Ranger Ambari Installation
Also available as:

Configuring Ranger for LDAP SSL

Import the LDAP Cert into the Default Java TrustStore

  1. If you are using a CA signed certificate for your LDAP authentication, the certificate should already be included in the default Java trustStore located at $JAVA_HOME/jre/lib/security/cacerts on all of your nodes, or at least on the NameNode and Ranger Admin/Usersync nodes.

  2. There is no need to manually restart Ranger or perform any keytool imports.

  3. If necessary you can import the CA cert to $JAVA_HOME/jre/lib/security/cacerts. If you are using a self-signed cert you can use the keytool to import it into $JAVA_HOME/jre/lib/security/cacerts.

Alternative Option

You can also use the following method when the self-signed cert is not in $JAVA_HOME/jre/lib/security/cacerts.

For Ranger Usersync:

  1. Edit /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh.

  2. Add java option > -Djavax.net.ssl.trustStore=/<path to the cacert>.

For Ranger Admin:

  1. Edit /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh.

  2. Add parameter -Djavax.net.ssl.trustStore=/<path to the cacert> to the Java call in the script.