You can set up Knox to handle authentication when you access the user interfaces and
REST APIs. After you set up Knox, basic authentication is still an option for making requests
directly to the REST application, but any request to the user interfaces must go through Knox
first and contain the proper security token.
- Ensure that you have enabled LDAP on the Metron Security page
in Ambari. Knox and Metron must be configured to use the same LDAP.
- Ensure that you have installed the Metron client component on all Knox gateway
hosts.
-
Navigate to Ambari > Hosts > $METRON_HOST.
-
At the bottom of the Components section, in the dropdown
menu next to the clients, select Install clients, then click
Confirm Add.
-
Select Metron Client, then click
Next.
This will install the Metron client.
-
Retrieve the Knox public key by running the following command on the Knox gateway
host:
openssl s_client -connect node1:8443 < /dev/null | openssl x509 | grep -v 'CERTIFICATE' | paste -sd "" -
They Knox public key will be similar to the following:
MIICMjCCAZugAwIBAgIJAPvF9X/Tm9+4MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRUZXN0MQ0wCwYDVQQHEwRUZXN0MQ
8wDQYDVQQKEwZIYWRvb3AxDTALBgNVBAsTBFRlc3QxDjAMBgNVBAMTBW5vZGUxMB4XDTE5MDEwMzIyMDExN1oXDTIwMDEwMzIyMDExN1owWzELMAkGA1UEBh
MCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDEOMAwGA1UEAxMFbm9kZTEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJVkl8kYk2tPNJ9hlO+mSbgTAlkma7LGY4X/LtHqNd7PP161p9Hhty2HRpfZ5rUE2rIdlHpESSoo3Ifg38JrN745/yrw
EGI0A5KhqOnNKw6Hk8mhoyoc8DDBVd3+nsGIJ5263rapOtyPWgxuj2gcd14utMvZOTGkHGkpr/FFRjUDAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAMyL+JHBfBIg2i
AxmkOkH30iEVen1SgNqMoD4zApnA5z+ZVmL6cA72eV0BXjjY0YsxnVcAR4zqWYUDjZCNsAI4TtkXzlSZAhaVKzM+Ru+e+L5Lo22d5U5T5SqZMrubPx1dyyKe
FMJPbG4ZGs5XbK+GAS3LDqBYEm5ZiEZ0E3RUT0=
-
Copy the output of the command and paste it into the Ambari setting at
Metron > Configs > Security > Knox SSO Public Key.
-
Enable Knox, then click Save.
-
Click the Restart menu to restart the Metron client, Metron
REST, Metron Alerts UI, and Metron Management UI.
After REST comes back up, Metron should be enabled for Knox.
When you launch a user interface, Knox searches for a valid
token. If a valid token is not found, Knox redirects to the Knox SSO login form. Once a
valid token is found, Knox redirects to the original url and forwards the request.
Accessing the REST application through Knox also follows this pattern.