Configuration of Knox SSO
Learn about the properties that you need to set for configuring Knox SSO.
Edge Flow Manager (EFM) supports Knox SSO for end user authentication with the following limitations:
- Knox cannot be used as a gateway that forwards requests to EFM.
- Knox must be accessible using the same hostname as EFM (a different port is fine). Otherwise, the authentication token issued by Knox, which is stored in a browser cookie scoped to the Knox hostname, is not sent to EFM and EFM authentication fails with a "Credentials not present" error. This means the following:
- For EFM clusters, Knox must be accessible through the same load balancer or reverse proxy used to access EFM nodes.
- For individual, non-clustered EFM instances, Knox must run on the same host as EFM on a different port.
Before you begin, make sure that:
- You have installed Knox.
- You have installed and secured the EFM server to use TLS. For more information on enabling TLS in EFM, see TLS configuration for EFM.
Obtain the Knox SSO token signing certificate in PEM format.
This is sometimes the same as the public certificate used for TLS by Knox, and can therefore be obtained using OpenSSL against the Knox host (the input redirection makes s_client exit once the handshake completes instead of waiting on stdin):
openssl s_client -servername HOSTNAME -connect HOST:PORT </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knox_server_cert_in_pem_file_format.pem
Sometimes, however, a different signing key pair is configured specifically for Knox SSO signing (the gateway.signing.keystore.name and gateway.signing.key.alias settings in Knox's gateway-site.xml) and must be obtained from that server configuration; in that case the TLS certificate obtained above will not verify Knox SSO tokens and EFM rejects every login. Once you have the Knox SSO token signing certificate, save it on the EFM server and ensure that the file is readable by the user running the EFM process and writable by nobody else: this certificate is the trust anchor EFM uses to accept tokens, so anyone who can replace it can mint tokens that EFM trusts.
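To confirm that the PEM file you saved is the Knox SSO signer and not merely the Knox TLS certificate, verify the signature of a token against it before touching the EFM configuration. The following shell script is an added example, not part of the Cloudera documentation or of the Knox or EFM projects. It uses only openssl. Because it has to run offline, it stands in for Knox with a throwaway self-signed key pair and a hand-built RS256 JWT (both constructed here; the claim layout sub/iss/exp is an assumption about what Knox puts in the token, and the host names are placeholders). Against a real deployment, pass the hadoop-jwt cookie value from a browser session that logged in through Knox, together with the saved PEM path, to verify_jwt.

```shell
#!/bin/sh
# Added example, not part of the Cloudera EFM documentation or of Knox/EFM.
# Checks that a PEM certificate really is the Knox SSO token signer by
# verifying the RS256 signature of a hadoop-jwt cookie value against it,
# using only openssl. The "Knox" side below is a constructed stand-in:
# a self-signed key pair and a hand-built JWT, so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# base64url-encode stdin without padding, as JWS compact serialization requires
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# base64url-decode $1 to stdout, restoring the padding openssl expects
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# verify_jwt TOKEN CERT.pem: exit 0 only if TOKEN's RS256 signature verifies
# under the public key in CERT.pem (the file you will name in
# efm.security.user.knox.publicKey). Expiry is checked separately below.
verify_jwt() {
  tok=$1; cert=$2
  hdr=${tok%%.*}; rest=${tok#*.}; pl=${rest%%.*}; sig=${rest#*.}
  [ "$tok" != "$rest" ] && [ "$rest" != "$sig" ] || return 1   # need header.payload.signature
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
  b64url_dec "$sig" > "$WORK/sig.bin"
  printf '%s.%s' "$hdr" "$pl" |
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# jwt_expired TOKEN: exit 0 if the exp claim (seconds since epoch) is in the past
jwt_expired() {
  rest=${1#*.}; pl=${rest%%.*}
  exp=$(b64url_dec "$pl" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -le "$(date +%s)" ]
}

# --- constructed fixture standing in for Knox (assumption: Knox issues RS256
# tokens carrying sub/iss/exp claims; keys and certificates here are throwaway) ---
make_selfsigned() {   # make_selfsigned NAME CN -> $WORK/NAME.key and $WORK/NAME.pem
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}
mint_jwt() {          # mint_jwt NAME SUBJECT EXP -> compact JWT signed with $WORK/NAME.key
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '{"sub":"%s","iss":"KNOXSSO","exp":%s}' "$2" "$3" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$WORK/$1.key" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

make_selfsigned sso knox-sso-signing       # the key pair that actually signs tokens
make_selfsigned tls knox.mycompany.com     # a different TLS certificate, the case the docs warn about
TOKEN=$(mint_jwt sso alice "$(( $(date +%s) + 3600 ))")

if verify_jwt "$TOKEN" "$WORK/sso.pem"; then echo "signing cert: signature OK"; fi
if ! verify_jwt "$TOKEN" "$WORK/tls.pem"; then echo "TLS cert: signature FAILS, wrong publicKey"; fi
if ! jwt_expired "$TOKEN"; then echo "token not expired"; fi
```

verify_jwt only proves that the PEM holds the signing key; EFM additionally checks expiry and, when efm.security.user.knox.audiences is set, the audience claim, so a token that passes here can still be rejected for those reasons. A failure against the certificate you pulled from the TLS endpoint is the signal that Knox uses a separate signing key pair and that you need the certificate from the Knox signing keystore instead.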
Update the EFM configuration file with the following properties:
efm.security.user.knox.enabled=true
efm.security.user.knox.url=https://knox.mycompany.com:8443/gateway/knoxsso/api/v1/websso
efm.security.user.knox.publicKey=path/to/knox_server_cert_in_pem_file_format.pem
efm.security.user.knox.cookieName=hadoop-jwt
efm.security.user.knox.audiences=
In the Cloudera Manager instance that manages Knox, update the Knox topology for the Knox SSO service to add the EFM hostname (or the EFM load balancer hostname when clustered) to the authorized redirect URLs. This regex is what stops Knox SSO from redirecting an authenticated user (and their originalUrl) to an arbitrary site, so keep it as tight as possible: list only the hostnames users actually use to reach EFM, and drop the localhost and loopback entries in production unless you need them. Note also that the pattern below requires an explicit port after the hostname; if users reach EFM without a port in the URL, adjust the pattern so the port is optional.
<service>
    <role>KNOXSSO</role>
    ...
    <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|::1):[0-9].*$</value>
    </param>
</service>
- Restart EFM and Knox.