Self-Signed Certificate with Specific Hostname for Evaluations
To continue using self-signed certificates in larger evaluation deployments, generate a certificate for a specific hostname. This allows clients to verify that the hostname presented in the certificate is the host they requested in the request URL.
To create a self-signed certificate:
Create a certificate, where $gateway-hostname is the FQDN of the Knox Gateway:
cd $gateway
bin/knoxcli.cmd create-cert --hostname $gateway-hostname
Export the certificate in PEM format:
keytool -export -alias gateway-identity -rfc -file $certificate_path -keystore $gateway/data/security/keystores/gateway.jks
Note: cURL's --cacert option accepts certificates in PEM format only.
Restart the gateway:
cd $gateway
bin/gateway.sh stop
bin/gateway.sh start
After copying the certificate to a client, use the following command to verify:
curl --cacert $certificate_path -u $username:$password https://$gateway-hostname:$gateway_port/gateway/$cluster_name/webhdfs/v1?op=GETHOMEDIRECTORY
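Before copying the exported file to clients, it can be checked for the three conditions the curl verification depends on: PEM encoding, a subject that matches the gateway hostname, and an unexpired validity period. The following is an added example, not part of the original Knox documentation; it assumes the OpenSSL command-line tool (1.1.1 or later) is installed, and check_gateway_cert is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-flight checks on the PEM file exported from gateway.jks.
# check_gateway_cert is a hypothetical helper, not a Knox or keytool command.
# Assumes the OpenSSL CLI (1.1.1+) is on PATH.
#
# Return codes: 0 ok, 2 not PEM, 3 hostname mismatch, 4 expired
check_gateway_cert() {
    pem=$1
    host=$2

    # curl --cacert needs PEM; a DER export (keytool without -rfc) fails here.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null ||
       ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "FAIL: $pem is not a PEM certificate" >&2
        return 2
    fi

    # -checkhost applies OpenSSL's hostname matching (SAN first, then CN).
    # Its exit status does not reflect the result, so parse the message.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" |
         grep -q 'does match certificate'; then
        echo "FAIL: certificate was not issued for $host" >&2
        return 3
    fi

    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        return 4
    fi

    echo "OK: $pem is PEM, matches $host, and is unexpired"
}

# Usage (placeholders as in the steps above):
#   check_gateway_cert $certificate_path $gateway-hostname
```

A return code of 3 means the certificate was created for a different name than the one clients put in the URL, which is the condition the --hostname option to create-cert is meant to prevent.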