Generate and configure a signing keystore for Knox in HA

When Knox is installed on more than one instance (that is, when Knox is running in HA), the signing keystore settings must be configured in Cloudera Manager so that every instance signs with the same key.

  1. Generate your own certificate and keystore file (see Manually Configuring TLS Encryption for Cloudera Manager), then copy the keystore file to /var/lib/knox/gateway/data/security/keystores/ on each Knox instance.
  2. Set the following values:
    • gateway_signing_keystore_name: the filename of the keystore file that contains the signing keypair.
    • gateway_signing_keystore_type: the type of the keystore file where the signing keypair is stored. In non-FIPS environments, this should be PKCS12.
    • gateway_signing_key_alias: the alias for the signing keypair within the keystore.
  3. Optional: If you do not want the master secret to be used as the keystore password, you can set an alias for the password of the keystore file that holds the signing keypair.
    1. Go to Saving Aliases and follow the instructions.
    2. From Cloudera Manager > Knox > Configuration > Knox Service (or Gateway) Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml_service_safety_valve, set gateway.signing.keystore.password.alias to the alias previously defined.
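A worked version of the steps above, as an added example that is not Cloudera's or Knox's own code: it generates a self-signed PKCS12 signing keypair with keytool, checks that the alias really holds a private key entry (a certificate-only entry cannot sign tokens), and prints the values to enter in Cloudera Manager plus the safety-valve XML for step 3. The keystore name knox-signing.p12, the alias knox-signing, the password alias knox-signing-pw and the KNOX_SIGNING_PW environment variable are assumptions; the keystore directory is the one named on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cloudera page. Assumed names: keystore
# knox-signing.p12, alias knox-signing, password alias knox-signing-pw.
set -euo pipefail

KNOX_KEYSTORE_DIR=/var/lib/knox/gateway/data/security/keystores
KEYSTORE_NAME=knox-signing.p12
KEY_ALIAS=knox-signing

# Generate a self-signed RSA signing keypair into a PKCS12 keystore. The
# password is read from $KNOX_SIGNING_PW via -storepass:env so it never
# appears on the command line (shell history, ps). For PKCS12 the key
# password equals the store password, so no -keypass is given.
generate_signing_keystore() {
  local out="$1"
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
    -validity 730 -dname "CN=knox-signing" \
    -keystore "$out" -storetype PKCS12 -storepass:env KNOX_SIGNING_PW
}

# Read `keytool -list` output on stdin and succeed only if the alias is a
# PrivateKeyEntry (a keypair), not a trustedCertEntry (certificate only).
alias_is_private_key() {
  local alias="$1"
  grep -qE "^${alias}, .*PrivateKeyEntry" 
}

# The three Cloudera Manager values from step 2, one per line.
cm_settings() {
  printf 'gateway_signing_keystore_name=%s\n' "$KEYSTORE_NAME"
  printf 'gateway_signing_keystore_type=%s\n' PKCS12
  printf 'gateway_signing_key_alias=%s\n' "$KEY_ALIAS"
}

# Safety-valve entry for conf/gateway-site.xml when a password alias is
# used instead of the master secret (step 3).
password_alias_safety_valve() {
  printf '<property><name>gateway.signing.keystore.password.alias</name><value>%s</value></property>\n' "$1"
}

# Usage on each Knox host (the same keystore file must exist on all of them):
#   KNOX_SIGNING_PW='...' bash this.sh run
if [ "${1:-}" = run ]; then
  ks="$KNOX_KEYSTORE_DIR/$KEYSTORE_NAME"
  generate_signing_keystore "$ks"
  keytool -list -keystore "$ks" -storetype PKCS12 -storepass:env KNOX_SIGNING_PW \
    | alias_is_private_key "$KEY_ALIAS"
  cm_settings
  password_alias_safety_valve knox-signing-pw
fi
```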