Generate and configure a signing keystore for Knox in HA
When Knox is installed on more than one instance (i.e., when Knox is running in HA), the signing keystore configuration must be set in Cloudera Manager.
- Generate your own certificate and keystore file, and then copy it to /var/lib/knox/gateway/data/security/keystores/.
- Set the following values:
  - gateway_signing_keystore_name: the filename of the keystore file that contains the signing keypair.
  - gateway_signing_keystore_type: the type of the keystore file where the signing keypair is stored. In non-FIPS environments, this should be PKCS12.
  - gateway_signing_key_alias: the alias for the signing keypair within the keystore.
- Optional: If you do not want the master secret to be used, you can set an alias for the password to the keystore file that holds the signing keypair.
  - Go to Saving Aliases and follow the instructions.
  - From Cloudera Manager > Knox > Configuration > Knox Service (or Gateway) Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml_service_safety_valve, configure gateway.signing.keystore.password.alias to the alias previously defined.
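One way to carry out the keystore generation step with the JDK `keytool`, shown as an added example rather than Cloudera's own procedure. The filename `knox-signing.p12`, the alias `knox-signing-key`, the subject DN, the key size and the validity period are assumptions; only the keystore directory comes from this page.

```shell
#!/bin/sh
# Added example: generate and check a PKCS12 signing keystore for Knox.
# Filename, alias, DN, key size and validity are assumptions, not page values.
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/var/lib/knox/gateway/data/security/keystores}"  # from the page
KEYSTORE_NAME="${KEYSTORE_NAME:-knox-signing.p12}"  # value for gateway_signing_keystore_name
KEY_ALIAS="${KEY_ALIAS:-knox-signing-key}"          # value for gateway_signing_key_alias

# Create a PKCS12 keystore holding one RSA signing keypair.
# The password is read from the exported STOREPASS variable (keytool's
# -storepass:env modifier) so it does not show up in the process list.
generate_signing_keystore() {
  gen_out="$1"
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=knox-signing" -validity 365 \
    -keystore "$gen_out" -storetype PKCS12 -storepass:env STOREPASS
  chmod 600 "$gen_out"   # the file holds a private key: owner access only
}

# Succeeds only if KEY_ALIAS exists in the keystore and is a private-key
# entry, i.e. the alias entered in Cloudera Manager will resolve to a keypair.
verify_signing_keystore() {
  keytool -list -keystore "$1" -storetype PKCS12 \
    -storepass:env STOREPASS -alias "$KEY_ALIAS" | grep -q 'PrivateKeyEntry'
}

# Run as "script.sh --install" after exporting STOREPASS (6+ characters).
if [ "${1:-}" = "--install" ]; then
  : "${STOREPASS:?export STOREPASS before running}"
  generate_signing_keystore "$KEYSTORE_DIR/$KEYSTORE_NAME"
  verify_signing_keystore "$KEYSTORE_DIR/$KEYSTORE_NAME"
  # Values to enter in Cloudera Manager:
  echo "gateway_signing_keystore_name=$KEYSTORE_NAME"
  echo "gateway_signing_keystore_type=PKCS12"
  echo "gateway_signing_key_alias=$KEY_ALIAS"
fi
```

After copying the file into place, make sure the account that runs the Knox gateway can read it; running `verify_signing_keystore` against the copied file confirms that the alias and password still match.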