Enable HTTPS for Ambari Server

This article explains how to set up HTTPS for Ambari. I use a self-signed certificate for an initial trial setup of Ambari console access over HTTPS. Remember that self-signed certificates are not suitable for production environments.

Note: Make sure that “openssl” is installed on your server.

Step 1: Create the key for the self-signed certificate:

[root@m1 ~]# export wserver=m1.hdp22
[root@m1 ~]# echo $wserver
m1.hdp22
[root@m1 ~]# hostname
m1.hdp22
[root@m1 ~]# openssl genrsa -out $wserver.key 2048
Generating RSA private key, 2048 bit long modulus
……+++
……+++
e is 65537 (0x10001)

Step 2: Use the “req” command, which primarily creates and processes certificate requests in PKCS#10 format. It can also be used to create self-signed certificates, for example for use as root CAs.

[root@m1 ~]# openssl req -new -key $wserver.key -out $wserver.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@m1 ~]#

Step 3: Generate the self-signed certificate “$wserver.crt” from the CSR, signing it with the private key (“-signkey”) and writing it with the “-out” option, as follows:

[root@m1 ~]# openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key

The home directory “/root” should now contain the following files:

[root@m1 ~]# ls -ltrh
total 179M
-rw-r--r-- 1 root root 2.4M May 14 2013 je-5.0.73.jar
-rw-r--r-- 1 root root 1.7K Mar 1 04:34 m1.hdp22.key
-rw-r--r-- 1 root root 952 Mar 1 04:36 m1.hdp22.csr
-rw-r--r-- 1 root root 1.1K Mar 1 04:36 m1.hdp22.crt

Step 4: Configure Ambari Server to use the certificate with the “ambari-server setup-security” command, choosing option 1.

[root@m1 ~]# ambari-server setup-security
Using python /usr/bin/python
Security setup options…
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ? 8080
Enter path to Certificate: /root/m1.hdp22.crt
Enter path to Private Key: /root/m1.hdp22.key
Please enter password for Private Key:
WARNING: There is no Common Name in Certificate
WARNING: Unable to validate Certificate hostname
WARNING: Certificate will be active from: 2017-03-01 09:36:30
WARNING: Unable to validate Certificate issue and expiration dates
Importing and saving Certificate…done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership…
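
The “no Common Name” and hostname warnings above appear because the CSR prompts in Step 2 were left at their defaults, and the listing after Step 3 shows the private key with mode 644. As an added example (not part of the original article), the script below repeats Steps 1 to 3 non-interactively with the hostname as CN and subjectAltName, an owner-only key file and a SHA-256 signature; the function names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and paths are assumptions.
set -eu

# make_selfsigned HOST DIR
# Writes HOST.key, HOST.csr and HOST.crt into DIR without interactive prompts.
make_selfsigned() {
    # umask 077 in a subshell: the private key is created owner-readable only (mode 600)
    ( umask 077; openssl genrsa -out "$2/$1.key" 2048 )
    # -subj answers the Distinguished Name prompts; CN is the server's hostname
    openssl req -new -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr"
    # Browsers match the hostname against subjectAltName, so add it as an extension
    printf 'subjectAltName=DNS:%s\n' "$1" > "$2/$1.ext"
    openssl x509 -req -days 365 -sha256 -in "$2/$1.csr" -signkey "$2/$1.key" \
        -extfile "$2/$1.ext" -out "$2/$1.crt"
}

# cert_cn CRT: print the certificate's Common Name (prints nothing if it has none)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT: succeed only if the certificate carries KEY's public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Constructed run in a scratch directory, using the article's hostname
workdir=$(mktemp -d)
make_selfsigned m1.hdp22 "$workdir"
echo "Common Name: $(cert_cn "$workdir/m1.hdp22.crt")"
key_matches_cert "$workdir/m1.hdp22.key" "$workdir/m1.hdp22.crt" && echo "key matches certificate"
ls -l "$workdir/m1.hdp22.key"
```

Running the two check functions against the files before pointing “ambari-server setup-security” at them catches a blank CN or a mismatched key/certificate pair before the server is restarted.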

Step 5: Restart the Ambari server, then access the Ambari console over HTTPS (https://m1.hdp22:8080 with the port chosen above):

[root@m1 ~]# ambari-server restart
Using python /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources…
Ambari database consistency check started…
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start………………..
Ambari Server ‘start’ completed successfully.

 

Because we are using an untrusted self-signed certificate, the web browser shows a certificate warning. This is expected in this case, so click “Proceed to m1.hdp22 (unsafe)”. After proceeding, the Ambari console is displayed.

If we want SSL communication between Ambari and third-party services such as Ambari Views (for example, Hive View), we may need to configure the truststore in Ambari Server. For example, if Ambari is configured to run on HTTPS and we navigate to the Ambari “Hive View” tab, we may see the following kind of error:

ERROR [qtp-ambari-client-4139] ServiceFormattedException:99 – Can’t get secure connection to https://m1.hdp22:8080/api/v1/clusters/hdp22/hosts?fields=Hosts%2Fpublic_host_name%2Chost_components%2FHostRoles%2Fcomponent_name. Truststore path or password is not set.
15 Jun 2016 05:30:14,862 ERROR [qtp-ambari-client-4139] ServiceFormattedException:100 – java.lang.IllegalStateException: Can’t get secure connection to https://m1.hdp22:8080/api/v1/clusters/hdp22/hosts?fields=Hosts%2Fpublic_host_name%2Chost_components%2FHostRoles%2Fcomponent_name. Truststore path or password is not set.
java.lang.IllegalStateException: Can’t get secure connection to https://m1.hdp22:8080/api/v1/clusters/hdp22/hosts?fields=Hosts%2Fpublic_host_name%2Chost_components%2FHostRoles%2Fcomponent_name. Truststore path or password is not set.
at org.apache.ambari.server.controller.internal.URLStreamProvider.getSSLConnection(URLStreamProvider.java:286)
at org.apache.ambari.server.controller.internal.URLStreamProvider.processURL(URLStreamProvider.java:172)
at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:118)
at org.apache.ambari.server.view.ViewAmbariStreamProvider.readFrom(ViewAmbariStreamProvider.java:78)
at org.apache.ambari.view.utils.ambari.URLStreamProviderBasicAuth.readFrom(URLStreamProviderBasicAuth.java:65)
at org.apache.ambari.view.utils.ambari.AmbariApi.requestClusterAPI(AmbariApi.java:173)
at org.apache.ambari.view.utils.ambari.AmbariApi.requestClusterAPI(AmbariApi.java:142)
at org.apache.ambari.view.utils.ambari.AmbariApi.getHostsWithComponent(AmbariApi.java:99)
at org.apache.ambari.view.hive.client.ConnectionFactory.getHiveHost(ConnectionFactory.java:79)
at org.apache.ambari.view.hive.client.ConnectionFactory.create(ConnectionFactory.java:68)
at org.apache.ambari.view.hive.client.UserLocalConnection.initialValue(UserLocalConnection.java:42)
at org.apache.ambari.view.hive.client.UserLocalConnection.initialValue(UserLocalConnection.java:26)
at org.apache.ambari.view.utils.UserLocal.get(UserLocal.java:66)
at org.apache.ambari.view.hive.resources.browser.HiveBrowserService.databases(HiveBrowserService.java:87)

What is a truststore? In an SSL handshake, the purpose of the trustStore is to verify credentials and the purpose of the keyStore is to provide credentials. A keyStore in Java stores private keys and the certificates corresponding to their public keys, and is required if you are the SSL server or if SSL requires client authentication. Users can use “$JAVA_HOME/bin/keytool” to create keystores and truststores.

To resolve this issue, let's configure the truststore on Ambari Server. The following steps create and configure the truststore for Ambari Server:

Step 1: Use “$JAVA_HOME/bin/keytool” to generate the truststore from the previously created “m1.hdp22.crt” certificate.

[root@m1 ~]# keytool -import -file /root/m1.hdp22.crt -alias ambari-server -keystore ambari-server-truststore
Enter keystore password:
Re-enter new password:
Owner: O=Default Company Ltd, L=Default City, C=XX
Issuer: O=Default Company Ltd, L=Default City, C=XX
Serial number: cf7ce5f91a662930
Valid from: Wed Mar 01 04:36:30 EST 2017 until: Thu Mar 01 04:36:30 EST 2018
Certificate fingerprints:
MD5: 9C:B1:F3:DF:C7:8D:C6:D6:3A:F2:51:10:0A:A4:DC:5C
SHA1: 25:E9:2B:05:66:50:14:B6:F2:20:36:5B:5A:A7:A3:93:2C:3A:E0:15
SHA256: 92:5E:F1:49:93:40:25:89:A2:29:85:44:7B:C2:3D:0D:56:B6:47:FD:0E:66:93:03:6A:33:6F:7D:AA:AF:AC:C9
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
[root@m1 ~]#

Step 2: Configure Ambari Server to use “/root/ambari-server-truststore” with the “ambari-server setup-security” command, choosing option 4, as follows.

NOTE: Users should stop the ambari-server before making any truststore related configuration changes.

[root@m1 ~]# ambari-server stop
Using python /usr/bin/python
Stopping ambari-server
Ambari Server stopped
[root@m1 ~]# ambari-server setup-security
Using python /usr/bin/python
Security setup options…
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/root/ambari-server-truststore
Password for TrustStore:
Re-enter password:
Ambari Server ‘setup-security’ completed successfully.

Step 3: Restart the Ambari Server.

[root@m1 ~]# ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Using python /usr/bin/python
Stopping ambari-server
Ambari Server is not running
Using python /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources…
Ambari database consistency check started…
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start………………..
Ambari Server ‘start’ completed successfully.

Step 4: The Hive View should no longer throw the previously mentioned error, “Truststore path or password is not set”. The “ambari.properties” file should now contain the following entries:

ssl.trustStore.type=jks
ssl.trustStore.path=/root/ambari-server-truststore

 

I hope this article helped you set up an HTTPS connection to Ambari. Feel free to share your suggestions or feedback.

