Set up self-signed certificates
You can enable SSL for the DAS Engine using a self-signed certificate. Self-signed certificates are primarily used in test environments. For a production environment, you should use a certificate from a trusted CA.
- Log in as root user on the cluster with DAS Engine installed.
Generate a key pair and keystore for use with DAS Engine.
keytool -genkey -alias jetty -keystore <certificate_file_path> -storepass <keystore_password> -dname 'CN=das.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA, C=US' -keypass <key_password>NoteIgnore the following warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore <keystore_file_path> -destkeystore <keystore_file_path> -deststoretype pkcs12".Follow the prompts and enter the required information.
- CN must be the FQDN of the DAS Engine host.
- Default value for the key password is password.
If you change the password, then you have to update the DAS configuration.
keytool -genkey -alias jetty -keystore ~/tmp/ks -storepass password What is your first and last name? [Unknown]: das.host.com What is the name of your organizational unit? [Unknown]: Eng What is the name of your organization? [Unknown]: ABC Corp What is the name of your City or Locality? [Unknown]: Santa Clara What is the name of your State or Province? [Unknown]: CA What is the two-letter country code for this unit? [Unknown]: US Is CN=das.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA, C=US correct? [no]: yes Enter key password for <jetty> (RETURN if same as keystore password):NoteYou will have to use this keystore file while configuring the DAS Engine for TLS in Ambari.
Export the certificate.
keytool -exportcert -alias jetty -keystore /my/file.keystore -file <certificate file path> -storepass <keystore_password> -rfc