For the simplest of evaluation deployments, the initial startup of the Knox Gateway will generate a self-signed cert for use on the same machine as the gateway instance. These certificates are issued for "localhost" and will require specifically disabling hostname verification on client machines other than where the gateway is running.
In order to continue to use self-signed certificates for larger evaluation deployments, a certificate can be generated for a specific hostname. This will allow clients to properly verify the hostname presented in the certificate as the host that they requested in the request URL.
To create a self-signed certificate:
Create a certificate:
$GATEWAY_HOME/bin/knoxcli.sh create-cert --hostname $gateway-hostname
where $gateway-hostname is the FQDN of the Knox Gateway.
Export the certificate in PEM format:
keytool -export -alias gateway-identity -rfc -file $certificate_path -keystore $GATEWAY_HOME/data/security/keystores/gateway.jks
Note: the cURL --cacert option accepts certificates in PEM format only (the -rfc flag above is what makes keytool write PEM rather than DER).
Restart the gateway:
su -l knox -c "$GATEWAY_HOME/bin/gateway.sh stop"
su -l knox -c "$GATEWAY_HOME/bin/gateway.sh start"
After copying the certificate to a client, use the following command to verify:
curl --cacert $certificate_path -u $username:$password https://$gateway-hostname:$gateway_port/gateway/$cluster_name/webhdfs/v1?op=GETHOMEDIRECTORY
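The self-signed procedure above, wrapped as a small POSIX shell script with the two checks that most often go wrong in practice: that the hostname given to create-cert is a real FQDN (not "localhost", which is what breaks hostname verification on other machines) and that the exported file is actually PEM, since that is all cURL's --cacert accepts. This is an added example, not part of the Knox documentation or the Knox project; the variables GATEWAY_HOME, GATEWAY_HOSTNAME, GATEWAY_PORT, CLUSTER_NAME, CERT_PATH, KNOX_USER and KNOX_PASSWORD are assumed to be set by the caller, and the --run argument is a convention of this script only.

```shell
#!/bin/sh
# Added example (not Knox project code). Assumes GATEWAY_HOME, GATEWAY_HOSTNAME,
# GATEWAY_PORT, CLUSTER_NAME, CERT_PATH, KNOX_USER and KNOX_PASSWORD are set by
# the caller; these names are this script's own convention.

# cURL's --cacert accepts PEM only. keytool -export without -rfc writes DER, so
# check the exported file has PEM armour before handing it to clients.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# The certificate is issued for exactly the name given to create-cert, so it
# must be the FQDN clients will type into the URL. Reject "localhost", names
# without a dot, and names with characters that cannot appear in a hostname.
looks_like_fqdn() {
    case "$1" in
        ''|localhost|*[!A-Za-z0-9.-]*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

create_and_export() {
    looks_like_fqdn "$GATEWAY_HOSTNAME" || {
        echo "refusing to issue a certificate for '$GATEWAY_HOSTNAME': not an FQDN" >&2
        return 1
    }
    "$GATEWAY_HOME/bin/knoxcli.sh" create-cert --hostname "$GATEWAY_HOSTNAME"
    keytool -export -alias gateway-identity -rfc -file "$CERT_PATH" \
        -keystore "$GATEWAY_HOME/data/security/keystores/gateway.jks"
    is_pem_cert "$CERT_PATH" || {
        echo "exported file $CERT_PATH is not PEM; re-run keytool with -rfc" >&2
        return 1
    }
}

restart_gateway() {
    su -l knox -c "$GATEWAY_HOME/bin/gateway.sh stop"
    su -l knox -c "$GATEWAY_HOME/bin/gateway.sh start"
}

# Client-side check: --cacert pins trust to the exported certificate while curl
# still verifies that the hostname in the URL matches the certificate, so this
# fails (rather than silently succeeding) if the wrong name was used above.
verify_from_client() {
    curl --fail --silent --show-error --cacert "$CERT_PATH" \
        -u "$KNOX_USER:$KNOX_PASSWORD" \
        "https://$GATEWAY_HOSTNAME:$GATEWAY_PORT/gateway/$CLUSTER_NAME/webhdfs/v1?op=GETHOMEDIRECTORY"
}

# Only perform the procedure when explicitly asked, so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = "--run" ]; then
    create_and_export && restart_gateway && verify_from_client
fi
```

Run it on the gateway host as `sh knox-selfsigned.sh --run` after exporting the variables; the verification step is the same cURL call as above, with --fail added so a 401 or a TLS failure gives a non-zero exit status that a wrapper can act on.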
For production deployments, or any deployment that needs a certificate issued by a certificate authority, the following steps are required.
Import the desired certificate/key pair into a java keystore using keytool and ensure the following:
The certificate alias is gateway-identity.
The store password matches the master secret created earlier.
Note the key password used, since the next step creates an alias for it.
Add a password alias for the key password:
$GATEWAY_HOME/bin/knoxcli.sh create-alias gateway-identity-passphrase --value $actualpassphrase
Note: the password alias must be "gateway-identity-passphrase".
In order for clients to trust the certificates presented to them by the gateway, they will need to be present in the client's truststore as follows:
Export the gateway-identity cert from $GATEWAY_HOME/data/security/keystores/gateway.jks using java keytool or another key management tool.
Add the exported certificate to the cacerts or other client-specific truststore, or
the gateway.jks file can be copied to the clients to be used as the truststore.
Note: if taking this approach, be sure to change the password of the copy so that it no longer matches the master secret used to protect server-side artifacts.