Configuring Knox SSO

Learn about the properties that you need to set for configuring Knox SSO.

Edge Flow Manager (EFM) supports Knox SSO for end user authentication with the following limitations:
  • Knox cannot be used as a gateway that forwards requests to EFM.
  • Knox must be accessible using the same hostname as EFM (a different port is fine). Otherwise, the authentication token issued by Knox, which is stored in a browser cookie, cannot be passed to EFM and EFM authentication fails with a Credentials not present error. This means the following:
    • For EFM clusters, Knox must be accessible through the same load balancer or reverse proxy used to access EFM nodes.
    • For individual, non-clustered EFM instances, Knox must run on the same host as EFM on a different port.
Before you begin, ensure that the following prerequisites are met:
  • You have installed Knox.
  • You have installed and secured the EFM server to use TLS. For more information on enabling TLS in EFM, see TLS configuration for EFM.
  1. Obtain the Knox SSO token signing certificate in PEM format.
    This is sometimes the same as the public certificate used for TLS by Knox, and can therefore be obtained using OpenSSL against the Knox host:
    openssl s_client -servername HOSTNAME -connect HOST:PORT </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knox_server_cert_in_pem_file_format.pem

    Sometimes, however, a different signing keypair is configured specifically for Knox SSO signing and must be obtained from that server configuration. Once you have the Knox SSO token signing certificate, save the certificate on the EFM server and ensure that the file is readable by the user running the EFM process.

  2. Update the EFM configuration file with the following properties:
    efm.security.user.knox.enabled=true
    efm.security.user.knox.url=https://knox.mycompany.com:8443/gateway/knoxsso/api/v1/websso
    efm.security.user.knox.publicKey=path/to/knox_server_cert_in_pem_file_format.pem
    efm.security.user.knox.cookieName=hadoop-jwt
    efm.security.user.knox.audiences=
  3. In the Cloudera Manager instance that manages Knox, update the Knox topology for the Knox SSO service to add the EFM hostname (or the EFM load balancer hostname when clustered) to the authorized redirect URLs.
    For example:
    <service>
      <role>KNOXSSO</role>
      ...
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|::1):[0-9].*$</value>
      </param>
    </service>
  4. Restart EFM and Knox.
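
A pre-flight check for the values set in steps 2 and 3, as an added example that is not part of the original documentation or of Cloudera's tooling: it confirms that Knox and EFM share a hostname (the limitation described above), that both URLs use HTTPS, and that the EFM URL is accepted by the redirect whitelist. The function names, the EFM port and the EFM path are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the property values and whitelist regex shown on this page.
SAMPLE_PROPS = """\
efm.security.user.knox.enabled=true
efm.security.user.knox.url=https://knox.mycompany.com:8443/gateway/knoxsso/api/v1/websso
efm.security.user.knox.publicKey=path/to/knox_server_cert_in_pem_file_format.pem
efm.security.user.knox.cookieName=hadoop-jwt
efm.security.user.knox.audiences=
"""
SAMPLE_WHITELIST = r"^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|::1):[0-9].*$"
PREFIX = "efm.security.user.knox."

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def preflight(props_text, efm_url, whitelist_regex):
    """Return a list of problems found; an empty list means every check passed."""
    props = parse_props(props_text)
    knox, efm = urlsplit(props.get(PREFIX + "url", "")), urlsplit(efm_url)
    problems = []
    if props.get(PREFIX + "enabled", "").lower() != "true":
        problems.append("knox.enabled is not true")
    if knox.scheme != "https" or efm.scheme != "https":
        problems.append("Knox and EFM URLs must both use https")
    # urlsplit lowercases hostnames, so this comparison is case-insensitive.
    if not knox.hostname or knox.hostname != efm.hostname:
        problems.append(f"hostname mismatch (Knox={knox.hostname}, EFM={efm.hostname}): "
                        "the browser will not send the Knox cookie to EFM")
    for key in ("publicKey", "cookieName"):
        if not props.get(PREFIX + key):
            problems.append(f"knox.{key} is empty")
    # Assumption: the pattern uses only syntax that Python and Java regex share.
    if not re.match(whitelist_regex, efm_url):
        problems.append("EFM URL is not matched by knoxsso.redirect.whitelist.regex")
    return problems

if __name__ == "__main__":
    # Constructed EFM URL; the port and path are placeholders.
    for problem in preflight(SAMPLE_PROPS, "https://efm.hostname.com:10090/efm/ui/", SAMPLE_WHITELIST):
        print("FAIL:", problem)
```

Run against the sample values exactly as they appear on this page, the check reports a hostname mismatch, because the example Knox URL and the example whitelist entry use different placeholder hostnames.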