Configure TLS/SSL encryption manually for Apache Ranger
How to manually configure TLS/SSL encryption for Apache Ranger
- In Cloudera Manager, select Ranger, then click the Configuration tab.
- Under Category, select Security.
- 
                Set the following properties:
                Table 1. Apache Ranger TLS/SSL Settings Configuration Property Description Enable TLS/SSL for Ranger Admin ranger.service.https.attrib.ssl.enabled Select this option to encrypt communication between clients and Ranger Admin using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). Ranger Admin TLS/SSL Server JKS Keystore File Location ranger.https.attrib.keystore.file The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Admin is acting as a TLS/SSL server. The keystore must be in JKS or BCFKS format. Ranger Admin TLS/SSL Server JKS Keystore File Password ranger.service.https.attrib.keystore.pass The password for the Ranger Admin JKS keystore file. Ranger Admin TLS/SSL Client Trust Store File ranger.truststore.file The location on disk of the truststore used to confirm the authenticity of TLS/SSL servers that Ranger Admin might connect to. This is used when Ranger Admin is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of known certificate authorities is used. Ranger Admin TLS/SSL Client Trust Store Password ranger.truststore.password The password for the Ranger Admin TLS/SSL Certificate truststore file. This password is not required to access the truststore; therefore, this field is optional. The contents of truststores are certificates, and certificates are public information. This password provides optional integrity checking of the file. Enable TLS/SSL for Ranger Tagsync Select this option to encrypt communication between clients and Ranger Tagsync using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). Ranger Tagsync TLS/SSL Server JKS Keystore File Location xasecure.policymgr.clientssl.keystore The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Tagsync is acting as a TLS/SSL server. The keystore must be in JKS or BCFKS format. Ranger Tagsync TLS/SSL Server JKS Keystore File Password xasecure.policymgr.clientssl.keystore.password The password for the Ranger Tagsync JKS keystore file. Ranger Tagsync TLS/SSL Trust Store File xasecure.policymgr.clientssl.truststore The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger Tagsync might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. Ranger Tagsync connects to Ranger Admin. If Ranger Admin is SSL enabled, make sure you add a Ranger Admin certificate in the trust store. If this parameter is not provided, the default list of well-known certificate authorities is used instead. Ranger Tagsync TLS/SSL Client Trust Store Password xasecure.policymgr.clientssl.truststore.password The password for the Ranger Tagsync TLS/SSL Certificate truststore file. This password is not mandatory to access the truststore. It is used to check the integrity of the file; this field is optional. The contents of truststores are certificates, and certificates are public information. Ranger Usersync TLS/SSL Client Trust Store File ranger.usersync.truststore.file The location on disk of the truststore, in JKS format, used to confirm the authenticity of TLS/SSL servers that Ranger Usersync might connect to. This is used when Ranger Usersync is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the connected service(s). Ranger Usersync connects to Ranger Admin to sync users into Ranger. If Ranger Admin is SSL enabled, make sure you add a Ranger Admin certificate in the trust store. If this parameter is not provided, the default list of known certificate authorities is used. Ranger Usersync TLS/SSL Client Trust Store Password ranger.usersync.truststore.password The password for the Ranger Usersync TLS/SSL certificate truststore file. This password is not required to access the truststore; this field is optional. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. 
- 
                In Filters > Search > , type
                        ranger.service.https.attrib.keystore.keyalias to set
                    the  Ranger Admin TLS/SSL Keystore File Alias property.
                Table 2. Ranger Admin TLS/SSL Setting Configuration Property Description Ranger Admin TLS/SSL Keystore File Alias ranger.service.https.attrib.keystore.keyalias The alias used for the Ranger Admin TLS/SSL keystore file. If host FQDN is used as an alias while creating a keystore file, the default placeholder value {{RANGER_ADMIN_HOST}} is replaced with the host FQDN where Ranger Admin will be installed in the current cluster. The placeholder can be replaced to have a custom alias used while creating the keystore file. If using a custom alias which is the same as the host short name, use {{RANGER_ADMIN_HOST_UQDN}} placeholder as a value. 
- Click Save Changes.
