Enable SSL for Apache Atlas
This section describes how to enable SSL for Apache Atlas on an Ambari cluster.
Configuring Apache Atlas SSL
Both one-way (server authentication) and two-way (server and client authentication) SSL are supported. To enable Apache Atlas SSL, select Atlas > Configs > Advanced, then select Advanced application-properties and set the following properties:
Table 4.4. Atlas Advanced application-properties
Property | Value | Description |
---|---|---|
atlas.enableTLS | true | Enable or disable the SSL listener. Set this value to true to enable SSL (default value is false). |
You can also set the following properties by selecting Custom application-properties > Add Property.
Table 4.5. Atlas Custom application-properties
Property | Value | Description |
---|---|---|
keystore.file | <path_to_keystore_file> | The path to the keystore file leveraged by the server. This file contains the server certificate. |
truststore.file | <path_to_truststore_file> | The path to the truststore file. This file contains the certificates of other trusted entities (for example, the certificates for client processes if two-way SSL is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled). Note that doing so means one file holds both the server's private key and the trust anchors; for two-way SSL, a separate truststore containing only the client CA certificates is the cleaner choice. |
client.auth.enabled | true / false | Enable or disable client authentication (disabled by default). If enabled, the client must authenticate to the server during the transport session key creation process (that is, two-way SSL is in effect). |
cert.stores.credential.provider.path | <path_to_credential_provider_store_file> | The path to the Credential Provider store file. The passwords for the keystore, truststore, and server certificate are maintained in this secure file. Use the cputil script in the 'bin' directory (see below) to populate this file with the required passwords. |
atlas.ssl.exclude.cipher.suites | Example value: `.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*` | The excluded cipher suites list. `.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*` are weak and unsafe cipher suites that are excluded by default. If additional ciphers need to be excluded, set this property to the default list (`.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*`) and append the additional cipher suites, separated by commas. Entries can be given as full suite names or as regular expressions. The value of atlas.ssl.exclude.cipher.suites replaces the built-in default list rather than adding to it, so retain the default entries and add further ones to increase security. |
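As an added example (not from the original page or the Atlas project), the following Python script shows how an exclude list such as the one above is applied to the suites a JVM offers. It assumes the matching rule used by Jetty's SslContextFactory, which Atlas's embedded web server uses for this property: each comma-separated entry is compiled as a Java regular expression and a suite is dropped only if the pattern matches its whole name. The list of suite names is constructed for illustration and is not a real JVM listing.

```python
import re

# Default exclusion list from the atlas.ssl.exclude.cipher.suites description above.
DEFAULT_EXCLUDES = ".*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*"

# Constructed sample of suite names as a JVM might offer them (illustrative only).
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_NULL_SHA256",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
]


def parse_exclude_list(value):
    """Split the property value on commas and drop blank entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def matching_patterns(suite, patterns):
    """Return the exclude entries that match this suite.

    Assumed rule (Jetty's SslContextFactory): each entry is compiled as a
    java.util.regex Pattern and the suite is excluded only if the pattern
    matches the WHOLE name (Matcher.matches()). re.fullmatch reproduces that,
    which is why the defaults are written as .*RC4.* rather than RC4.
    """
    return [p for p in patterns if re.fullmatch(p, suite)]


def is_excluded(suite, patterns):
    return bool(matching_patterns(suite, patterns))


def filter_suites(suites, exclude_value):
    """Apply an exclude-list property value to a list of suite names.

    Returns (kept, dropped); dropped maps each removed suite to the entries
    that removed it, so a surprising exclusion can be traced to its pattern.
    """
    patterns = parse_exclude_list(exclude_value)
    kept, dropped = [], {}
    for suite in suites:
        hits = matching_patterns(suite, patterns)
        if hits:
            dropped[suite] = hits
        else:
            kept.append(suite)
    return kept, dropped


def extend_excludes(base_value, extra_value):
    """Build a property value that keeps the default entries and appends more."""
    return ",".join(parse_exclude_list(base_value) + parse_exclude_list(extra_value))


if __name__ == "__main__":
    kept, dropped = filter_suites(SAMPLE_SUITES, DEFAULT_EXCLUDES)
    print("kept with defaults:")
    for suite in kept:
        print("  ", suite)
    print("dropped with defaults:")
    for suite, hits in dropped.items():
        print("  ", suite, "<-", ",".join(hits))
    # A bare substring never matches the whole name, so it excludes nothing.
    print("bare 'RC4' excludes SSL_RSA_WITH_RC4_128_MD5:",
          is_excluded("SSL_RSA_WITH_RC4_128_MD5", ["RC4"]))
    # Appending a CBC regex to the defaults leaves only the AEAD suites.
    stricter = extend_excludes(DEFAULT_EXCLUDES, ".*_CBC_.*")
    print("with", stricter, "->", filter_suites(SAMPLE_SUITES, stricter)[0])
```

Two things the run makes visible: `.*DES.*` also removes the 3DES suite, because "3DES" contains "DES" (intended here, but worth knowing when you write your own patterns), and an entry without the surrounding `.*` excludes nothing unless it is a complete suite name. The filter only sees what the JVM offers, so suites already disabled by the JVM's own security policy never reach it.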
Important
Enabling or disabling HTTPS will not automatically reconfigure the
The default HTTP port is 21000 and the default HTTPS port is 21443. These values can be overridden using the
After manually editing these settings, select Actions > Stop All on the Ambari dashboard to stop all services, then select Actions > Start All to restart all services.
Credential Provider Utility Script
In order to prevent the use of clear-text passwords, the Atlas platform uses the Credential Provider facility for secure password storage (see the Hadoop Credential Command Reference for more information about this facility). The cputil script can be used to create the required password store.
To create the credential provider for Atlas:
1. Switch to the Atlas bin directory:
cd /usr/hdp/current/atlas-server/bin
2. Run the utility:
./cputil.py
3. When prompted, enter the path for the generated credential provider. The format for the path is:
/local/file/path/file.jceks
Only one absolute path is allowed. Credential provider files generally use the .jceks extension.
4. When prompted, enter the passwords for the keystore, truststore, and server key. These passwords must match the passwords used when the associated certificate store files were created.
The credential provider is generated and saved to the specified path.