Setting up Knox SSO for Ranger

This section describes how to configure Ranger to use Knox SSO (Single Sign-on) to authenticate users on an Ambari cluster. With this configuration, unauthenticated users who try to access Ranger are redirected to the Knox SSO login page for authentication.

	Note
	Knox SSO is only applied to web UI users. Internal Ranger users have the option to bypass Knox SSO and log in to the Ranger UI directly using the "locallogin" URL: `http://<ranger_host>:6080/locallogin`.

Use the following steps to configure Knox SSO for Ranger:

Install Ambari with HDP-2.5 or higher. Install Knox along with the other services.
Install Ranger using Ambari.
The Knox SSO topology settings are preconfigured in Knox > Configs > Advanced knoxsso-topology.
Run the following CLI command to export the Knox certificate:
```
JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file <cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
```
- When prompted, enter the Knox master password.
- Note the location where you save the cert.pem file.
Select Ranger > Configs > Advanced > Knox SSO Settings and set the following properties:
- Enable Ranger SSO – Select this check box to enable Ranger SSO.
- SSO provider url – https://<knox_host>:8443/gateway/knoxsso/api/v1/websso
- SSO public key – Paste in the contents of the cert.pem certificate file exported from Knox.
  When you paste the contents, exclude the header and footer.
- SSO browser useragent – Preconfigured with Mozilla,chrome.
Click Save to save the new configuration, then click through the confirmation pop-ups.
Restart Ranger. Select Actions > Restart All Required to restart all other services that require a restart.
Knox SSO should now be enabled. Users who try to access Ranger are redirected to the Knox SSO login page for authentication.

​Setting up Knox SSO for Ranger

Setting up Knox SSO for Ranger