Security
Also available as:
PDF
loading table of contents...

Enable SSL for Apache Atlas

This section describes how to enable SSL for Apache Atlas on an Ambari cluster.

Configuring Apache Atlas SSL

Both one-way (server authentication) and two-way (server and client authentication) SSL are supported. Use the following steps to enable Apache Atlas SSL:

  1. Create a keystore file:

    cd /usr/jdk64/jdk1.8.0_112/bin/
    keytool -genkey -alias serverkey -keypass <keypass> -keyalg RSA -sigalg SHA1withRSA -keystore atlas.keystore -storepass <keypass> -validity 3650 -dname "CN=Nicola Marangoni, OU=PS, O=Hortonworks, L=Munich, ST=BY, C=DE"
  2. Create a .jceks file:

    cd /usr/hdp/current/atlas-server/bin
    ./cputil.py
    Please enter the full path to the credential provider:jceks://file/home/atlas/test.jceks
    0    [main] WARN  org.apache.hadoop.util.NativeCodeLoader  - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
    Please enter the password value for keystore.password:<keypass>
    Please enter the password value for keystore.password again:<keypass>
    Please enter the password value for truststore.password:<keypass>
    Please enter the password value for truststore.password again:<keypass>
    Please enter the password value for password:<keypass>
    Please enter the password value for password again:<keypass>
    cp /root/atlas.keystore /home/atlas/
    cd /home/atlas
  3. Assign 440 rights to both of these files, and make atlas:hadoop owners for these files (so that Atlas can read these files):

    chmod 440 atlas.keystore test.jceks
  4. Select Atlas > Configs > Advanced, then select Advanced application-properties and set the following properties:

    Table 4.4. Atlas Advanced application-properties

    PropertyValueDescription
    atlas.enableTLStrueEnable or disable the SSL listener. Set this value to true to enable SSL (default value is false).

    Add the following properties by selecting Custom application-properties > Add Property.

    Table 4.5. Atlas Custom application-properties

    PropertyValueDescription
    keystore.file/home/atlas/atlas.keystoreThe path to the keystore file leveraged by the server. This file contains the server certificate.
    truststore.file/home/atlas/atlas.keystoreThe path to the truststore file. This file contains the certificates of other trusted entities (e.g. the certificates for client processes if two-way SSL is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled).
    client.auth.enabledtrueEnable/disable client authentication (disabled by default). If enabled, the client must authenticate to the server during the transport session key creation process (i.e. two-way SSL is in effect).
    cert.stores.credential.provider.pathjceks://file//home/atlas/test.jceksThe path to the Credential Provider store file. The passwords for the keystore, truststore, and server certificate are maintained in this secure file. Utilize the cputil script in the 'bin' directory (see below) to populate this file with the passwords required.
    atlas.ssl.exclude.cipher.suites

    *NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*

    The excluded Cipher Suites list - NULL.,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are excluded by default. If additional Ciphers need to be excluded, set this property with the default Cipher Suites such as *NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*, and add the additional Cipher Suites to the list with a comma separator. They can be added with their full name or a regular expression. The Cipher Suites listed in the atlas.ssl.exclude.cipher.suites property take precedence over the default Cipher Suites. You should retain the default Cipher Suites, and add additional ones to increase security.

    [Important]Important

    Enabling or disabling HTTPS will not automatically reconfigure the atlas.rest.address property. To update this property, select Atlas > Configs > Advanced, then select Advanced application-properties. Change the URL strings in the atlas.rest.address property to "https" if SSL is enabled (if the atlas.enableTLS property is set to true) "https". If SSL is not enabled, use "http". For example:

    • http:<server_one>:21000,http:<server_two>:21000,http:<server_three>:21000

    • https:<server_one>:21443,https:<server_two>:21443,https:<server_three>:21443

    The default HTTP port is 21000 and the default HTTPS port is 21443. These values can be overridden using the atlas.server.http.port and atlas.server.https.port properties, respectively.

  5. [Important]Important

    After manually editing these settings, select Actions > Stop All on the Ambari dashboard to stop all services, then select Actions > Start All to restart all services.

[Note]Note

If you disable Atlas SSL, you must clear your browser cookies in order to log in to the Atlas UI using HTTP request headers.

Credential Provider Utility Script

In order to prevent the use of clear-text passwords, the Atlas platform uses the Credential Provider facility for secure password storage (see the Hadoop Credential Command Reference for more information about this facility). The cputil script can be used to create the required password store.

To create the credential provider for Atlas:

  1. Use the following command to switch to the Atlas bin directory:

    cd /usr/hdp/current/atlas-server/bin
  2. Run the following command:

    ./cputil.py

  3. When prompted, enter the path for the generated credential provider. The format for the path is:

    /local/file/path/file.jceks

    Only one absolute path is allowed. The credential provider files generally use the .jceks extension.

  4. When prompted, enter the passwords for the keystore, truststore, and server key (these passwords must match the passwords used when actually creating the associated certificate store files).

  5. The credential provider is generated and saved to the specified path.