Set up a custom key/certificate/keystore (optional; not needed if this has already been done, since ambari-server generates these during its first start):
cd /var/lib/ambari-server/keys/
echo "mypass" > mypass.txt
openssl genrsa -out my.key 2048
openssl req -new -key my.key -out my.csr -subj '/C=US/ST=Oregon/L=Portland/CN=myname/emailAddress=mymail@apache.org'
openssl x509 -req -days 365 -in my.csr -signkey my.key -out my.crt
openssl pkcs12 -export -in '/var/lib/ambari-server/keys/my.crt' -inkey '/var/lib/ambari-server/keys/my.key' \
    -certfile '/var/lib/ambari-server/keys/my.crt' -out '/var/lib/ambari-server/keys/my.keystore.p12' \
    -password file:'/var/lib/ambari-server/keys/mypass.txt'
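The same key/certificate/PKCS12 procedure as an added example (not Ambari's own code): it keeps the private key and the password file owner-only and verifies the keystore (password, certificate fingerprint, CN, remaining validity) before ambari-server setup-security is pointed at it. It assumes openssl is on PATH; the directory, CN and password are inputs, and /tmp/ambari-keys-demo is a constructed scratch path.

```shell
#!/bin/sh
# Added example (not Ambari's own code): builds my.key, my.crt and my.keystore.p12
# the way the Ambari steps do, with owner-only file permissions, then verifies
# the result. Assumes openssl on PATH; DIR, CN and PASS are caller-supplied.
set -eu

# make_https_keystore DIR CN PASS: writes my.key, my.csr, my.crt, my.keystore.p12
# and mypass.txt into DIR. Body runs in a subshell so the umask change stays local.
make_https_keystore() (
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    umask 077                              # private key and password file: owner-only
    printf '%s\n' "$pass" > "$dir/mypass.txt"
    openssl genrsa -out "$dir/my.key" 2048 2>/dev/null
    openssl req -new -key "$dir/my.key" -out "$dir/my.csr" \
        -subj "/C=US/ST=Oregon/L=Portland/CN=$cn/emailAddress=mymail@apache.org"
    openssl x509 -req -days 365 -in "$dir/my.csr" -signkey "$dir/my.key" \
        -out "$dir/my.crt" 2>/dev/null
    # self-signed, so no separate chain; a CA-issued cert would add -certfile chain.pem
    openssl pkcs12 -export -in "$dir/my.crt" -inkey "$dir/my.key" \
        -out "$dir/my.keystore.p12" -password "file:$dir/mypass.txt"
)

# verify_keystore DIR CN: returns 0 only if the keystore opens with mypass.txt,
# the certificate inside it is the one on disk, its CN is the expected one,
# and it stays valid for at least 30 more days (2592000 s).
verify_keystore() {
    dir=$1; cn=$2
    openssl pkcs12 -in "$dir/my.keystore.p12" -noout \
        -password "file:$dir/mypass.txt" 2>/dev/null || return 1
    in_store=$(openssl pkcs12 -in "$dir/my.keystore.p12" -nokeys -clcerts \
        -password "file:$dir/mypass.txt" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256) || return 1
    on_disk=$(openssl x509 -in "$dir/my.crt" -noout -fingerprint -sha256)
    [ -n "$in_store" ] && [ "$in_store" = "$on_disk" ] || return 1
    openssl x509 -in "$dir/my.crt" -noout -subject | grep -q "CN *= *$cn" || return 1
    openssl x509 -in "$dir/my.crt" -noout -checkend 2592000 >/dev/null
}

# Stand-alone use on a constructed scratch directory (not /var/lib/ambari-server/keys):
if [ "${1:-}" = "demo" ]; then
    make_https_keystore /tmp/ambari-keys-demo ambari.example.test mypass
    verify_keystore /tmp/ambari-keys-demo ambari.example.test && echo "keystore OK"
fi
```

Run it as `sh script.sh demo` to exercise it on the scratch directory. OpenSSL 3 writes PBES2/AES-256 PKCS12 files by default; if an old JDK keytool refuses to read the result, re-export with `openssl pkcs12 -export -legacy ...` (needs the legacy provider).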
Run 'ambari-server setup-security' with option [1] (setup-https):
Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ?
Enter path to Certificate: /var/lib/ambari-server/keys/my.crt
Enter path to Private Key: /var/lib/ambari-server/keys/my.key
Please enter password for Private Key: ****
Based on these inputs, it generates https.key, https.crt and https.keystore.p12 under the '/var/lib/ambari-server/keys' directory; these are used for HTTPS.
Set up LDAPS
Currently Ambari can use only one custom truststore at a time, so the certificates have to be merged into a single truststore.
Get the LDAPS certificate. If you do not have it locally (e.g. a self-signed certificate), you can download it from the server:
openssl s_client -connect myurl.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ldapserver.pem
Create a JKS keystore from https.keystore.p12 (in the end, both HTTPS and LDAPS will use https.keystore.jks):
keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -deststorepass changeit
Convert the LDAPS certificate to DER format and import it into the truststore:
openssl x509 -outform der -in ldapserver.pem -out ldapserver.der
keytool -import -alias ldap -keystore https.keystore.jks -file ldapserver.der
Run the 'ambari-server setup-ldap' command, e.g.:
Setting up LDAP properties...
Primary URL* {host:port} : c6401.ambari.apache.org:636
Secondary URL :
Use SSL* [true/false] (true):
User object class* (person):
User name attribute* (uid):
Group object class* (posixGroup):
Group name attribute* (cn):
Group member attribute* (memberUid):
Base DN* : dc=apache,dc=org
Bind anonymously* [true/false] (false):
Manager DN* : uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
Enter Manager Password* : hdfs
Re-enter password: hdfs
Do you want to provide custom TrustStore for Ambari [y/n] (n)? y
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/var/lib/ambari-server/keys/https.keystore.jks
Password for TrustStore:
Re-enter password:
Save settings [y/n] (y)? y
Add these properties to the ambari.properties file:
client.api.ssl.keystore_name=https.keystore.jks
client.api.ssl.keystore_type=jks
client.api.ssl.truststore_name=https.keystore.jks
client.api.ssl.truststore_type=jks
(Optional) Instead of the steps above, the JDK's default keystore can be used as the truststore (the same applies to the HTTPS certificate):
openssl x509 -in ldapserver.pem -out ldapserver.crt
/usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file ldapserver.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts
Finally, run:
ambari-server restart