Setting up Knox SSO for Ambari
This section describes how to configure Ambari to use Knox SSO (Single Sign-on) to authenticate users. With this configuration, unauthenticated users who try to access Ambari are redirected to the Knox SSO login page for authentication.
Use the following steps to configure Knox SSO for Ambari:

1. Log in as the root user.

2. Run the following CLI command to export the Knox certificate:

   $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file <cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

   When prompted, enter the Knox master password.

   Note the location where you save the cert.pem file. You will use the content of this file.

3. Run the following command:

   ambari-server setup-sso

   a. When prompted, enter y.

   b. For the provider URL, enter:

      https://<hostname>:8443/gateway/knoxsso/api/v1/websso

   c. When prompted to enter Public Certificate pem, copy and paste the content of the cert.pem file, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

   d. When prompted to configure advanced properties, enter n.

   e. Leave JWT Cookie name (hadoop-jwt) and JWT audiences list empty.

   The prompt returns Ambari Server 'setup-sso' completed successfully.

4. Restart the Ambari Server:

   ambari-server restart

Example 2.5. Example Knox SSO for Ambari
ambari-server setup-sso
Setting up SSO authentication properties...
Do you want to configure SSO authentication [y/n] (y)?y
Provider URL [URL] (http://example.com):https://c6402.ambari.apache.org:8443/gateway/knoxsso/api/v1/websso
Public Certificate pem (empty) (empty line to finish input):
MIICYTCCAcqgAwIBAgIIHd3j94bX9IMwDQYJKoZIhvcNAQEFBQAwczELMAkGA1UEBhMCVVMxDTAL
BgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVz
dDEmMCQGA1UEAxMda25veHNzby1za29uZXJ1LTItMi5ub3ZhbG9jYWwwHhcNMTYwMzAxMTEzMTQ0
WhcNMTcwMzAxMTEzMTQ0WjBzMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVGVzdDENMAsGA1UEBxME
VGVzdDEPMA0GA1UEChMGSGFkb29wMQ0wCwYDVQQLEwRUZXN0MSYwJAYDVQQDEx1rbm94c3NvLXNr
b25lcnUtMi0yLm5vdmFsb2NhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlV0Jtd8zmzVZ
UZRbqxXvK9MV5OYIOWTX9/FMthwr99eClHp3JdZ1x3utYr9nwdZ6fjZaUIihzu8a8SGoipbW2ZVU
TShGZ/5VKtu96YcSAoB3VTyc3WWRDGERRs7aKAlEqnURDkQz7KRs2tvItJpBBjrTXZpHKFTOecL4
hCkaalUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAqvPfl4fivozd+4QI4ZBohFHHvf1z4Y7+DxlY7
iNAnjnau4W3wgwTt6CQ1B9fSx3zVTlhu2PfDJwvumBbuKuth/M+KXpG28AbKIojrL2Odlv+cftrJ
YeJC6Qjee+5Pf2P9G2wd9fahWF+aQpr50YlMZSU+VMiTO2a2FSAXvOdjvA==

Do you want to configure advanced properties [y/n] (n) ?y
JWT Cookie name (hadoop-jwt):
JWT audiences list (comma-separated), empty for any ():
Ambari Server 'setup-sso' completed successfully.
ambari-server restart
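
The following helper is an added example, not part of the original procedure or of Ambari or Knox. It extracts the text to paste at the Public Certificate pem prompt from the exported cert.pem, refusing files that hold a private key or more than one certificate, and prints a SHA-256 fingerprint to compare with the one keytool reports for the gateway-identity alias. The function names are hypothetical, and GNU base64 and sha256sum are assumed.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Assumes GNU coreutils (base64, sha256sum); function names are hypothetical.

# Print the certificate body of a PEM file without the BEGIN/END lines.
# Fails unless the file holds exactly one certificate and no private key.
sso_cert_body() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    if grep -q 'PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; export only the certificate" >&2
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$pem" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected exactly one certificate in $pem" >&2
        return 1
    fi
    # Keep the lines between the markers; drop CRs, marker lines and blank lines.
    body=$(tr -d '\r' < "$pem" | sed -n \
        '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/{/^-----/d;/^[[:space:]]*$/d;p;}')
    # The body must be non-empty and must decode as base64.
    [ -n "$body" ] && printf '%s\n' "$body" | base64 -d >/dev/null 2>&1 || {
        echo "certificate body in $pem is not valid base64" >&2
        return 1
    }
    printf '%s\n' "$body"
}

# SHA-256 of the decoded (DER) bytes, formatted as colon-separated hex pairs.
sso_cert_fingerprint() {
    der_b64=$(sso_cert_body "$1") || return 1
    printf '%s\n' "$der_b64" | base64 -d | sha256sum | cut -d' ' -f1 |
        tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Usage: sh <this-script> cert.pem
if [ "$#" -gt 0 ]; then
    echo "Paste at the 'Public Certificate pem' prompt:"
    sso_cert_body "$1" || exit 1
    echo "SHA-256 fingerprint: $(sso_cert_fingerprint "$1")"
fi
```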