Security
Also available as:
PDF
loading table of contents...

Enable SSL for Apache Atlas

This section describes how to enable SSL for Apache Atlas on an Ambari cluster.

Configuring Apache Atlas SSL

Both one-way (server authentication) and two-way (server and client authentication) SSL are supported. To enable Apache Atlas SSL, select Atlas > Configs > Advanced, then select Advanced application-properties and set the following properties:

Table 4.4. Atlas Advanced application-properties

PropertyValueDescription
atlas.enableTLStrueEnable or disable the SSL listener. Set this value to true to enable SSL (default value is false).

You can also set the following properties by selecting Custom application-properties > Add Property.

Table 4.5. Atlas Advanced application-properties

PropertyValueDescription
keystore.file<path_to_keystore_file>The path to the keystore file leveraged by the server. This file contains the server certificate.
truststore.file<path_to_trustore_file>The path to the truststore file. This file contains the certificates of other trusted entities (e.g. the certificates for client processes if two-way SSL is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled).
client.auth.enabledtrue|falseEnable/disable client authentication (disabled by default). If enabled, the client must authenticate to the server during the transport session key creation process (i.e. two-way SSL is in effect).
cert.stores.credential.provider.path<path_to_credential_provider_store_file>The path to the Credential Provider store file. The passwords for the keystore, truststore, and server certificate are maintained in this secure file. Utilize the cputil script in the 'bin' directory (see below) to populate this file with the passwords required.
atlas.ssl.exclude.cipher.suites

Example value:

*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*

The excluded Cipher Suites list - NULL.,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are excluded by default. If additional Ciphers need to be excluded, set this property with the default Cipher Suites such as *NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*, and add the additional Cipher Suites to the list with a comma separator. They can be added with their full name or a regular expression. The Cipher Suites listed in the atlas.ssl.exclude.cipher.suites property take precedence over the default Cipher Suites. You should retain the default Cipher Suites, and add additional ones to increase security.

[Important]Important

Enabling or disabling HTTPS will not automatically reconfigure the atlas.rest.address property. To update this property, select Atlas > Configs > Advanced, then select Advanced application-properties. Change the URL strings in the atlas.rest.address property to "https" if SSL is enabled (if the atlas.enableTLS property is set to true) "https". If SSL is not enabled, use "http". For example:

  • http:<server_one>:21000,http:<server_two>:21000,http:<server_three>:21000

  • https:<server_one>:21443,https:<server_two>:21443,https:<server_three>:21443

The default HTTP port is 21000 and the default HTTPS port is 21443. These values can be overridden using the atlas.server.http.port and atlas.server.https.port properties, respectively.

After manually editing these settings, select Actions > Stop All on the Ambari dashboard to stop all services, then select Actions > Start All to restart all services.

Credential Provider Utility Script

In order to prevent the use of clear-text passwords, the Atlas platform uses the Credential Provider facility for secure password storage (see the Hadoop Credential Command Reference for more information about this facility). The cputil script can be used to create the required password store.

To create the credential provider for Atlas:

  1. Use the following command to switch to the Atlas bin directory:

    cd /usr/hdp/current/atlas-server/bin
  2. Run the following command:

    ./cputil.py

  3. When prompted, enter the path for the generated credential provider. The format for the path is:

    /local/file/path/file.jceks

    Only one absolute path is allowed. The credential provider files generally use the .jceks extension.

  4. When prompted, enter the passwords for the keystore, truststore, and server key (these passwords must match the passwords used when actually creating the associated certificate store files).

  5. The credential provider is generated and saved to the specified path.