Securing Credentials

Preparing for LDAPS integration

If you are using LDAPs, the certificate authority that signed the certificate for your LDAP server must be present in the truststore used by Ambari.

If the LDAP server has a certificate signed by a "well known" CA, no further action is needed, as the default Java truststore already contains a list of public CAs. If you are using an organizational CA or a self-signed certificate, there are two ways of meeting this requirement:

A) Tell Ambari to use a custom truststore that already contains the certificate of the CA that signed the LDAP host certificate. The ambari-server setup-ldap cli utility provides options that support secure and custom truststores, but the custom truststore must be created in advance and available for Ambari to use.

B) Import the public certificate of the CA that signed the LDAP host certificate into the default Java truststore ($JAVA_HOME/jre/lib/security/cacerts). This option may be less secure: if the LDAP server uses a self-signed certificate, that certificate becomes a trusted CA for all processes running on the Ambari host. In addition, since the default Java truststore is tied to the specific version of Java, updating the Java version will require the CA cert to be imported again into the newer Java's truststore.

Note

The truststore information is still stored in the ambari.properties file, not in the Ambari database along with the remaining LDAP settings. Configuring a custom truststore or modifying the existing truststore requires a restart of the Ambari server for the settings to take effect.

Obtain the public certificate of the CA that signed the LDAP server certificate, and choose one of the paths below depending on your truststore management strategy.

Path A - Use a Custom Truststore
  • If you are using Active Directory as your LDAP provider, obtain the public certificate of the CA that signed the AD certificate and create a new truststore to import the CA cert (or the LDAP host certificate, if self-signed) into.

    If necessary, convert the SSL certificate to X.509 format:

    openssl x509 -in ad-ca.pem -out ad-ca.crt

    $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/security/ldaps-truststore.jks

    When prompted, enter a password. You will use this during setup.

  • If you are using FreeIPA as your LDAP provider and have registered the ipa-client on the Ambari host with the same IPA instance, a preconfigured truststore that contains the "well-known" CAs alongside IPA's CA public cert should exist in /etc/pki/java/cacerts. You can verify this by listing the contents of this file:

    $JAVA_HOME/bin/keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep ipaca

Path B - Import to default Java truststore

You can import an SSL certificate into an existing keystore, such as the default JRE certificate store, by running the following commands after setting your JAVA_HOME:

If necessary, convert the SSL certificate to X.509 format:

openssl x509 -in slapd.pem -out slapd.crt

$JAVA_HOME/bin/keytool -import -trustcacerts -file slapd.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

Note

Be sure to restart the Ambari server so that it picks up the modified truststore.

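Whichever path you choose, the requirement stated at the top of this page is the same: the truststore Ambari uses must contain the CA that actually signed the LDAP server certificate. The script below is an added example, not part of the Ambari documentation: it builds a custom JKS truststore with keytool, checks by SHA-256 fingerprint that the truststore trusts a given CA certificate, and checks with openssl that the LDAP server certificate really chains to that CA. The "ldap-ca" alias, the file names, the password changeit and the throw-away demo PKI (CN=Demo LDAP CA, CN=ldap.example.com) are constructed for this example; run it as `sh script.sh demo`.

```shell
#!/usr/bin/env bash
# Added example, not part of the Ambari documentation: build a custom JKS
# truststore from a CA certificate and check, before running
# ambari-server setup-ldap, that the truststore trusts the CA that signed the
# LDAP server certificate. File names, hostnames and the "ldap-ca" alias are
# placeholders chosen for this example.
set -eu

# Import a CA certificate (PEM or DER) into a JKS truststore, creating the
# file if it does not exist. Java 9+ defaults new keystores to PKCS12, so the
# type is forced to jks to match what the Ambari setup prompt expects.
#   import_ca_to_truststore CA_CERT TRUSTSTORE STORE_PASSWORD [ALIAS]
import_ca_to_truststore() {
  local ca_file="$1" store="$2" pass="$3" alias="${4:-ldap-ca}"
  keytool -importcert -noprompt -trustcacerts -storetype jks \
    -alias "$alias" -file "$ca_file" \
    -keystore "$store" -storepass "$pass" >/dev/null 2>&1
}

# Succeed (exit 0) if the truststore holds a certificate whose SHA-256
# fingerprint equals that of CA_CERT. Comparing fingerprints rather than
# aliases or subject names avoids being fooled by a same-named certificate.
#   truststore_trusts_ca TRUSTSTORE STORE_PASSWORD CA_CERT
truststore_trusts_ca() {
  local store="$1" pass="$2" ca_file="$3" want listing
  want="$(openssl x509 -in "$ca_file" -noout -fingerprint -sha256 \
            | cut -d= -f2 | tr -d ':')"
  listing="$(keytool -list -v -keystore "$store" -storepass "$pass" 2>/dev/null \
            | tr -d ':')"
  printf '%s\n' "$listing" | grep -q -F "$want"
}

# Succeed if SERVER_CERT chains to CA_CERT, i.e. this really is the CA that
# signed the LDAP server certificate (the requirement stated on this page).
#   server_cert_signed_by SERVER_CERT CA_CERT
server_cert_signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed throw-away PKI for the demonstration: a CA, an unrelated CA and
# an LDAP server certificate issued by the first CA. Not real certificates.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo LDAP CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other-ca.key" -out "$d/other-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
    -keyout "$d/ldap.key" -out "$d/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/ldap.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/ldap.pem" >/dev/null 2>&1
}

demo() {
  local d; d="$(mktemp -d)"
  make_demo_pki "$d"
  import_ca_to_truststore "$d/ca.pem" "$d/ldaps-truststore.jks" changeit
  if server_cert_signed_by "$d/ldap.pem" "$d/ca.pem" \
     && truststore_trusts_ca "$d/ldaps-truststore.jks" changeit "$d/ca.pem"; then
    echo "OK: truststore trusts the CA that issued ldap.example.com"
  else
    echo "FAIL: truststore does not trust the LDAP server's CA" >&2
  fi
  # A CA that did not sign the server certificate must not be trusted.
  if truststore_trusts_ca "$d/ldaps-truststore.jks" changeit "$d/other-ca.pem"; then
    echo "FAIL: unrelated CA unexpectedly trusted" >&2
  fi
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real deployment, point server_cert_signed_by at the certificate your LDAP server presents (for example, the ad-ca.pem and slapd.pem files used in the steps above) and truststore_trusts_ca at the truststore you intend to give to ambari-server setup-ldap; running the check on the Java default cacerts before and after a Java upgrade also shows the caveat from option B, since the imported CA is absent from the new JRE's truststore.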
  1. On the Ambari Server host, run ambari-server setup-ldap and respond to each prompt.
  2. If you set Use SSL* = true, the following prompt appears: Do you want to provide custom TrustStore for Ambari?:
  3. If you are using IPA and have installed the ipa-client and registered the Ambari host with IPA, type y.
    When you select this option, enter:
    • At the TrustStore type prompt, enter jks.
    • At the Path to TrustStore file prompt, enter /etc/pki/java/cacerts
    • At the Password for TrustStore prompt, type changeit, unless you changed it, in which case you should provide the current password.
  4. If you are using AD/LDAP and have pre-created a custom truststore using the steps above, type y.
    When you select this option, enter:
    • At the TrustStore type prompt, enter jks.

    • At the Path to TrustStore file prompt, enter /etc/security/ldaps-truststore.jks.

    • At the Password for TrustStore prompt, type the password that you defined for the keystore.
  5. Review your settings and if they are correct, select y.
  6. Start or restart the Ambari server.
    ambari-server restart