • Edit /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

    • Add parameter -Djavax.net.ssl.trustStore=/<path to the cacert> to the Java call in the script.
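The step-5 caveat in Option 1 (an Ambari restart does not attach the trust store) and the -Djavax.net.ssl.trustStore workaround above both come down to one question: which trust store is the running usersync JVM actually using, and is the LDAPS cert in it? The script below is an added example, not from the HDP documentation or the Ranger project, that answers that by reading the JVM command line and listing the store with keytool. It assumes the alias MyLdap from the page, the Java 8 jre/lib/security/cacerts layout the page uses, the JDK default store password changeit, and that the usersync JVM's command line contains the string ranger-usersync (true for the /usr/hdp/current/ranger-usersync path layout above); adjust those if your install differs.

```shell
#!/bin/sh
# Added example (not HDP or Ranger code): report the trust store the running
# Ranger usersync JVM really uses and whether the LDAPS cert alias is in it.
# Assumptions: alias MyLdap, Java 8 jre/lib/security/cacerts layout, default
# store password "changeit", usersync command line containing "ranger-usersync".

# Print the -Djavax.net.ssl.trustStore value from a JVM command line. When the
# option is absent (the state after an Ambari restart) the JDK default store is
# printed instead, so the caller sees where the JVM silently falls back to.
effective_truststore() {
    cmdline=$1
    java_home=${2:-${JAVA_HOME:-/usr/lib/jvm/java}}
    ts=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
         | sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p' | tail -n 1)
    if [ -n "$ts" ]; then
        printf '%s\n' "$ts"
    else
        printf '%s\n' "$java_home/jre/lib/security/cacerts"   # Java 8 layout
    fi
}

# Return 0 when a "keytool -list" listing contains the alias. keytool stores
# aliases lower-cased and prints them as "alias, date, entryType,", so the
# match is case-insensitive and anchored on the line start.
listing_has_alias() {
    listing=$1
    alias=$2
    printf '%s\n' "$listing" | grep -qi "^$alias,"
}

# Return 0 when keytool finds the alias in the store on disk, 1 when it does
# not, 2 when the store cannot be opened (wrong path or password).
store_has_alias() {
    store=$1
    alias=$2
    password=${3:-changeit}
    listing=$(keytool -list -keystore "$store" -storepass "$password" 2>/dev/null) || return 2
    listing_has_alias "$listing" "$alias"
}

# Command line of the running usersync JVM, empty when it is not running.
# Assumes the HDP classpath, which contains the ranger-usersync directory.
usersync_cmdline() {
    ps -eo args 2>/dev/null | grep -v grep | grep java | grep ranger-usersync | head -n 1
}

# Wait (up to $2 seconds) until no process matching $1 is left. This is the
# "wait until all java processes have stopped" step before ranger-usersync start.
wait_for_exit() {
    pattern=$1
    timeout=${2:-60}
    while [ "$timeout" -gt 0 ]; do
        ps -eo args 2>/dev/null | grep -v grep | grep -q "$pattern" || return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

main() {
    alias=${1:-MyLdap}
    cmdline=$(usersync_cmdline)
    if [ -z "$cmdline" ]; then
        echo "ranger-usersync JVM is not running"
        return 1
    fi
    store=$(effective_truststore "$cmdline")
    echo "trust store in use by usersync: $store"
    if store_has_alias "$store" "$alias"; then
        echo "OK: alias $alias is present in $store"
    else
        echo "MISSING: alias $alias is not in $store; import it there or set -Djavax.net.ssl.trustStore"
        return 1
    fi
}

# Run the live check only when invoked as "sh check-usersync-trust.sh --run [alias]",
# so the helper functions can also be sourced and reused.
if [ "${1-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Run it with --run on the usersync node after each restart; a "MISSING" result after an Ambari restart is exactly the symptom described in step 5 of Option 1, and the printed store path tells you whether the JVM fell back to the JDK default or picked up the -Djavax.net.ssl.trustStore option.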