Configure TLS/SSL encryption manually for Ranger KMS
How to manually configure TLS/SSL encryption for Ranger KMS
- In Cloudera Manager, select Ranger KMS, then click the Configuration tab.
- Under Category, select Security.
-
Set the following properties:
Table 1. Ranger KMS TLS/SSL Settings Configuration Property Description Enable TLS/SSL for Ranger KMS Server
ranger.service.https.attrib.ssl.enabled
Encrypt communication between clients and Ranger KMS Server using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).
Ranger KMS Server TLS/SSL Server JKS Keystore File Location
ranger.service.https.attrib.keystore.file
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Ranger KMS Server is acting as a TLS/SSL server. The keystore must be in JKS format.
Ranger KMS Server TLS/SSL Server JKS Keystore File Password
ranger.service.https.attrib.keystore.pass
The password for the Ranger KMS Server JKS keystore file.
Ranger KMS Server TLS/SSL Trust Store File
xasecure.policymgr.clientssl.truststore
The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Ranger KMS Server might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to.
The Ranger KMS plugin inside the Ranger KMS Server connects to Ranger Admin to download the authorization policies. If Ranger Admin is SSL enabled, make sure you add a Ranger Admin certificate in the trust store.
If this parameter is not provided, the default list of well-known certificate authorities is used instead.
Ranger KMS Server TLS/SSL Trust Store Password
xasecure.policymgr.clientssl.truststore.password
The password for the Ranger KMS Server TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
-
In Filters > Search > , type
ranger.service.https.attrib.keystore.keyalias to set
the Ranger KMS Server TLS/SSL Keystore File Alias property.
Table 2. Ranger KMS Server TLS/SSL Keystore Alias Property Settings Configuration Property Description Ranger KMS Server TLS/SSL Keystore File Alias
ranger.service.https.attrib.keystore.keyalias
The alias for the Ranger KMS Server TLS/SSL keystore file.
If host FQDN is used as an alias while creating a keystore file, the {{HOST}} default placeholder value will be replaced with the host FQDN where Ranger KMS Server will be installed in the current cluster.
The placeholder can be replaced to have a custom alias used while creating the keystore file.
If using a custom alias which is the same as host short name then use {{HOST_UQDN}} placeholder as a value.
- Click Save Changes.