Configure TLS/SSL for Apache Ranger

How to configure TLS/SSL for Apache Ranger

  1. In Cloudera Manager, select Ranger, then click the Configuration tab.
  2. Under Category, select Security.
  3. Set the following properties.
    Table 1. Apache Ranger TLS/SSL Settings
    Configuration Property Description

    Enable TLS/SSL for Ranger Admin

    ranger.service.https.attrib.ssl.enabled

    Select this check box to encrypt communication between clients and Ranger Admin using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).

    Ranger Admin TLS/SSL Server JKS Keystore File Location

    ranger.https.attrib.keystore.file

    The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Admin is acting as a TLS/SSL server. The keystore must be in JKS format.

    Ranger Admin TLS/SSL Server JKS Keystore File Password

    ranger.service.https.attrib.keystore.pass

    The password for the Ranger Admin JKS keystore file.

    Ranger Admin TLS/SSL Client Trust Store File

    ranger.truststore.file

    The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger Admin might connect to. This is used when Ranger Admin is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of well known certificate authorities is used.

    Ranger Admin TLS/SSL Client Trust Store Password

    ranger.truststore.password

    The password for the Ranger Admin TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.

    Enable TLS/SSL for Ranger Tagsync

    Select this check box to encrypt communication between clients and Ranger Tagsync using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).

    Ranger Tagsync TLS/SSL Server JKS Keystore File Location

    xasecure.policymgr.clientssl.keystore

    The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Tagsync is acting as a TLS/SSL server. The keystore must be in JKS format.

    Ranger Tagsync TLS/SSL Server JKS Keystore File Password

    xasecure.policymgr.clientssl.keystore.password

    The password for the Ranger Tagsync JKS keystore file.

    Ranger Tagsync TLS/SSL Client Trust Store Password

    xasecure.policymgr.clientssl.truststore.password

    The password for the Ranger Tagsync TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.

    Ranger Usersync TLS/SSL Client Trust Store File

    ranger.usersync.truststore.file

    The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger Usersync might connect to. This is used when Ranger Usersync is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of well known certificate authorities is used.

    Ranger Usersync TLS/SSL Client Trust Store Password

    ranger.usersync.truststore.password

    The password for the Ranger Usersync TLS/SSL certificate trust store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
  4. Click Save Changes.
  5. In order for services to communicate successfully with Ranger, you must set the following properties in each service that has Ranger authorization enabled to ensure that the Ranger Admin certificate is imported into the trust store.
    • TLS/SSL Client Trust Store File
    • TLS/SSL Client Trust Store Password

    For example, for HDFS select HDFS > Configuration in Cloudera Manager, then search for "HDFS NameNode TLS/SSL Client Trust Store", or use the Security Category to find and set the following properties:

    • HDFS NameNode TLS/SSL Client Trust Store File
    • HDFS NameNode TLS/SSL Client Trust Store Password
  6. Click Save Changes.