Configuring Proxy with Apache Knox
Also available as:
PDF
loading table of contents...

Set the Master Secret

How to set the Master Secret for the first time, when configuring the Knox Gateway.

The master secret is required to start the gateway. The secret protects artifacts used by the gateway instance, such as the keystore, trust stores and credential stores.

You configure the gateway to persist the master secret, which is saved in the $gateway /data/security/master file. Ensure that this directory has the appropriate permissions set for your environment.

Note
Note

Ensure that the security directory, $gateway/data/security, and its contents are readable and writable only by the knox user. This is the most important layer of defense for master secret. Do not assume that the encryption is sufficient protection.

You may persist the master secret by supplying the -persist-master switch at startup. This will result in a warning indicating that persisting the secret is less secure than providing it at startup. We do make some provisions in order to protect the persisted password.

It is encrypted with AES 128 bit encryption and where possible the file permissions are set to only be accessible by the user that the gateway is running as.

After persisting the secret, ensure that the file at config/security/master has the appropriate permissions set for your environment. This is probably the most important layer of defense for master secret. Do not assume that the encryption if sufficient protection.

A specific user should be created to run the gateway this user will be the only user with permissions for the persisted master file.

  1. Enter:
    cd {GATEWAY_HOME}
    bin/knoxcli.sh create-master
  2. The CLI prompts you for the master secret; enter it.