Apache Ambari Operations
Also available as:
PDF
loading table of contents...

Set Up HTTPS for AMS

If you want to limit access to AMS to HTTPS connections, you must provide a certificate. While it is possible to use a self-signed certificate for initial trials, it is not suitable for production environments. After your get your certificate, you must run a special setup command.

Steps

  1. Create your own CA certificate.

    openssl req -new -x509 -keyout ca.key -out ca.crt -days 365
  2. Import CA certificate into the truststore.

    # keytool -keystore /<path>/truststore.jks -alias CARoot -import -file ca.crt -storepass bigdata
  3. Check truststore.

    # keytool -keystore /<path>/truststore.jks -list
    Enter keystore password:
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    caroot, Feb 22, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF

    You should see trustedCertEntry for CA.

  4. Generate certificate for AMS Collector and store private key in keystore.

    #  keytool -genkey -alias c6401.ambari.apache.org -keyalg RSA -keysize 1024 -dname "CN=c6401.ambari.apache.org,OU=IT,O=Apache,L=US,ST=US,C=US" -keypass bigdata -keystore /<path>/keystore.jks -storepass bigdata
    [Note]Note

    If you use an alias different than the default hostname (c6401.ambari.apache.org), then, in step 12, set the ssl.client.truststore.alias config to use that alias.

  5. Create certificate request for AMS collector certificate.

    keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -certreq -file c6401.ambari.apache.org.csr -storepass bigdata
  6. Sign the certificate request with the CA certificate.

    openssl x509 -req -CA ca.crt -CAkey ca.key -in c6401.ambari.apache.org.csr -out c6401.ambari.apache.org_signed.crt -days 365 -CAcreateserial -passin pass:bigdata
  7. Import CA certificate into the keystore.

    keytool -keystore /<path>/keystore.jks -alias CARoot -import -file ca.crt -storepass bigdata
  8. Import signed certificate into the keystore.

    keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -import -file c6401.ambari.apache.org_signed.crt -storepass bigdata
  9. Check keystore.

    caroot2, Feb 22, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): 7C:B7:0C:27:8E:0D:31:E7:BE:F8:BE:A1:A4:1E:81:22:FC:E5:37:D7
    [root@c6401 tmp]# keytool -keystore /tmp/keystore.jks -list
    Enter keystore password:
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    caroot, Feb 22, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
    c6401.ambari.apache.org, Feb 22, 2016, PrivateKeyEntry,
    Certificate fingerprint (SHA1): A2:F9:BE:56:7A:7A:8B:4C:5E:A6:63:60:B7:70:50:43:34:14:EE:AF

    You should see PrivateKeyEntry for the ams collector hostname entry and trustedCertEntry for CA.

  10. Copy /<path>/truststore.jks to all nodes to /<path>/truststore.jks and set appropriate access permissions.

  11. Copy /<path>/keystore.jks to AMS collector node ONLY to /<path>/keystore.jks and set appropriate access permissions. Recommended: set owner to ams user and access permnissions to 400.

  12. In Ambari Web, update the following AMS configs, in Advanced:

    • ams-site/timeline.metrics.service.http.policy=HTTPS_ONLY

    • ams-ssl-server/ssl.server.keystore.keypassword=bigdata

    • ams-ssl-server/ssl.server.keystore.location=/<path>/keystore.jks

    • ams-ssl-server/ssl.server.keystore.password=bigdata

    • ams-ssl-server/ssl.server.keystore.type=jks

    • ams-ssl-server/ssl.server.truststore.location=/<path>/truststore.jks

    • ams-ssl-server/ssl.server.truststore.password=bigdata

    • ams-ssl-server/ssl.server.truststore.reload.interval=10000

    • ams-ssl-server/ssl.server.truststore.type=jks

    • ams-ssl-client/ssl.client.truststore.location=/<path>/truststore.jks

    • ams-ssl-client/ssl.client.truststore.password=bigdata

    • ams-ssl-client/ssl.client.truststore.type=jks

  13. In Ambari Web, Add the following AMS config property, using Custom ams-ssl-client → Add Property:

    [metrics_collector_hostname_fqdn].ssl.client.truststore.alias=<Alias used to create certificate for AMS on the host with the specified FQDN. (Default is hostname fqdn)>

  14. Restart services with stale configs.

  15. Configure Ambari server to use truststore.

    # ambari-server setup-security
    Using python  /usr/bin/python
    Security setup options...
    ===========================================================================
    Choose one of the following options:
      [1] Enable HTTPS for Ambari server.
      [2] Encrypt passwords stored in ambari.properties file.
      [3] Setup Ambari kerberos JAAS configuration.
      [4] Setup truststore.
      [5] Import certificate to truststore.
    ===========================================================================
    Enter choice, (1-5): 4
    Do you want to configure a truststore [y/n] (y)?
    TrustStore type [jks/jceks/pkcs12] (jks):jks
    Path to TrustStore file :/<path>/keystore.jks
    Password for TrustStore:
    Re-enter password:
    Ambari Server 'setup-security' completed successfully.
  16. Configure ambari server to use https instead of http in requests to AMS Collector by adding "server.timeline.metrics.https.enabled=true" to ambari.properties file.

    # echo "server.timeline.metrics.https.enabled=true" >> /etc/ambari-server/conf/ambari.properties
  17. Restart ambari server.