Configuring Apache Atlas SSL
Use the following steps to enable Apache Atlas SSL. Both one-way (server authentication) and two-way (server and client authentication) SSL are supported.
- Create a keystore file:

  ```
  cd /usr/jdk64/jdk1.8.0_112/bin/
  keytool -genkey -alias serverkey -keypass <keypass> -keyalg RSA -sigalg SHA1withRSA -keystore atlas.keystore -storepass <keypass> -validity 3650 -dname "CN=Nicola Marangoni, OU=PS, O=Hortonworks, L=Munich, ST=BY, C=DE"
  ```
- Create a .jceks file (the session below shows the prompts of cputil.py and the values entered at each prompt):

  ```
  cd /usr/hdp/current/atlas-server/bin
  ./cputil.py
  Please enter the full path to the credential provider:jceks://file/home/atlas/test.jceks
  0 [main] WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
  Please enter the password value for keystore.password:<keypass>
  Please enter the password value for keystore.password again:<keypass>
  Please enter the password value for truststore.password:<keypass>
  Please enter the password value for truststore.password again:<keypass>
  Please enter the password value for password:<keypass>
  Please enter the password value for password again:<keypass>
  cp /root/atlas.keystore /home/atlas/
  cd /home/atlas
  ```
- Assign 440 rights to both of these files, and make atlas:hadoop the owner of these files (so that Atlas can read them):

  ```
  chmod 440 atlas.keystore test.jceks
  chown atlas:hadoop atlas.keystore test.jceks
  ```
- Select Atlas > Configs > Advanced, then select Advanced application-properties and set the following property:

  Table 1. Atlas Advanced application-properties

  | Property | Value | Description |
  |---|---|---|
  | atlas.enableTLS | true | Enable or disable the SSL listener. Set this value to true to enable SSL (default value is false). |

  Add the following properties by selecting Custom application-properties > Add Property.

  Table 2. Atlas Custom application-properties

  | Property | Value | Description |
  |---|---|---|
  | keystore.file | /home/atlas/atlas.keystore | The path to the keystore file used by the server. This file contains the server certificate. |
  | truststore.file | /home/atlas/atlas.keystore | The path to the truststore file. This file contains the certificates of other trusted entities (e.g. the certificates for client processes if two-way SSL is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled). |
  | client.auth.enabled | true | Enable/disable client authentication (disabled by default). If enabled, the client must authenticate to the server during the transport session key creation process (i.e. two-way SSL is in effect). |
  | cert.stores.credential.provider.path | jceks://file//home/atlas/test.jceks | The path to the Credential Provider store file. The passwords for the keystore, truststore, and server certificate are maintained in this secure file. Use the cputil script in the 'bin' directory (see the cputil.py step above) to populate this file with the passwords required. |
  | atlas.ssl.exclude.cipher.suites | .*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.* | The excluded cipher suites. The default list (.*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*) consists of weak and unsafe cipher suites that are excluded by default. If additional cipher suites need to be excluded, set this property to the default list and append the additional suites, separated by commas. They can be added by their full name or as a regular expression. The cipher suites listed in the atlas.ssl.exclude.cipher.suites property take precedence over the default cipher suites. You should retain the default cipher suites and add additional ones to increase security. |

  Note: Enabling or disabling HTTPS will not automatically reconfigure the atlas.rest.address property. To update this property, select Atlas > Configs > Advanced, then select Advanced application-properties. Change the URL strings in the atlas.rest.address property to "https" if SSL is enabled (if the atlas.enableTLS property is set to true); if SSL is not enabled, use "http". For example:

  ```
  http://<server_one>:21000,http://<server_two>:21000,http://<server_three>:21000
  https://<server_one>:21443,https://<server_two>:21443,https://<server_three>:21443
  ```

  The default HTTP port is 21000 and the default HTTPS port is 21443. These values can be overridden using the atlas.server.http.port and atlas.server.https.port properties, respectively.

- After manually editing these settings, select Actions > Stop All on the Ambari dashboard to stop all services, then select Actions > Start All to restart all services.
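As an added check, not part of the Atlas documentation or of the Atlas project's own tooling, the following POSIX shell script verifies two things the steps above ask for: that the keystore and the credential store end up with mode 440 and owner atlas:hadoop, and which cipher suite names a given atlas.ssl.exclude.cipher.suites value actually removes. It assumes the file paths used above (/home/atlas/atlas.keystore and /home/atlas/test.jceks), works on a constructed list of cipher suite names rather than on anything read from a JVM, and evaluates the exclusion entries with grep -E as an approximation of the Java regular expressions Atlas applies. Running it with --run on the Atlas host prints the results; the functions can also be sourced and used individually.

```shell
#!/bin/sh
# Added example, not part of the Atlas documentation: checks the file
# permissions and the cipher suite exclusions configured on this page.

# Mode and owner required for the keystore and the credential store.
REQUIRED_MODE='r--r-----'   # what "chmod 440" produces
REQUIRED_OWNER='atlas'
REQUIRED_GROUP='hadoop'

# Default value of atlas.ssl.exclude.cipher.suites, as given on the page.
DEFAULT_EXCLUDES='.*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*'

# Constructed sample of suite names a JVM might offer (not from the page).
SAMPLE_SUITES='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_NULL_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'

# Print the nine permission characters of a file (parses ls -ld for portability).
file_mode() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# Print "owner group" of a file.
file_owner_group() {
    ls -ld "$1" | awk '{ print $3, $4 }'
}

# Return 0 when FILE is mode 440 and owned by OWNER:GROUP (default
# atlas:hadoop); otherwise print the reason to stderr and return 1.
check_secret_file() {
    file=$1
    owner=${2:-$REQUIRED_OWNER}
    group=${3:-$REQUIRED_GROUP}
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    mode=$(file_mode "$file")
    if [ "$mode" != "$REQUIRED_MODE" ]; then
        echo "$file: mode is $mode, expected $REQUIRED_MODE (chmod 440)" >&2
        return 1
    fi
    og=$(file_owner_group "$file")
    if [ "$og" != "$owner $group" ]; then
        echo "$file: owned by $og, expected $owner $group" >&2
        return 1
    fi
    return 0
}

# Return 0 when SUITE matches any regex in the comma-separated list PATTERNS
# (default: the page's list). Atlas treats the entries as Java regular
# expressions; grep -E is a close enough approximation for these patterns.
cipher_excluded() {
    suite=$1
    patterns=${2:-$DEFAULT_EXCLUDES}
    saved_ifs=$IFS
    IFS=','
    set -f                      # no globbing while the patterns are split
    set -- $patterns
    set +f
    IFS=$saved_ifs
    for pat in "$@"; do
        pat=$(printf '%s' "$pat" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$pat" ] || continue
        if printf '%s\n' "$suite" | grep -Eqx -- "$pat"; then
            return 0
        fi
    done
    return 1
}

# Print the sample suites that survive the exclusion list, one per line.
retained_suites() {
    excludes=${1:-$DEFAULT_EXCLUDES}
    printf '%s\n' "$SAMPLE_SUITES" | while read -r suite; do
        cipher_excluded "$suite" "$excludes" || printf '%s\n' "$suite"
    done
}

main() {
    rc=0
    for f in /home/atlas/atlas.keystore /home/atlas/test.jceks; do
        check_secret_file "$f" || rc=1
    done
    echo "Suites retained by the default exclusion list:"
    retained_suites
    # Extending the list as the page describes: keep the defaults, append with a comma.
    echo "Suites retained after also excluding one suite by its full name:"
    retained_suites "$DEFAULT_EXCLUDES, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    return $rc
}

case "${1:-}" in --run) main ;; esac
```

On the constructed sample, the default list removes the RC4/MD5, NULL, 3DES and DSS suites and keeps the two ECDHE AES-GCM suites; note that `.*DES.*` also catches 3DES names. Appending an entry after the defaults, as the property description requires, removes one more suite while the defaults stay in force. The script only reports; it changes no file and no property.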
Note: If you disable Atlas SSL, you must clear your browser cookies in order to log in to the Atlas UI using HTTP request headers.