Configuring Oozie to use SSL (HTTPS)
The default HTTPS configuration will cause all Oozie URLs to use HTTPS (except for the JobTracker callback URLs, but this is okay because Oozie doesn't inherently trust the callbacks anyway; they are used as hints). This is to simplify configuration (no changes are needed outside of Oozie).
To use a Self-Signed Certificate
There are many ways to create a self-signed certificate; this is just one way. We will be using the keytool program, which is included with your JRE. If it's not on your path, you should be able to find it in $JAVA_HOME/bin.
- Run the following command to create a keystore file:
sudo -u oozie keytool -genkey -alias tomcat -keyalg RSA
The keystore file will be named .keystore and located in the oozie user's home directory.
- You will now be asked a series of questions in an interactive prompt. Below is a sample of what this looks like, along with some responses:
$ sudo -u oozie keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]: oozie.server.hostname
What is the name of your organizational unit?
  [Unknown]: Engineering
What is the name of your organization?
  [Unknown]: A Great Company
What is the name of your City or Locality?
  [Unknown]: Anywhere
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=oozie.server.hostname, OU=Engineering, O=A Great Company, L=Anywhere, ST=CA, C=US correct?
  [no]: yes
Enter key password for <tomcat>
  (RETURN if same as keystore password):
Important: The password you enter for "keystore password" and "key password for <tomcat>" must be the same. Treat "password" as a placeholder: the keystore protects the server's private key, so choose a real password. If you use a password other than "password", you will need to make an additional change later when configuring the Oozie Server.
Important: The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the Oozie Server will be running.
- Run the following command to export a certificate file from the keystore file:
sudo -u oozie keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert
To use a Certificate from a Certificate Authority
- A Certificate Authority signs a certificate for a key pair you already hold, so first create the keystore and key pair with the keytool -genkey command shown above (the CN must again be the Oozie Server's hostname), then generate a certificate signing request from that keystore with keytool's -certreq option.
- Submit the request to a Certificate Authority in order to obtain a proper Certificate; please consult a Certificate Authority on this procedure.
- Once you have your .cert file, run the following command to import it into the keystore under the same alias as the key pair (if the CA's root and intermediate certificates are not already trusted by the JRE, import them first under their own aliases, or keytool cannot verify the chain):
sudo -u oozie keytool -import -alias tomcat -file path/to/certificate.cert
The keystore file will be named .keystore and located in the oozie user's home directory.
Configure the Oozie Server to use SSL (HTTPS)
- Stop Oozie by running
sudo /sbin/service oozie stop
- To enable SSL, select the HTTPS Tomcat configuration for the MapReduce version that the Oozie server should work with, using the alternatives command. Note: The alternatives command is only available on RHEL systems. For SLES, Ubuntu and Debian systems, the command is update-alternatives.
For RHEL systems, to use YARN with SSL:
alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https
For RHEL systems, to use MapReduce (MRv1) with SSL:
alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https.mr1
Important: The OOZIE_HTTPS_KEYSTORE_PASS variable must be the same as the password used when creating the keystore file. If you used a password other than password, you'll have to change the value of the OOZIE_HTTPS_KEYSTORE_PASS variable in the file where it is set. That file then holds the keystore password in clear text, so it should be readable only by the oozie user (and root).
- Start Oozie by running
sudo /sbin/service oozie start
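A post-restart check for the server configuration just described, added here as an example (it is not part of the Cloudera page or of Oozie): it connects to the HTTPS port with openssl s_client and confirms that the certificate the server presents carries the Oozie hostname as its CN, which is what a Java client's hostname check will require. OOZIE_HOST, OOZIE_HTTPS_PORT and the `check` argument are assumptions of this script; 11443 is the port the page gives.

```shell
#!/bin/sh
# Added example, not from the Cloudera page: verify that the Oozie server now
# answers TLS on its HTTPS port with a certificate for the Oozie hostname.
# OOZIE_HOST, OOZIE_HTTPS_PORT and the "check" argument are assumptions.
set -eu

OOZIE_HOST="${OOZIE_HOST:-oozie.server.hostname}"
OOZIE_HTTPS_PORT="${OOZIE_HTTPS_PORT:-11443}"

# Extract the CN from an `openssl x509 -subject` line. Both output styles are
# handled: "subject=CN = host, OU = ..." (OpenSSL 1.1 and later) and
# "subject= /C=US/ST=CA/.../CN=host" (older releases).
subject_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Fetch the subject of the certificate the server presents. -servername sends
# SNI, which matters if the Tomcat connector ever serves more than one certificate.
server_subject() {
  openssl s_client -connect "$OOZIE_HOST:$OOZIE_HTTPS_PORT" \
    -servername "$OOZIE_HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Return 0 only if the live certificate's CN equals OOZIE_HOST. A port that
# answers but presents the wrong name still fails every Java client handshake.
check_oozie_tls() {
  subj=$(server_subject) || {
    echo "no TLS handshake on $OOZIE_HOST:$OOZIE_HTTPS_PORT" >&2
    return 1
  }
  cn=$(subject_cn "$subj")
  if [ "$cn" != "$OOZIE_HOST" ]; then
    echo "certificate CN '$cn' does not match '$OOZIE_HOST'" >&2
    return 1
  fi
  echo "OK: $OOZIE_HOST:$OOZIE_HTTPS_PORT presents a certificate for CN=$cn"
}

# Only talk to the network when asked, so the functions can also be sourced.
if [ "${1:-}" = check ]; then
  check_oozie_tls
fi
```

Run it from a client machine as `OOZIE_HOST=oozie.server.hostname sh check-oozie-tls.sh check`. A non-zero exit with "no TLS handshake" means the HTTPS Tomcat configuration was not selected or Oozie did not start; a CN mismatch means the keystore was generated with the wrong answer to "What is your first and last name?".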
Configure the Oozie Client to connect using SSL (HTTPS)
The following steps must be done on every machine where you intend to use the Oozie Client. This is not necessary if you only want to use the Web UI from a browser.
The first two steps (copying and importing the certificate) are only necessary if you used a Self-Signed Certificate; the last step applies whichever kind of certificate you used.
- Copy or download the .cert file onto the client machine
- Run the following command to import the certificate into the JRE's keystore. This will allow any Java program, including the Oozie client, to connect to the Oozie Server using your certificate.
sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}
Where ${JRE_cacerts} is the path to the JRE's certs file. Its location may differ depending on the Operating System, but it is typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts, though it may be under a different directory in ${JAVA_HOME} (you may want to create a backup copy of this file first). The default password is changeit. Note that a certificate imported into cacerts is trusted by every Java program on the machine, and a JRE upgrade may replace the file; if that is not what you want, import the certificate into a separate truststore instead and point the client at it with the javax.net.ssl.trustStore system property.
- When using the Oozie Client, you will need to use https://oozie.server.hostname:11443/oozie instead of http://oozie.server.hostname:11000/oozie – Java will not automatically redirect from the http address to the https address.
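The self-signed keystore procedure (create the key pair, export the certificate) and the client procedure (trust that certificate) above, as one non-interactive script. This is an added example, not part of the Cloudera page or of Oozie; the file locations, the OOZIE_HOST override, the `oozie` alias used in the client truststore and the `server|client` arguments are assumptions made here. It departs from the interactive steps on purpose in three places: the keystore password is generated randomly and read by keytool's own `-storepass:file` option instead of being typed or left as "password"; a subjectAltName is added alongside the CN, since current Java and browser validation look for the hostname there; and on the client the certificate goes into a dedicated truststore rather than the JRE's cacerts.

```shell
#!/bin/sh
# Added example (not from the Cloudera page or from Oozie): the self-signed
# keystore steps and the client trust step, run non-interactively.
# Assumptions: the file locations below, the OOZIE_HOST override, the "oozie"
# truststore alias and the server|client arguments are all made up here.
set -eu

ALIAS=tomcat                                                # alias Oozie's Tomcat looks for
KEYSTORE="${KEYSTORE:-${HOME:-.}/.keystore}"                # same default path keytool uses
PASS_FILE="${PASS_FILE:-${HOME:-.}/.keystore.pass}"         # hypothetical: keystore password, mode 0600
CERT_OUT="${CERT_OUT:-${HOME:-.}/oozie.cert}"               # exported certificate to copy to clients
TRUSTSTORE="${TRUSTSTORE:-${HOME:-.}/oozie-truststore.jks}" # client truststore, instead of editing cacerts
TRUST_PASS=changeit                                         # truststore holds only public certs; not a secret

# Hostname the certificate must carry (the page's "first and last name" answer).
oozie_host() { printf '%s\n' "${OOZIE_HOST:-$(hostname -f 2>/dev/null || hostname)}"; }

# Same distinguished name the interactive session on the page produces.
dname_for_host() {
  printf 'CN=%s, OU=Engineering, O=A Great Company, L=Anywhere, ST=CA, C=US\n' "$1"
}

# Create a random keystore password once, readable only by this user. keytool
# reads it via -storepass:file, so it never appears on a command line or in ps.
ensure_password() {
  if [ ! -s "$PASS_FILE" ]; then
    ( umask 077; od -An -tx1 -N 16 /dev/urandom | tr -d ' \n' > "$PASS_FILE" )
  fi
}

# Page step 1: generate the key pair. Key and keystore passwords are identical
# (as the page requires), the CN is the Oozie hostname, and the same name goes
# into the subjectAltName because modern clients check SAN, not only CN.
create_keystore() {
  host=$(oozie_host)
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "$(dname_for_host "$host")" -ext "SAN=dns:$host" \
    -keystore "$KEYSTORE" -storepass:file "$PASS_FILE" -keypass:file "$PASS_FILE"
  chmod 600 "$KEYSTORE"   # the keystore holds the private key
}

# Page step 3: export the certificate (PEM) for distribution to clients.
export_cert() {
  keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
    -storepass:file "$PASS_FILE" -file "$CERT_OUT"
}

# CN of the exported certificate, taken from keytool's "Owner: CN=..., OU=..." line.
cert_cn() {
  keytool -printcert -file "$CERT_OUT" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p'
}

cn_matches_host() { [ "$1" = "$2" ]; }

# Refuse a certificate whose CN is not the Oozie hostname: the server would
# start, but every client handshake would then fail hostname verification.
verify_cert_cn() {
  cn=$(cert_cn)
  if ! cn_matches_host "$cn" "$(oozie_host)"; then
    echo "certificate CN '$cn' does not match host '$(oozie_host)'" >&2
    return 1
  fi
}

# Client side: import the server certificate into a dedicated truststore so
# only programs pointed at it trust the certificate, and a JRE upgrade cannot
# silently discard it the way replacing cacerts would.
import_to_truststore() {
  keytool -importcert -noprompt -alias oozie -file "$CERT_OUT" \
    -keystore "$TRUSTSTORE" -storepass "$TRUST_PASS"
}

main() {
  case "$1" in
    server) ensure_password; create_keystore; export_cert; verify_cert_cn ;;
    client) import_to_truststore ;;
    *) echo "usage: $0 server|client" >&2 ;;   # no-op, so the functions can be sourced
  esac
}
main "${1:-}"
```

On the server run it as the oozie user (`sudo -u oozie sh oozie-ssl.sh server`), then copy the value in PASS_FILE into OOZIE_HTTPS_KEYSTORE_PASS. On each client, after copying the .cert file, run `sh oozie-ssl.sh client` and point the Oozie CLI at the truststore through the JVM options the client launcher passes on, for example `OOZIE_CLIENT_OPTS="-Djavax.net.ssl.trustStore=$HOME/oozie-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit" oozie jobs -oozie https://oozie.server.hostname:11443/oozie` (the stock bin/oozie script passes OOZIE_CLIENT_OPTS to the JVM).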
Connect to the Oozie Web UI using SSL (HTTPS)
Use https://oozie.server.hostname:11443/oozie, though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie.
If using a Self-Signed Certificate, your browser will warn you that it cannot verify the certificate. You will have to add the certificate as an exception, or import it into the browser's or operating system's trust store.