Installing and Setting Up Knox SSO

Setting Up Knox SSO

You can set up Knox to handle authentication when you access the user interfaces and REST APIs. After you set up Knox, basic authentication is still an option for making requests directly to the REST application, but any request to the user interfaces must go through Knox first and contain the proper security token.

  • Ensure that you have enabled LDAP on the Metron Security page in Ambari. Knox and Metron must be configured to use the same LDAP.
  • Ensure that you have installed the Metron client component on all Knox gateway hosts.
  1. Navigate to Ambari > Hosts > $METRON_HOST.
  2. At the bottom of the Components section, in the dropdown menu next to the clients, select Install clients, then click Confirm Add.
  3. Select Metron Client, then click Next.
    This will install the Metron client.
  4. Retrieve the Knox public key by running the following command on the Knox gateway host:
    openssl s_client -connect node1:8443 < /dev/null | openssl x509 | grep -v 'CERTIFICATE' | paste -sd "" -
    The Knox public key will be similar to the following:
  5. Copy the output of the command and paste it into the Ambari setting at Metron > Configs > Security > Knox SSO Public Key.
    Make sure that LDAP is enabled at the top of the Security tab window.
  6. Enable Knox, then click Save.
  7. Click the Restart menu to restart the Metron client, Metron REST, Metron Alerts UI, and Metron Management UI.
    After REST comes back up, Metron should be enabled for Knox.
When you launch a user interface, Knox searches for a valid token. If a valid token is not found, Knox redirects to the Knox SSO login form. Once a valid token is found, Knox redirects to the original URL and forwards the request. Accessing the REST application through Knox also follows this pattern.
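
A check for the value produced in step 4 and pasted in step 5, as an added example that is not part of the original documentation or of Metron or Knox: it confirms the string is a single line of base64 that decodes to one complete DER structure and computes its SHA-256 fingerprint. The function names and the sample data are assumptions made for the example; the sample is a constructed stand-in, not a real Knox certificate.

```python
import base64
import binascii
import hashlib
import ssl

# Constructed stand-in for a certificate: a DER SEQUENCE header plus 256 filler
# bytes. It is NOT a real Knox certificate; it only has the same outer shape.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

def flatten_pem(pem):
    """Python equivalent of the grep -v 'CERTIFICATE' | paste -sd "" - stages."""
    return "".join(l.strip() for l in pem.splitlines() if "CERTIFICATE" not in l)

def is_one_der_sequence(der):
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_value(value):
    """Return the problems found in the string pasted into Ambari ([] means none)."""
    problems = []
    if "CERTIFICATE" in value:
        problems.append("PEM BEGIN/END marker still present")
    if any(c.isspace() for c in value):
        problems.append("whitespace or line break inside the value")
    if problems:
        return problems
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["not valid base64"]
    if not is_one_der_sequence(der):
        problems.append("decoded bytes are not one complete DER SEQUENCE (truncated paste?)")
    return problems

def sha256_fingerprint(value):
    """Colon-separated SHA-256 over the decoded DER bytes of the pasted value."""
    digest = hashlib.sha256(base64.b64decode(value, validate=True)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    flat = flatten_pem(SAMPLE_PEM)
    print(check_pasted_value(flat) or "OK", sha256_fingerprint(flat))
```

The fingerprint can be compared with the one `openssl x509 -noout -fingerprint -sha256` reports for the gateway certificate, so a mismatch shows that the value in Ambari is not the certificate Knox is serving.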