Cloudera Docs

Configure TLS/SSL encryption manually for Apache Ranger

How to manually configure TLS/SSL encryption for Apache Ranger

Use this procedure when you want to manage your TLS/SSL certificates manually.
  1. In Cloudera Manager, select Ranger, then click the Configuration tab.
  2. Under Category, select Security.
  3. Set the following properties:
    Table 1. Apache Ranger TLS/SSL Settings
    Configuration Property Description

    Enable TLS/SSL for Ranger Admin

    ranger.service.https.attrib.ssl.enabled

    		 Select this option to encrypt communication between clients and Ranger Admin using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).

    Ranger Admin TLS/SSL Server JKS Keystore File Location

    ranger.https.attrib.keystore.file

    		 The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Admin is acting as a TLS/SSL server. The keystore must be in JKS or BCFKS format.

    Ranger Admin TLS/SSL Server JKS Keystore File Password

    ranger.service.https.attrib.keystore.pass

    		 The password for the Ranger Admin JKS keystore file.

    Ranger Admin TLS/SSL Client Trust Store File

    ranger.truststore.file

    		 The location on disk of the truststore used to confirm the authenticity of TLS/SSL servers that Ranger Admin might connect to. This is used when Ranger Admin is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of known certificate authorities is used.

    Ranger Admin TLS/SSL Client Trust Store Password

    ranger.truststore.password

    		 The password for the Ranger Admin TLS/SSL Certificate truststore file. This password is not required to access the truststore; therefore, this field is optional. The contents of truststores are certificates, and certificates are public information. This password provides optional integrity checking of the file.

    Enable TLS/SSL for Ranger Tagsync

    		 Select this option to encrypt communication between clients and Ranger Tagsync using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).

    Ranger Tagsync TLS/SSL Server JKS Keystore File Location

    xasecure.policymgr.clientssl.keystore

    		 The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger Tagsync is acting as a TLS/SSL server. The keystore must be in JKS or BCFKS format.

    Ranger Tagsync TLS/SSL Server JKS Keystore File Password

    xasecure.policymgr.clientssl.keystore.password

    		 The password for the Ranger Tagsync JKS keystore file.

    Ranger Tagsync TLS/SSL Trust Store File

    xasecure.policymgr.clientssl.truststore

    The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger Tagsync might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to.

    Ranger Tagsync connects to Ranger Admin. If Ranger Admin is SSL enabled, make sure you add a Ranger Admin certificate in the trust store.

    If this parameter is not provided, the default list of well-known certificate authorities is used instead.

    Ranger Tagsync TLS/SSL Client Trust Store Password

    xasecure.policymgr.clientssl.truststore.password

    		 The password for the Ranger Tagsync TLS/SSL Certificate truststore file. This password is not mandatory to access the truststore. It is used to check the integrity of the file; this field is optional. The contents of truststores are certificates, and certificates are public information.

    Ranger Usersync TLS/SSL Client Trust Store File

    ranger.usersync.truststore.file

    The location on disk of the truststore, in JKS format, used to confirm the authenticity of TLS/SSL servers that Ranger Usersync might connect to. This is used when Ranger Usersync is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the connected service(s).

    Ranger Usersync connects to Ranger Admin to sync users into Ranger. If Ranger Admin is SSL enabled, make sure you add a Ranger Admin certificate in the trust store.

    If this parameter is not provided, the default list of known certificate authorities is used.

    Ranger Usersync TLS/SSL Client Trust Store Password

    ranger.usersync.truststore.password

    		 The password for the Ranger Usersync TLS/SSL certificate truststore file. This password is not required to access the truststore; this field is optional. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
  4. In Filters > Search > , type ranger.service.https.attrib.keystore.keyalias to set the Ranger Admin TLS/SSL Keystore File Alias property.
    Table 2. Ranger Admin TLS/SSL Setting
    Configuration Property Description

    Ranger Admin TLS/SSL Keystore File Alias

    ranger.service.https.attrib.keystore.keyalias

    The alias used for the Ranger Admin TLS/SSL keystore file.

    If host FQDN is used as an alias while creating a keystore file, the default placeholder value {{RANGER_ADMIN_HOST}} is replaced with the host FQDN where Ranger Admin will be installed in the current cluster.

    The placeholder can be replaced to have a custom alias used while creating the keystore file.

    If using a custom alias which is the same as the host short name, use {{RANGER_ADMIN_HOST_UQDN}} placeholder as a value.
  5. Click Save Changes.