Configure Knox SSO for EFM

Learn how to configure Knox SSO for the EFM Server.

  • You have installed Knox on your CDP cluster.
  • You have installed and secured the EFM Server.
  1. Obtain the public certificate presented by the Knox gateway in PEM format. Replace NAME with the Knox host name (sent as the TLS SNI name) and HOST:PORT with the Knox gateway address, typically the host and port of the knoxsso URL configured in step 3. The `< /dev/null` stops s_client from waiting on stdin after the handshake. Because s_client does not verify the server, confirm the certificate fingerprint with the Knox administrator before trusting the file.
    openssl s_client \
      -servername NAME \
      -connect HOST:PORT < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > \
      knox_server_cert_in_pem_file_format.pem
  2. Save the certificate on the EFM Server and ensure the file is readable by the user running the EFM process.
  3. Update the EFM configuration file with the following properties:
    
    # User Authentication Properties
    # authentication via TLS mutual auth with client certificates
    efm.security.user.certificate.enabled=true
    # authentication via Knox SSO token passed in a cookie header
    efm.security.user.knox.enabled=true
    efm.security.user.knox.url=https://knox.mycompany.com:8443/gateway/knoxsso/api/v1/websso
    efm.security.user.knox.publicKey=/path/to/knox-server-keystores/knox_server_cert_in_pem_file_format.pem
    efm.security.user.knox.cookieName=hadoop-jwt
    #efm.security.user.knox.audiences=
    # authentication via generic reverse proxy with user passed in a header
    efm.security.user.proxy.enabled=false
    efm.security.user.proxy.headerName=x-webauth-user
    #efm.security.user.proxy.ipWhitelist=
    #efm.security.user.proxy.dnWhitelist[0]=
  4. In Cloudera Manager, update the Knox topology for the Knox SSO service so that the EFM hostname (or the EFM load balancer hostname when EFM is clustered) is admitted by the redirect whitelist regex. Note that the example pattern below requires a port number immediately after the host name, so either include the port in the EFM URL or adjust the pattern. For example:
    <service>
      <role>KNOXSSO</role>
      ...
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
    </service>
  5. Restart EFM and Knox.
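The following Python script is an added example and is not part of the Cloudera EFM or Knox documentation. It packages the checks a practitioner would run while following the steps above: fetching the Knox leaf certificate (step 1), sanity-checking the PEM file before EFM reads it (step 2), testing candidate EFM URLs against the `knoxsso.redirect.whitelist.regex` value from step 4, and inspecting the `hadoop-jwt` cookie when a login loop occurs. It assumes the whitelist is evaluated as an anchored regular expression as written in the topology and that the cookie is a standard three-part JWT; the sample token and the minimal DER body are constructed test inputs, not real Knox artefacts. Only `fetch_knox_cert()` touches the network.

```python
"""Helper checks for wiring Knox SSO to EFM (added example, not vendor code)."""
import base64
import json
import os
import re
import ssl
import time

# The whitelist value from the Knox SSO topology example above.
KNOXSSO_WHITELIST = (r"^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1"
                     r"|0:0:0:0:0:0:0:1|::1):[0-9].*$")

# Constructed test input: DER for SEQUENCE { INTEGER 1 }, wrapped as PEM.
# Structurally a certificate body, but NOT a real certificate.
MINIMAL_DER_PEM = ("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"
                   "-----END CERTIFICATE-----\n")


def fetch_knox_cert(host: str, port: int = 8443) -> str:
    """Step 1 equivalent: fetch the Knox gateway's leaf certificate as PEM.

    The host name is used for SNI (openssl's -servername). Like the s_client
    one-liner this does not verify the peer, so check the fingerprint out of
    band before copying the file to the EFM Server.
    """
    return ssl.get_server_certificate((host, port))


def check_pem_cert(pem_text: str) -> list:
    """Step 2 helper: return a list of problems with the PEM text (empty = ok).

    Catches copy/paste failures (no block, several concatenated certificates,
    corrupt base64, non-DER body). It does not check chain or expiry.
    """
    problems = []
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
        pem_text, re.S)
    if not blocks:
        return ["no CERTIFICATE block found"]
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} certificates found; EFM expects one")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return problems + ["certificate body is not valid base64"]
    if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
        problems.append("decoded body is not a DER SEQUENCE")
    return problems


def pem_file_readable(path: str) -> bool:
    """Step 2: run this as the EFM process user to confirm it can read the file."""
    return os.path.isfile(path) and os.access(path, os.R_OK)


def redirect_allowed(regex: str, url: str) -> bool:
    """Step 4: would knoxsso.redirect.whitelist.regex admit this originalUrl?"""
    return re.match(regex, url) is not None


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Decode the hadoop-jwt cookie WITHOUT verifying its signature.

    Only for inspecting iss/aud/exp while debugging; EFM performs the real
    verification against efm.security.user.knox.publicKey.
    """
    header, payload, _signature = token.split(".")
    return {"header": json.loads(_b64url_decode(header)),
            "claims": json.loads(_b64url_decode(payload))}


def token_problems(token: str, expected_aud=None, now=None) -> list:
    """Explain why EFM might reject a cookie: expired, or wrong audience
    (relevant when efm.security.user.knox.audiences is set)."""
    now = time.time() if now is None else now
    claims = decode_jwt_unverified(token)["claims"]
    problems = []
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token expired")
    if expected_aud is not None:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if expected_aud not in auds:
            problems.append(f"aud {aud!r} does not contain {expected_aud!r}")
    return problems


def build_demo_token(claims: dict) -> str:
    """Constructed test input: a JWT with a dummy (unsigned) signature part."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims),
                     enc({"sig": "dummy"})])


if __name__ == "__main__":
    for url in ("https://efm.hostname.com:10090/efm/ui",
                "https://efm.hostname.com/efm/ui",
                "https://efm.hostname.com.attacker.net:443/"):
        print(f"{url:50} allowed={redirect_allowed(KNOXSSO_WHITELIST, url)}")
```

Run it as the EFM process user on the EFM Server; the whitelist check is the one that usually explains a Knox SSO login loop, because the example regex rejects an EFM URL that omits the port.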