Configure TLS/SSL for Apache Ranger
How to configure TLS/SSL for Apache Ranger
- In Cloudera Manager, select Ranger, then click the Configuration tab.
- Under Category, select Security.
-
Set the following properties.
Table 1. Apache Ranger TLS/SSL Settings Configuration Property Description Enable TLS/SSL for Ranger Admin
ranger.service.https.attrib.ssl.enabled
Select this check box to encrypt communication between clients and Ranger Admin using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). Ranger Admin TLS/SSL Server JKS Keystore File Location
ranger.https.attrib.keystore.file
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Admin is acting as a TLS/SSL server. The keystore must be in JKS format. Ranger Admin TLS/SSL Server JKS Keystore File Password
ranger.service.https.attrib.keystore.pass
The password for the Ranger Admin JKS keystore file. Ranger Admin TLS/SSL Client Trust Store File
ranger.truststore.file
The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger Admin might connect to. This is used when Ranger Admin is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of well known certificate authorities is used. Ranger Admin TLS/SSL Client Trust Store Password
ranger.truststore.password
The password for the Ranger Admin TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. Enable TLS/SSL for Ranger Tagsync
Select this check box to encrypt communication between clients and Ranger Tagsync using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). Ranger Tagsync TLS/SSL Server JKS Keystore File Location
xasecure.policymgr.clientssl.keystore
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Tagsync is acting as a TLS/SSL server. The keystore must be in JKS format. Ranger Tagsync TLS/SSL Server JKS Keystore File Password
xasecure.policymgr.clientssl.keystore.password
The password for the Ranger Tagsync JKS keystore file. Ranger Tagsync TLS/SSL Client Trust Store Password
xasecure.policymgr.clientssl.truststore.password
The password for the Ranger Tagsync TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. Ranger Usersync TLS/SSL Client Trust Store File
ranger.usersync.truststore.file
The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger Usersync might connect to. This is used when Ranger Usersync is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of well known certificate authorities is used. Ranger Usersync TLS/SSL Client Trust Store Password
ranger.usersync.truststore.password
The password for the Ranger Usersync TLS/SSL certificate trust store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. - Click Save Changes.
-
In order for services to communicate successfully with Ranger, you must set the
following properties in each service that has Ranger authorization enabled to
ensure that the Ranger Admin certificate is imported into the trust store.
- TLS/SSL Client Trust Store File
- TLS/SSL Client Trust Store Password
For example, for HDFS select HDFS > Configuration in Cloudera Manager, then search for "HDFS NameNode TLS/SSL Client Trust Store", or use the Security Category to find and set the following properties:
- HDFS NameNode TLS/SSL Client Trust Store File
- HDFS NameNode TLS/SSL Client Trust Store Password
- Click Save Changes.