Configuring Wire Encryption
Also available as:
PDF
loading table of contents...

Configuring Apache Atlas SSL

Use the following steps to enable Apache Atlas SSL. Both one-way (server authentication) and two-way (server and client authentication) SSL are supported.

  1. Create a keystore file:
    cd /usr/jdk64/jdk1.8.0_112/bin/
    keytool -genkey -alias serverkey -keypass <keypass> -keyalg RSA -sigalg SHA1withRSA -keystore atlas.keystore -storepass <keypass> -validity 3650 -dname "CN=Nicola Marangoni, OU=PS, O=Hortonworks, L=Munich, ST=BY, C=DE"
  2. Create a .jceks file:
    cd /usr/hdp/current/atlas-server/bin
    ./cputil.py
    Please enter the full path to the credential provider:jceks://file/home/atlas/test.jceks
    0    [main] WARN  org.apache.hadoop.util.NativeCodeLoader  - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
    Please enter the password value for keystore.password:<keypass>
    Please enter the password value for keystore.password again:<keypass>
    Please enter the password value for truststore.password:<keypass>
    Please enter the password value for truststore.password again:<keypass>
    Please enter the password value for password:<keypass>
    Please enter the password value for password again:<keypass>
    cp /root/atlas.keystore /home/atlas/
    cd /home/atlas
  3. Assign 440 rights to both of these files, and make atlas:hadoop owners for these files (so that Atlas can read these files):chmod 440 atlas.keystore test.jceks.
  4. Select Atlas > Configs > Advanced, then select Advanced application-properties and set the following properties:
    Table 1. Atlas Advanced application-properties
    Property Value Description
    atlas.enableTLS true Enable or disable the SSL listener. Set this value to true to enable SSL (default value is false).

    Add the following properties by selecting Custom application-properties > Add Property.

    Table 2. Atlas Custom application-properties
    Property Value Description
    keystore.file /home/atlas/atlas.keystore The path to the keystore file leveraged by the server. This file contains the server certificate.
    truststore.file /home/atlas/atlas.keystore The path to the truststore file. This file contains the certificates of other trusted entities (e.g. the certificates for client processes if two-way SSL is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled).
    client.auth.enabled true Enable/disable client authentication (disabled by default). If enabled, the client must authenticate to the server during the transport session key creation process (i.e. two-way SSL is in effect).
    cert.stores.credential.provider.path jceks://file//home/atlas/test.jceks The path to the Credential Provider store file. The passwords for the keystore, truststore, and server certificate are maintained in this secure file. Utilize the cputil script in the 'bin' directory (see below) to populate this file with the passwords required.
    atlas.ssl.exclude.cipher.suites

    .*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*

    The excluded Cipher Suites list - .*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are excluded by default. If additional Ciphers need to be excluded, set this property with the default Cipher Suites such as .*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*, and add the additional Cipher Suites to the list with a comma separator. They can be added with their full name or a regular expression. The Cipher Suites listed in the atlas.ssl.exclude.cipher.suites property take precedence over the default Cipher Suites. You should retain the default Cipher Suites, and add additional ones to increase security.
    Note
    Note
    Enabling or disabling HTTPS will not automatically reconfigure the atlas.rest.address property. To update this property, select Atlas > Configs > Advanced, then select Advanced application-properties. Change the URL strings in the atlas.rest.address property to "https" if SSL is enabled (if the atlas.enableTLS property is set to true) "https". If SSL is not enabled, use "http". For example:
    http:<server_one>:21000,http:<server_two>:21000,http:<server_three>:21000 
    https:<server_one>:21443,https:<server_two>:21443,https:<server_three>:21443

    The default HTTP port is 21000 and the default HTTPS port is 21443. These values can be overridden using the atlas.server.http.port and atlas.server.https.port properties, respectively.

  5. After manually editing these settings, select Actions > Stop All on the Ambari dashboard to stop all services, then select Actions > Start All to restart all services.
Note
Note

If you disable Atlas SSL, you must clear your browser cookies in order to log in to the Atlas UI using HTTP request headers.