Preparing for LDAPS integration
If you are using LDAPS, the certificate authority (CA) that signed the certificate for your LDAP server must be present in the truststore used by Ambari.
If the LDAP server has a certificate signed by a well-known CA, no further action is needed, as the default Java truststore contains a list of public CAs. If you are using an organizational CA or a self-signed certificate, there are two ways of meeting this requirement:
A) Tell Ambari to use a custom truststore that already contains the certificate of the CA that signed the LDAP host certificate. The ambari-server setup-ldap CLI utility provides options that support secure and custom truststores, but the custom truststore must be created in advance and available for Ambari to use.
B) Import the public certificate of the CA that signed the LDAP host certificate into the default Java truststore ($JAVA_HOME/jre/lib/security/cacerts). This option may be less secure: if the LDAP server uses a self-signed certificate, that certificate becomes a trusted CA for all processes running on the Ambari host. In addition, since the default Java truststore is tied to the specific version of Java, updating the Java version will require the CA cert to be imported again into the newer Java's truststore.
Note: The truststore information is still stored in the ambari.properties file, not in the Ambari database along with the remaining LDAP settings. Configuring a custom truststore or modifying the existing truststore requires a restart of the Ambari server for the settings to take effect.
Obtain the public certificate of the CA that signed the LDAP server certificate, and choose one of the paths below depending on your truststore management strategy.
Path A - Custom truststore
- If you are using Active Directory as your LDAP provider, obtain the public certificate of the CA that signed the AD certificate and create a new truststore to import the CA cert (or the LDAP host certificate, if self-signed) into. If necessary, convert the SSL certificate to X.509 format:
openssl x509 -in ad-ca.pem -out ad-ca.crt
Then import it into a new truststore:
$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/security/ldaps-truststore.jks
When prompted, enter a password. You will use this password during setup.
- If you are using FreeIPA as your LDAP provider and have registered the ipa-client on the Ambari host with the same IPA instance, a preconfigured truststore that contains the "well-known" CAs alongside IPA's CA public cert should exist in /etc/pki/java/cacerts. You can verify this by listing the contents of this file:
$JAVA_HOME/bin/keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep ipaca
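The Path A procedure as a script, added here as an example and not taken from the Ambari documentation: it refuses to import a certificate that is not a CA certificate (the self-signed leaf case the note above calls less secure), builds the custom truststore, and confirms the entry landed. The truststore path, alias and the check_server_chain helper are assumptions, not Ambari options.

```shell
#!/bin/sh
# Added example: build a custom JKS truststore for Ambari's LDAPS connection.
# Requires openssl and keytool ($JAVA_HOME/bin) on the Ambari host.
set -eu

# is_ca_cert PEM_FILE
# Returns 0 only if the certificate carries basicConstraints CA:TRUE, i.e. it
# is a CA certificate and not a self-signed server (leaf) certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# build_truststore CA_PEM TRUSTSTORE_PATH PASSWORD [ALIAS]
# Imports the CA into a truststore separate from $JAVA_HOME/jre/lib/security/cacerts,
# so the LDAP CA is trusted only by processes configured to use this store.
# Returns 2 (and creates nothing) when CA_PEM is not a CA certificate.
build_truststore() {
  ca_pem=$1; store=$2; pass=$3; alias=${4:-ldap-ca}   # alias name is an assumption
  if ! is_ca_cert "$ca_pem"; then
    echo "refusing to trust $ca_pem: basicConstraints CA:TRUE missing" >&2
    return 2
  fi
  # -noprompt: the CA check above replaces keytool's interactive confirmation.
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$ca_pem" \
    -keystore "$store" -storepass "$pass" -storetype JKS
  # Verify the import: the alias must be listed as a trustedCertEntry.
  keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" \
    | grep -q trustedCertEntry
}

# check_server_chain HOST PORT CA_PEM
# Returns 0 if the LDAPS server's certificate chain verifies against CA_PEM,
# confirming this really is the CA that signed the LDAP host certificate.
check_server_chain() {
  openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Typical use (assumed hostname and paths):
#   check_server_chain ldap.example.com 636 /tmp/ad-ca.pem
#   build_truststore /tmp/ad-ca.pem /etc/security/ldaps-truststore.jks "$STORE_PASS"
```

The truststore path and password then go to ambari-server setup-ldap when it asks for the custom truststore.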
Path B - Import to default Java truststore
You can import an SSL certificate into an existing keystore, such as the default JRE certificate store, by typing the following commands after setting your JAVA_HOME. If necessary, convert the SSL certificate to X.509 format:
openssl x509 -in slapd.pem -out slapd.crt
$JAVA_HOME/bin/keytool -import -trustcacerts -file slapd.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
Note: Be sure to restart Ambari server to have it pick up the modified truststore.