Configure Knox SSO for EFM
Learn how to configure Knox SSO for the EFM Server.
- You have installed Knox on your CDP cluster.
- You have installed and secured the EFM Server.
- Obtain the Knox public certificate in PEM format.

      openssl s_client -servername NAME -connect HOST:PORT </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knox_server_cert_in_pem_file_format.pem

- Save the certificate on the EFM Server and ensure the file is readable by the user running the EFM process.
- Update the EFM configuration file with the following properties:

      # User Authentication Properties
      # authentication via TLS mutual auth with client certificates
      efm.security.user.certificate.enabled=true
      # authentication via Knox SSO token passed in a cookie header
      efm.security.user.knox.enabled=true
      efm.security.user.knox.url=https://knox.mycompany.com:8443/gateway/knoxsso/api/v1/websso
      efm.security.user.knox.publicKey=/path/to/knox-server-keystores/knox_server_cert_in_pem_file_format.pem
      efm.security.user.knox.cookieName=hadoop-jwt
      #efm.security.user.knox.audiences=
      # authentication via generic reverse proxy with user passed in a header
      efm.security.user.proxy.enabled=false
      efm.security.user.proxy.headerName=x-webauth-user
      #efm.security.user.proxy.ipWhitelist=
      #efm.security.user.proxy.dnWhitelist[0]=

- In Cloudera Manager, update the Knox topology for the Knox SSO service to add
  the EFM hostname (or EFM load balancer hostname when clustered) to the
  authorized redirect URLs. For example:

      <service>
        <role>KNOXSSO</role>
        ...
        <param>
          <name>knoxsso.redirect.whitelist.regex</name>
          <value>^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
      </service>

- Restart EFM and Knox.
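
To check a `knoxsso.redirect.whitelist.regex` value before restarting Knox, the following added example (not part of the original documentation) runs the pattern from the topology example above against constructed redirect URLs and compares each match with the host the URL actually parses to. `TIGHT_REGEX`, port 10090, the paths and the sample hostnames other than `efm.hostname.com` are assumptions for illustration, and Python's `re` stands in for the Java regex engine.

```python
import re
from urllib.parse import urlsplit

# Value of knoxsso.redirect.whitelist.regex from the topology example above.
PAGE_REGEX = r"^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
# Assumption: same hosts, but the tail must be a numeric port, then nothing or a path.
TIGHT_REGEX = r"^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9]+(\/.*)?$"
# Hosts the pattern is meant to admit (the bracket-less IPv6 forms are left out).
INTENDED_HOSTS = {"efm.hostname.com", "localhost", "127.0.0.1"}

# Constructed redirect targets; port 10090 and the paths are placeholders.
SAMPLES = [
    "https://efm.hostname.com:10090/efm/ui",      # EFM with an explicit port
    "https://efm.hostname.com/efm/ui",            # same host, no explicit port
    "https://efm-lb.hostname.com:10090/efm/ui",   # load balancer never added to the regex
    "https://efm.hostname.com:1@other.example/",  # text before '@' is userinfo, not the host
]

def audit(pattern, url):
    """Return (accepted, host_ok) for one candidate redirect URL."""
    accepted = re.fullmatch(pattern, url) is not None
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    return accepted, host in INTENDED_HOSTS

def report(pattern, urls=SAMPLES):
    """Map each URL to 'ok', 'blocked' (intended host, rejected), 'rejected' or 'LOOSE'."""
    out = {}
    for url in urls:
        accepted, host_ok = audit(pattern, url)
        if accepted:
            out[url] = "ok" if host_ok else "LOOSE"
        else:
            out[url] = "blocked" if host_ok else "rejected"
    return out

if __name__ == "__main__":
    for name, pattern in (("page", PAGE_REGEX), ("tight", TIGHT_REGEX)):
        for url, verdict in report(pattern).items():
            print(f"{name:5} {verdict:8} {url}")
```

A `blocked` verdict means the redirect back to EFM would be refused (here because the URL carries no explicit port), and `LOOSE` means the pattern accepted a URL whose parsed host is not one of the intended hosts.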