Posted to dev@ambari.apache.org by "Sumit Gupta (JIRA)" <ji...@apache.org> on 2014/11/04 22:37:34 UTC

[jira] [Updated] (AMBARI-8145) Knox install should generate a good self signed certificate

     [ https://issues.apache.org/jira/browse/AMBARI-8145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sumit Gupta updated AMBARI-8145:
--------------------------------
    Attachment: AMBARI-8145.patch

End to end tested the patch on a CentOS 6.4 machine. Before the patch, after installing and starting Knox via the HDP 2.2 repo, an auto-generated cert for localhost was loaded up by Knox. After the patch, Knox loads up the cert with the hostname that it is installed on. This can be seen in the log file gateway.log with the following entries (for example):

2014-11-04 21:13:24,578 INFO  hadoop.gateway (JettySSLService.java:init(77)) - Credential store for the gateway instance found - no need to create one.
2014-11-04 21:13:24,580 INFO  hadoop.gateway (JettySSLService.java:init(91)) - Keystore for the gateway instance found - no need to create one.
2014-11-04 21:13:24,585 INFO  hadoop.gateway (JettySSLService.java:logAndValidateCertificate(108)) - The Gateway SSL certificate is issued to hostname: c6401.ambari.apache.org.

Also, on subsequent stops and starts, the cert is not regenerated, as the code checks for the presence of the file gateway.jks.

> Knox install should generate a good self signed certificate
> -----------------------------------------------------------
>
>                 Key: AMBARI-8145
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8145
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 1.7.0
>            Reporter: Sumit Gupta
>            Priority: Critical
>             Fix For: 1.7.0
>
>         Attachments: AMBARI-8145.patch
>
>
> When Knox is installed and started, if the process doesn't find a certificate in the keystore it generates one for localhost. This needs to be generated explicitly using the fully qualified host name where Knox is installed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
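
The gateway.log check described in the comment above can be automated. The following is an added example, not part of the original message or of the Ambari/Knox code: it reads the "issued to hostname" entries and reports whether the most recently loaded certificate names the expected FQDN or a loopback name. The function names, status strings and loopback name set are assumptions made for illustration.

```python
import re

# Message text copied from the gateway.log entries quoted in the post above.
CERT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s.*"
    r"The Gateway SSL certificate is issued to hostname: (?P<host>\S+?)\.?\s*$"
)
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}  # assumed loopback names


def issued_hostnames(log_text):
    """Return (timestamp, hostname) for every certificate line, in file order."""
    found = []
    for line in log_text.splitlines():
        m = CERT_LINE.match(line)
        if m:
            found.append((m.group("ts"), m.group("host").lower()))
    return found


def check_gateway_cert(log_text, expected_fqdn):
    """Classify the certificate logged at the most recent gateway start."""
    entries = issued_hostnames(log_text)
    if not entries:
        return ("no-cert-line", None)
    _, host = entries[-1]  # the last entry is the cert currently being served
    if host in LOOPBACK_NAMES:
        return ("localhost-cert", host)
    if host != expected_fqdn.rstrip(".").lower():
        return ("hostname-mismatch", host)
    return ("ok", host)


# Constructed sample: the first entry imitates the pre-patch behaviour described
# in the post (same message format assumed); the last is the line quoted in it.
SAMPLE_LOG = """\
2014-11-04 20:02:11,101 INFO  hadoop.gateway (JettySSLService.java:logAndValidateCertificate(108)) - The Gateway SSL certificate is issued to hostname: localhost.
2014-11-04 21:13:24,580 INFO  hadoop.gateway (JettySSLService.java:init(91)) - Keystore for the gateway instance found - no need to create one.
2014-11-04 21:13:24,585 INFO  hadoop.gateway (JettySSLService.java:logAndValidateCertificate(108)) - The Gateway SSL certificate is issued to hostname: c6401.ambari.apache.org.
"""

if __name__ == "__main__":
    print(check_gateway_cert(SAMPLE_LOG, "c6401.ambari.apache.org"))
```

On a real host the expected name can be supplied from socket.getfqdn(). A "localhost-cert" result after a restart means the keystore was created before the fix, since the existing gateway.jks is reused rather than regenerated.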