DLM Installation and Upgrade

Configure the keystore for use by DLM Engine and Knox Proxy

When DLM Engine acquires the SSO token from Knox Proxy, it establishes a two-way SSL connection. The DLM Engine certificate (self-signed for a test setup, or issued by a Certificate Authority) must therefore be imported into the Knox Proxy truststore, and the Knox Proxy certificate (self-signed for a test setup, or issued by a Certificate Authority) must be imported into the DLM Engine truststore. To use Atlas, the Atlas certificates must be copied to the Knox truststore.

The Knox instance referred to above is the one on the remote cluster that DLM Engine needs to communicate with. The location of the truststore can be configured in both DLM Engine and Knox Proxy. Perform the following steps to export and import the SSL certificates.

  1. To export the SSL certificate of DLM Engine, run the following on the DLM Engine host:
    $JAVA_HOME/bin/keytool -exportcert -alias jetty -keystore <beacon_keystore_file_path> -file <beacon_cert.pem> -rfc
  2. Copy the SSL certificate file <beacon_cert.pem> to the Knox Proxy host.
  3. Import the SSL certificate file into the truststore on the Knox Proxy host. On the Knox Proxy host, run:
    $JAVA_HOME/bin/keytool -import -alias jetty -keystore <path_to_knox_truststore_file> -file <beacon_cert.pem>
  4. To export the SSL certificate of Knox Proxy, run the following on the Knox Proxy host:
    $JAVA_HOME/bin/keytool -exportcert -alias gateway-identity -rfc -file <knox_gw_cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
  5. Copy the SSL certificate file <knox_gw_cert.pem> to the DLM Engine host.
  6. Import the SSL certificate file into the truststore on the DLM Engine host. On the DLM Engine host, run:
    $JAVA_HOME/bin/keytool -import -alias gateway-identity -keystore <path_to_beacon_truststore_file> -file <knox_gw_cert.pem>
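
Steps 2 and 5 copy a certificate between hosts just before it becomes trusted, so it is worth confirming that the file that arrived is the one that was exported. The following script is an added example, not part of the original documentation: the function names `pem_sha256` and `verify_copied_cert` are hypothetical, and the sample file is constructed placeholder data rather than a real certificate.

```shell
#!/bin/sh
# Added example: confirm a copied certificate is the one that was exported,
# before keytool -import makes it trusted. Assumes one certificate per file.

# SHA-256 fingerprint of the certificate in PEM file $1, printed as
# colon-separated uppercase hex, the style keytool -printcert displays.
pem_sha256() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
           | grep -v -- '-----' | tr -d '\r\n ')   # drop markers, CRLF, spaces
    [ -n "$body" ] || { echo "no certificate found in $1" >&2; return 1; }
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# verify_copied_cert <pem_file> <fingerprint recorded on the exporting host>
verify_copied_cert() {
    actual=$(pem_sha256 "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the exported certificate"
    else
        echo "MISMATCH: $1 is $actual" >&2
        return 1
    fi
}

# Constructed sample: placeholder bytes in PEM armor, not a real certificate.
demo_dir=$(mktemp -d)
cat > "$demo_dir/exported.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVz
-----END CERTIFICATE-----
EOF
recorded=$(pem_sha256 "$demo_dir/exported.pem")       # taken on the source host
cp "$demo_dir/exported.pem" "$demo_dir/copied.pem"    # stands in for the host-to-host copy
sed 's/Y29u/Y29v/' "$demo_dir/exported.pem" > "$demo_dir/altered.pem"

verify_copied_cert "$demo_dir/copied.pem" "$recorded"            # prints OK
verify_copied_cert "$demo_dir/altered.pem" "$recorded" || true   # prints MISMATCH
```

On a real host, the same value can be cross-checked against the SHA256 line printed by `$JAVA_HOME/bin/keytool -printcert -file <beacon_cert.pem>` before running the import in step 3 or step 6.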