Hadoop Security Guide

Self-Signed Certificate with Specific Hostname for Evaluations

To keep using self-signed certificates in larger evaluation deployments, generate a certificate for a specific hostname. Clients can then verify that the hostname presented in the certificate matches the host they requested in the URL.

To create a self-signed certificate:

  1. Create a certificate, where $gateway-hostname is the FQDN of the Knox Gateway:

    cd $gateway
    bin/knoxcli.cmd create-cert --hostname $gateway-hostname
  2. Export the certificate in PEM format:

    keytool -export -alias gateway-identity -rfc -file $certificate_path -keystore $gateway/data/security/keystores/gateway.jks

    Note

    The cURL --cacert option accepts certificates in PEM format only.

  3. Restart the gateway:

    cd $gateway
    bin/gateway.sh stop
    bin/gateway.sh start
  4. After copying the certificate to a client, use the following command to verify:

    curl --cacert $certificate_path -u $username:$password https://$gateway-hostname:$gateway_port/gateway/$cluster_name/webhdfs/v1?op=GETHOMEDIRECTORY
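
A check to run on the exported PEM file before copying it to clients, added here as an example and not part of the original guide: it confirms that the certificate names the gateway FQDN, that it has not expired, and prints a SHA-256 fingerprint to compare on the client after the copy. It assumes the OpenSSL command-line tool is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the guide): sanity checks on the PEM exported in step 2.
# Assumption: the OpenSSL CLI is on PATH. Function names are illustrative.

# cert_matches_host PEM HOSTNAME: succeeds if the certificate is valid for
# HOSTNAME (subjectAltName entries, or the CN when no DNS SAN is present).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# cert_not_expired PEM: succeeds if the certificate's notAfter is in the future.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# cert_fingerprint PEM: prints the SHA-256 fingerprint (colon-separated hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_gateway_cert PEM HOSTNAME: runs all checks.
# Returns 0 = ok, 2 = unreadable file, 3 = hostname mismatch, 4 = expired.
check_gateway_cert() {
    pem=$1
    host=$2
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "not a readable PEM certificate: $pem" >&2
        return 2
    fi
    if ! cert_matches_host "$pem" "$host"; then
        echo "certificate does not name $host; clients will reject it" >&2
        return 3
    fi
    if ! cert_not_expired "$pem"; then
        echo "certificate has expired" >&2
        return 4
    fi
    echo "OK $host sha256=$(cert_fingerprint "$pem")"
}

# Usage: sh check_cert.sh <certificate_path> <gateway-hostname>
if [ "$#" -eq 2 ]; then
    check_gateway_cert "$1" "$2"
fi
```

Run the same fingerprint command on the client copy; a differing value means the file was altered or replaced in transit.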