Configuring SSL for the Ambari Server

This page provides step-by-step instructions for setting up SSL on the Ambari Server, covering both self-signed certificates and using existing Java KeyStore (JKS) files. Additionally, it includes verification steps to ensure your configuration is successful.

Setting Up SSL with a Self-Signed Certificate

Log in to the Ambari Server host.
1. Use SSH or another remote access method to connect to the server where Ambari is installed.
2. Ensure that you have the necessary permissions to execute commands on this server.
Generate the Self-Signed Certificate: Run the following commands in the terminal.

Bash
    
​x
 
# Generate a private keyopenssl genrsa -out ambari_server.key 2048​# Create a certificate signing request (CSR)openssl req -new -key ambari_server.key -out ambari_server.csr​# Generate the self-signed certificateopenssl x509 -req -days 365 -in ambari_server.csr -signkey ambari_server.key -out ambari_server.crt
Copy

Explanation of files:

ambari_server.key: The private key for your server.
ambari_server.csr: The Certificate Signing Request file.
ambari_server.crt: The generated self-signed certificate.

Ensure the Certificate is in the PEM Format: If you encounter a DER-encoded certificate, convert it using the following steps.

Bash
    
 
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
Copy

Replace cert.crt with your DER-encoded certificate file name.

Configure Ambari to Use the Certificate.
1. Run the SSL setup command: ambari-server setup-security
2. During the setup, perform the following steps.
  1. Select 1 to enable HTTPS for the Ambari Server.
  2. Respond with y when asked if you want to configure HTTPS.
  3. Choose your desired port for SSL (default is 8443).
  4. Provide the full paths to your certificate and private key:
    - Path to your certificate: ambari_server.crt
    - Path to your private key: ambari_server.key
  5. Enter the password for the private key when prompted.
Restart the Ambari Server: After completing the setup, restart the Ambari Server with the following command.

Setting Up SSL Using your Own Java KeyStore (JKS) File

If you already have an existing JKS file containing your SSL certificate and private key, follow these steps:

Log in to the Ambari Server host: Before this step, log in to the server where Ambari is installed.
Import your JKS File: You can directly configure Ambari to use your existing JKS file without generating a self-signed certificate.
Extract the Certificates from JKS (if needed): If you need to extract the certificate and private key from your JKS file, follow the below steps.
1. Export the Certificate: Use the following command to export the certificate from your JKS file.

Bash
    
 
keytool -exportcert -alias your_cert_alias -keystore /path/to/your_keystore.jks -file extracted_certificate.crt
Copy

Replace your_cert_alias with the alias of your certificate in the JKS file.
Replace /path/to/your_keystore.jks with the actual path to your JKS file.
Specify an output file for the extracted certificate as extracted_certificate.crt.

b. Extract the Private Key: To extract the private key from your JKS file, you first need to convert the JKS to PKCS12 format, then extract the private key.

Convert the JKS to PKCS12 format:

Bash
    
keytool -importkeystore -srckeystore /path/to/your_keystore.jks -destkeystore /path/to/output_keystore.p12 -deststoretype PKCS12
Copy

Then, use OpenSSL to extract the private key:

Bash
    
 
openssl pkcs12 -in /path/to/output_keystore.p12 -nocerts -nodes -out extracted_private.key
Copy

Replace /path/to/output_keystore.p12 with the path where you want to save the PKCS12 file and specify an output file for the private key as extracted_private.key.

Run the SSL Setup Command: Execute the following SSL setup command.

Bash
    
 
ambari-server setup-security
Copy

During the setup, perform the following steps:

Select 1 to enable HTTPS for the Ambari Server.
Respond with y when asked if you want to configure HTTPS.
Choose your desired port for SSL (default is 8443).
Provide the full paths to your certificate and private key:
- Path to your certificate: ambari_server.crt
- Path to your private key: ambari_server.key
Enter the password for the private key when prompted.

Restart the Ambari Server: After completing the configuration, restart the Ambari Server with the following command.

Bash
    
 
ambari-server restart
Copy

Truststore Setup for the Ambari Server

Before making these changes, ensure that the Ambari Server is not running. You can either perform this setup before starting Ambari for the first time or stop the server if it is currently running.

On the Ambari Server, create a new keystore that holds the HTTPS certificate for the Ambari Server using the following command.

Bash
    
keytool -import -file <path_to_your_ssl_certificate_file> -alias ambari-server-cert -keystore ambari-server-truststore.jks
Copy

When prompted with "Trust this certificate?", type "yes" to proceed. Next, configure the Ambari Server to utilize this new truststore by executing the following command.

Bash
    
 
ambari-server setup-security
Copy

You can see the following output indicating the security setup options.

Bash
    
 
Using python  /usr/bin/python2.6Security setup options...===========================================================================Choose one of the following options:   [1] Enable HTTPS for Ambari server.  [2] Encrypt passwords stored in ambari.properties file.  [3] Setup Ambari kerberos JAAS configuration.  [4] Setup truststore.  [5] Import certificate to truststore.===========================================================================Enter choice, (1-5): *4*
Copy

When prompted to configure a truststore, enter y for the question "Do you want to configure a truststore?"

For the truststore type, you can choose between jks, jceks, or pkcs12. The default is jks.

Bash
    
 
TrustStore type [jks/jceks/pkcs12] (jks): *jks*
Copy

Next, provide the path to your truststore file.

Bash
    
 
Path to TrustStore file : *<path to the ambari-server-truststore>*
Copy

You also need to set a password for the truststore and confirm it.

Bash
    
 
Password for TrustStore:Re-enter password:
Copy

After completing these steps, you must see a message indicating that the Ambari Server's security setup has been successfully completed:

Bash
    
 
Ambari Server 'setup-security' completed successfully.
Copy

To apply these changes, restart the Ambari Server with the following command.

Bash
    
 
ambari-server restart
Copy

Setting Up Two-Way SSL Between Ambari Server and Ambari Agents

The Two-way SSL enables encrypted communication between the Ambari Server and its Agents. By default, Two-way SSL is disabled in Ambari. To activate it, follow the below steps.

Ensure that the Ambari Server is not running during this process. You can either apply these changes before starting the Ambari Server for the first time or stop the server if it is currently running.

On the Ambari Server host, open the file /etc/ambari-server/conf/ambari.properties using a text editor.

Add the following line to the configuration file.

Bash
    
 
security.server.twoway ssl = true
Copy

Start or restart the Ambari Server by executing the following command.

Bash
    
 
ambari-server restart
Copy

The Agent certificates will be automatically downloaded during the registration of the Agents.

Set Up Two-Way SSL for Ambari Server Using Custom CA-Signed Certificates

Prerequisites

Ensure that you have the correct passwords for the keystore and related files.
You need the Private Key of the Certificate Authority (CA) to sign the agent certificates.
The password for the keystore_password.txt file will be in clear-text format; currently, there is no method to encrypt it.

Configuring Two-Way SSL Use CA-Signed Certificates

Back up Existing Certificates: Back up and remove all certificates and request files starting with the hostname in the directory /var/lib/ambari-server/keys.

Bash
    
 
tar -cvzf ambari_keys_backup.tar.gz /var/lib/ambari-server/keys/*
Copy

Clear the Existing Index Files: Empty the existing index file located at /var/lib/ambari-server/keys/db/index.txt.

Bash
    
 
mv /var/lib/ambari-server/keys/db/index.txt /tmp
Copy

Remove the Existing Certificates: Delete any existing certificates located in /var/lib/ambari-server/keys/db/newcerts/.

Bash
    
 
mv /var/lib/ambari-server/keys/db/newcerts/* /tmp
Copy

Copy the CA-Signed Certificate Artifacts: Place your CA-signed certificate and key files (e.g., my_ca_certificate.crt, my_server_key.key) in to the directory /var/lib/ambari-server/keys/.
Create a PKCS12 Keystore: Generate a PKCS12 keystore file from your certificate and key files.

Bash
    
openssl pkcs12 -export -in my_ca_certificate.crt -inkey /var/lib/ambari-server/keys/my_server_key.key -certfile my_ca_certificate.crt -out ambari_keystore.p12 -password pass:securepassword123 -passin pass:securepassword123
Copy

Create a Password File for the Keystore: Create a text file containing the keystore password in the /var/lib/ambari-server/keys directory.

Bash
    
 
echo securepassword123 > keystore_password.txt
Copy

Configure Ambari to Use New Certificates and Keystore: Open the file /etc/ambari-server/conf/ambari.properties with a text editor and add the following properties.

Bash
    
 
security.server.cert_name=my_ca_certificate.crtsecurity.server.key_name=my_server_key.keysecurity.server.keystore_name=ambari_keystore.p12security.server.truststore_name=ambari_keystore.p12security.server.crt_pass_file=keystore_password.txtsecurity.server.two_way_ssl=true
Copy

Cleanup the Existing Ambari Agent Keys: To ensure a clean configuration, remove all files from the /var/lib/ambari-agent/keys/ directory on each node where the Ambari agent is installed.

Bash
    
 
rm -rf /var/lib/ambari-agent/keys/*
Copy

Restart the Ambari Server: After configuring the properties, restart the Ambari Server for the changes to take effect.

Bash
    
 
ambari-server restart
Copy

Verify the Two-Way SSL Configuration: To confirm that Two-Way SSL is operational, check the Ambari server logs for any errors and ensure that the Ambari Agents can securely communicate with the Ambari Server.

Recreating the Ambari SSL Certificate Authority

The step to recreate the Ambari SSL certificate authority is optional.

The Ambari Certificate Authority (CA) plays a crucial role in issuing digital certificates that facilitate secure communication between the Ambari Server and its Agents. Each Ambari CA certificate remains valid for 365 days. In situations where the CA certificate becomes corrupted or has expired, it is necessary to recreate the CA, which generates a new CA certificate as well as new SSL certificates for each Ambari agent. This procedure assumes that the certificates signed by the Ambari CA can be replaced, which is generally applicable for certificates used in two-way SSL connections with Ambari agents.

Steps:

Stop the Ambari Server: To initiate the process, stop the Ambari server by executing the following command.

Bash
    
 
ambari-server stop
Copy

Back up the Existing Keys: Create a backup of the existing keys and their associated directories.

Bash
    
 
cp -r /var/lib/ambari-server/keys /path/to/backup/directory
Copy

Remove Old CA Files: Delete the following files from the /var/lib/ambari-server/keys directory.

Bash
    
 
rm -f /var/lib/ambari-server/keys/ca.keyrm -f /var/lib/ambari-server/keys/ca.csrrm -f /var/lib/ambari-server/keys/ca.crtrm -f /var/lib/ambari-server/keys/pass.txtrm -f /var/lib/ambari-server/keys/keystore.p12rm -f /var/lib/ambari-server/keys/*.csrrm -f /var/lib/ambari-server/keys/*.crt
Copy

Delete Database Files: Remove the following files from the /var/lib/ambari-server/keys/db directory.

Bash
    
 
rm -f /var/lib/ambari-server/keys/db/index.txt.oldrm -f /var/lib/ambari-server/keys/db/index.txt.attr.oldrm -f /var/lib/ambari-server/keys/db/serial.old
Copy

Truncate Index Files: Clear the contents of the following index files.

Bash
    
 
> /var/lib/ambari-server/keys/db/index.txt> /var/lib/ambari-server/keys/db/index.txt.attr
Copy

Modify Serial File: Edit the serial file located in /var/lib/ambari-server/keys/db and set its content as below.

In serial, set the contents to be exactly:

Bash
    
 
00
Copy

Delete New Certificate Files: Remove all files from the following directory rm -f /var/lib/ambari-server/keys/db/newcerts/*.
Restart the Ambari Server using the following command.

Bash
    
 
ambari-server restart
Copy

On each Ambari agent host:
1. Stop the Ambari Agent: Stop the Ambari agent using the command: ambari-agent stop.
2. Back up Agent Keys: Create a backup of the agent's keys and associated directories: cp -r /var/lib/ambari-agent/keys /path/to/backup/directory.
3. Remove the Agent Certificate Files: Delete the following files from the /var/lib/ambari-agent/keys directory.

Bash
    
 
rm -f /var/lib/ambari-agent/keys/ca.crtrm -f /var/lib/ambari-agent/keys/*.crtrm -f /var/lib/ambari-agent/keys/*.csrrm -f /var/lib/ambari-agent/keys/*.key
Copy

d. Restart the Ambari Agent: Finally, restart the Ambari agent by executing the following command.

Bash
    
 
ambari-agent restart
Copy

Last updated on Oct 1, 2024

Was this page helpful?