Enabling SSL for Ranger KMS

If you do not have access to Public CA-issued certificates, complete the following steps to create and configure self-signed certificates.

Note: The following examples contain sample values (folder locations, passwords, and filenames). Change these values according to your environment.

Considerations:

- Copy keystore/truststore files into a different location (for example, /etc/security/serverKeys) than the /etc/<component>/conf folders.
- Make sure JKS file names are different from each other.
- Make sure correct permissions are applied.
- Make sure all passwords are secured.
- For the test connection to be successful after enabling SSL, self-signed certificates should be imported to the Ranger admin's trust store (typically the JDK cacerts file).
- The property ranger.plugin.service.policy.rest.ssl.config.file should be verified; for example:
  ranger.plugin.kms.policy.rest.ssl.config.file ==> /etc/ranger/kms/conf/ranger-policymgr-ssl.xml
To enable SSL:

1. Stop the Ranger KMS service.

2. Go to the Ranger KMS (and plugin) installation location, and create a self-signed certificate:

       cd /etc/ranger/kms/conf/
       keytool -genkey -keyalg RSA -alias rangerKMSAgent -keystore <ranger-kms-ks> -storepass myKeyFilePassword -validity 360 -keysize 2048
       chown kms:kms <ranger-kms-ks>
       chmod 400 <ranger-kms-ks>

   where <ranger-kms-ks> is the name of the Ranger KMS keystore (for example, ranger-plugin-keystore.jks).

   Provide an identifiable string in response to the question "What is your first and last name?"

   Important: If multiple servers need to communicate with Ranger Admin to download policies for the same service/repository, use the repository name or a common string across all nodes. Remember exactly what you entered, because this value is required for the Common Name For Certificate field on the edit repository page in the Policy Manager UI.

   To create the keystore, provide answers to the subsequent questions. Note: Press Enter when prompted for the key password, so that it is the same as the keystore password.

3. Create a truststore for the Ranger KMS plugin, and add the public key of admin as a trusted entry into the truststore:

       cd /etc/ranger/kms/conf/
       keytool -export -keystore <ranger-admin-ks> -alias rangeradmin -file <cert-filename>
       keytool -import -file <cert-filename> -alias rangeradmintrust -keystore <ranger-kms-ts> -storepass changeit
       chown kms:kms <ranger-kms-ts>
       chmod 400 <ranger-kms-ts>

   where
   - <ranger-admin-ks> is the location of the Ranger Admin keystore (for example, /etc/ranger/admin/conf/ranger-admin-keystore.jks)
   - <ranger-kms-ts> is the name of the Ranger KMS plugin truststore (for example, ranger-plugin-truststore.jks)
   - <cert-filename> is the name of the Ranger Admin certificate file (for example, ranger-admin-trust.cer)

   Note: Press Enter when prompted for a password.

4. Change the policy manager URL to point to HTTPS, and specify the keystore and truststore in ews/webapp/WEB-INF/classes/conf/ranger-policymgr-ssl.xml:
   - In xasecure.policymgr.clientssl.keystore, provide the location of the keystore that you created in step 2.
   - In xasecure.policymgr.clientssl.keystore.password, provide the password for the keystore (myKeyFilePassword).
   - In xasecure.policymgr.clientssl.truststore, provide the location of the truststore that you created in step 3.
   - In xasecure.policymgr.clientssl.truststore.password, provide the password for the truststore (changeit).

5. Add the plugin's self-signed certificate to Ranger Admin's trusted CA certificates:

       cd /etc/ranger/admin/conf
       keytool -export -keystore <ranger-kms-ks> -alias rangerKMSAgent -file <cert-filename> -storepass myKeyFilePassword
       keytool -import -file <cert-filename> -alias rangerkmsAgentTrust -keystore <ranger-admin-ts> -storepass changeit

   where
   - <ranger-kms-ks> is the path to the Ranger KMS keystore (for example, /etc/ranger/kms/conf/ranger-plugin-keystore.jks)
   - <cert-filename> is the name of the certificate file (for example, ranger-kmsAgent-trust.cer)
   - <ranger-admin-ts> is the name of the Ranger Admin truststore file (for example, the JDK cacerts file)

6. Log in to the Policy Manager UI (as the keyadmin user) and click the Edit button of your KMS repository. Provide the CN of the keystore certificate as the Common Name For Certificate (commonNameForCertificate) and save. This property is not added by default.
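The keystore, truststore and ranger-policymgr-ssl.xml steps above, together with the permission and password considerations at the top of the page, scripted as an added example; this is not code from the HDP documentation or from the Ranger project. Passwords and aliases are the page's sample values. The store directory /etc/security/serverKeys, the Ranger Admin keystore password variable, the cacerts path, the CN value kmsdev and the --run flag are assumptions, and the change of the policy manager URL to HTTPS (done in Ambari) is not covered. keytool's -dname and -keypass options replace the interactive questions, and imports are skipped when the alias already exists.

```shell
#!/bin/sh
# Added example, not from the HDP documentation or the Ranger project: the
# plugin-side steps above, run non-interactively. Passwords and aliases are the
# page's sample values; paths marked "assumption" are mine. Run as root with --run.
set -eu

KEY_DIR="${KEY_DIR:-/etc/security/serverKeys}"        # assumption: outside /etc/<component>/conf
PLUGIN_KS="$KEY_DIR/ranger-plugin-keystore.jks"        # sample name from the page
PLUGIN_TS="$KEY_DIR/ranger-plugin-truststore.jks"      # sample name from the page
ADMIN_KS="${ADMIN_KS:-/etc/ranger/admin/conf/ranger-admin-keystore.jks}"
ADMIN_KS_PASS="${ADMIN_KS_PASS:-changeme}"             # assumption: set to the real admin keystore password
ADMIN_TS="${ADMIN_TS:-${JAVA_HOME:-/usr/lib/jvm/java}/jre/lib/security/cacerts}"  # assumption: JDK cacerts
KS_PASS="myKeyFilePassword"   # sample value from the page
TS_PASS="changeit"            # sample value from the page
OWNER="kms:kms"
CN="${CN:-kmsdev}"            # assumption; must equal Common Name For Certificate in the UI
SSL_XML="${SSL_XML:-/etc/ranger/kms/conf/ranger-policymgr-ssl.xml}"

need_keytool() { command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }; }

# Owner kms:kms and mode 400, as the page prescribes for every store.
lock_down() { chown "$OWNER" "$1"; chmod 400 "$1"; }

# Self-signed keypair. -dname answers "What is your first and last name?" and
# -keypass equal to -storepass is what pressing Enter at the key-password prompt does.
gen_keystore() { # <store> <alias> <storepass> <cn>
    need_keytool
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias "$2" -keystore "$1" -storepass "$3" -keypass "$3" -dname "CN=$4"
}

export_cert() { # <store> <alias> <storepass> <outfile>
    need_keytool
    keytool -export -keystore "$1" -alias "$2" -storepass "$3" -file "$4"
}

# keytool refuses to import an alias that already exists, so the import is
# skipped when the alias is present; -noprompt suppresses the
# "Trust this certificate?" question.
import_cert() { # <certfile> <alias> <truststore> <storepass>
    need_keytool
    if keytool -list -keystore "$3" -storepass "$4" -alias "$2" >/dev/null 2>&1; then
        echo "alias $2 already in $3, skipping"
        return 0
    fi
    keytool -import -noprompt -file "$1" -alias "$2" -keystore "$3" -storepass "$4"
}

# The four clientssl properties of ranger-policymgr-ssl.xml. The file holds
# passwords in clear text, so it gets the same ownership and mode as the stores.
write_policymgr_ssl_xml() { # <outfile> <keystore> <kspass> <truststore> <tspass>
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>xasecure.policymgr.clientssl.keystore</name><value>$2</value></property>
  <property><name>xasecure.policymgr.clientssl.keystore.password</name><value>$3</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore</name><value>$4</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore.password</name><value>$5</value></property>
</configuration>
EOF
}

# True when the file is mode 400 (Linux stat -c, BSD/macOS stat -f fallback).
check_store_perms() { # <file>
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$_mode" = "400" ]
}

main() {
    mkdir -p "$KEY_DIR"
    gen_keystore "$PLUGIN_KS" rangerKMSAgent "$KS_PASS" "$CN"
    lock_down "$PLUGIN_KS"
    export_cert "$ADMIN_KS" rangeradmin "$ADMIN_KS_PASS" "$KEY_DIR/ranger-admin-trust.cer"
    import_cert "$KEY_DIR/ranger-admin-trust.cer" rangeradmintrust "$PLUGIN_TS" "$TS_PASS"
    lock_down "$PLUGIN_TS"
    write_policymgr_ssl_xml "$SSL_XML" "$PLUGIN_KS" "$KS_PASS" "$PLUGIN_TS" "$TS_PASS"
    lock_down "$SSL_XML"
    export_cert "$PLUGIN_KS" rangerKMSAgent "$KS_PASS" "$KEY_DIR/ranger-kmsAgent-trust.cer"
    import_cert "$KEY_DIR/ranger-kmsAgent-trust.cer" rangerkmsAgentTrust "$ADMIN_TS" "$TS_PASS"
    for f in "$PLUGIN_KS" "$PLUGIN_TS" "$SSL_XML"; do
        check_store_perms "$f" || { echo "$f is not mode 400" >&2; exit 1; }
    done
    echo "Done. Set Common Name For Certificate = $CN on the KMS repository in the Policy Manager UI."
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root on the KMS host with "sh ranger-kms-plugin-ssl.sh --run" after exporting the variables that differ on your site (ADMIN_KS_PASS at minimum). The final loop re-checks the 400 mode on every file that holds key material or a password, which is the consideration most often missed when the steps are typed by hand.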
Configuring the Ranger KMS Server

1. Go to the Ranger KMS config location and create a self-signed certificate:

       cd /etc/ranger/kms/conf
       keytool -genkey -keyalg RSA -alias rangerkms -keystore <ranger-kms-ks> -storepass rangerkms -validity 360 -keysize 2048
       chown kms:kms <ranger-kms-ks>
       chmod 400 <ranger-kms-ks>

   where <ranger-kms-ks> is the name of the Ranger KMS server keystore (for example, ranger-kms-keystore.jks).

   Provide an identifiable string in response to the question "What is your first and last name?" To create the keystore, provide answers to all subsequent questions. Note: Press Enter when prompted for a password.

2. Add the following properties and values to the Custom ranger-kms-site list:

3. Update the value of kms_port (in Advanced kms_env) to the ranger.service.https.port value.

4. Save your changes and start Ranger KMS.

5. In your browser (or from curl), when you access the Ranger KMS UI over HTTPS on the ranger.service.https.port listed in Ambari, the browser should respond that it does not trust the site. Proceed, and you should be able to access Ranger KMS over HTTPS with the self-signed certificate that you just created.

6. Export the Ranger KMS certificate:

       cd /usr/hdp/<version>/ranger-kms/conf
       keytool -export -keystore <ranger-kms-ks> -alias rangerkms -file <cert-filename>

   where
   - <ranger-kms-ks> is the name of the Ranger KMS keystore (for example, ranger-kms-keystore.jks)
   - <cert-filename> is the name of the certificate file (for example, ranger-kms-trust.cer)

7. Import the Ranger KMS certificate into the Ranger Admin truststore:

       keytool -import -file <cert-filename> -alias rangerkms -keystore <ranger-admin-ts> -storepass changeit

   where
   - <cert-filename> is the name of the certificate file (for example, ranger-kms-trust.cer)
   - <ranger-admin-ts> is the name of the Ranger Admin truststore file (for example, JDK cacerts)

   Note: Make sure Ranger Admin's truststore properties (ranger.truststore.file and ranger.truststore.password) are correctly configured in ranger-admin-site.xml.

8. Import the Ranger KMS certificate into the Hadoop client truststore:

       keytool -import -file <cert-filename> -alias rangerkms -keystore <ts-filename> -storepass bigdata

   where
   - <cert-filename> is the name of the certificate file (for example, ranger-kms-trust.cer)
   - <ts-filename> is the name of the Hadoop client truststore file (for example, /etc/security/clientKeys/all.jks)

9. Restart Ranger Admin and Ranger KMS.

10. In the Policy Manager UI, under Audit --> Plugin, you should now see an entry for your service name with HTTP Response Code = 200.
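A verification script for the server-side procedure, added here as an example and not taken from the HDP documentation or from Ranger. It reads ranger.service.https.port from ranger-kms-site.xml (the value kms_port must match), checks that the rangerkms alias is present in the Ranger Admin truststore named by ranger.truststore.file and ranger.truststore.password in ranger-admin-site.xml, and performs a TLS handshake against the KMS HTTPS port trusting only the exported KMS certificate, which is what the browser warning step checks by hand. The file paths, the KMS host name kms.example.internal, the PEM copy of the certificate and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HDP documentation: post-enablement checks for
# the Ranger KMS server side. Host names and paths are assumptions; adjust them.
set -eu

KMS_SITE="${KMS_SITE:-/etc/ranger/kms/conf/ranger-kms-site.xml}"          # assumption
ADMIN_SITE="${ADMIN_SITE:-/etc/ranger/admin/conf/ranger-admin-site.xml}"  # page names this file
KMS_HOST="${KMS_HOST:-kms.example.internal}"                              # assumption
# curl needs PEM; produce it with "keytool -export -rfc ..." (plain -export writes DER).
KMS_CERT_PEM="${KMS_CERT_PEM:-/etc/security/serverKeys/ranger-kms-trust.pem}"  # assumption

# Read one property value from a Hadoop-style *-site.xml. The file is joined
# onto one line first so <name> and <value> may sit on separate lines.
xml_prop() { # <file> <property-name>
    tr -d '\n' < "$1" |
        sed -n "s#.*<name>[[:space:]]*$2[[:space:]]*</name>[[:space:]]*<value>\([^<]*\)</value>.*#\1#p"
}

# Is the alias present in the truststore? If ranger.truststore.password holds a
# credential-provider alias rather than the clear password, pass the password
# explicitly instead.
truststore_has_alias() { # <truststore> <storepass> <alias>
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# TLS handshake trusting only the exported KMS certificate. Exit status 0 means
# the handshake succeeded; the HTTP status code of the root URL is printed so
# that a non-200 from the UI path can be told apart from a TLS failure.
https_handshake_ok() { # <host> <port> <pem-cert>
    curl -sS --cacert "$3" -o /dev/null -w '%{http_code}\n' "https://$1:$2/"
}

main() {
    port=$(xml_prop "$KMS_SITE" ranger.service.https.port)
    [ -n "$port" ] || { echo "ranger.service.https.port not set in $KMS_SITE" >&2; exit 1; }
    echo "KMS HTTPS port: $port (kms_port in Advanced kms_env must be the same)"

    ts=$(xml_prop "$ADMIN_SITE" ranger.truststore.file)
    tspass=$(xml_prop "$ADMIN_SITE" ranger.truststore.password)
    if truststore_has_alias "$ts" "$tspass" rangerkms; then
        echo "alias rangerkms present in Ranger Admin truststore $ts"
    else
        echo "alias rangerkms missing from $ts: import the exported KMS certificate" >&2; exit 1
    fi

    if code=$(https_handshake_ok "$KMS_HOST" "$port" "$KMS_CERT_PEM"); then
        echo "TLS handshake to $KMS_HOST:$port OK, HTTP $code"
    else
        echo "TLS handshake to $KMS_HOST:$port failed" >&2; exit 1
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

curl verifies the server name against the certificate's CN or subject alternative name, so the handshake check only passes when the string given as "first and last name" for the KMS server keystore is the host name clients connect to; if it is not, the check fails even though a browser lets you click through, and Java clients that do hostname verification will fail in the same way.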