Posted to user@knox.apache.org by Mohammad Islam <mi...@yahoo.com> on 2016/10/26 19:12:43 UTC

Running gateway service without SSL for testing

Hi,
Currently Knox gateway service is defaulted to "https" protocol. Is there a way to turn it off and make it "http" for dev purpose?
I'm getting the error "certificate signed by unknown authority" for some of the https accesses.
Alternatively, is there a quick way of getting self-signed certificate for dev and testing purpose?
Regards,
Mohammad


 

Re: Running gateway service without SSL for testing

Posted by Mohammad Islam <mi...@yahoo.com>.
Thanks Larry for your help. It unblocked me. We are evaluating Knox for our production. I will ping the group for any such quick help.
Regards,
Mohammad
 

    On Wednesday, October 26, 2016 5:43 PM, larry mccay <lm...@apache.org> wrote:
 

 Hi Mohammad -
This is not at all recommended for production deployments. You can turn it off with a param in gateway-site.xml called ssl.enabled - set it to false and you don't need it for dev.
Alternatively, you can generally provide some client side setting to not validate the server cert for dev environments. This allows you to continue to have wire encryption though you don't have the assurance that you are talking to the actual server that you expect. In dev, this is less of a concern.
You can also use keytool or Portecle or some other tooling to export the public cert for the gateway from {GATEWAY_HOME}/data/security/keystores/gateway.jks. The alias is gateway-identity and the keystore password is your Knox master secret that you provided at startup, to the knoxcli create-master command or through Ambari.
You can then add that public cert to your client specific truststore, etc.
HTH,
--larry
On Wed, Oct 26, 2016 at 3:12 PM, Mohammad Islam <mi...@yahoo.com> wrote:

Hi,
Currently Knox gateway service is defaulted to "https" protocol. Is there a way to turn it off and make it "http" for dev purpose?
I'm getting the error "certificate signed by unknown authority" for some of the https accesses.
Alternatively, is there a quick way of getting self-signed certificate for dev and testing purpose?
Regards,
Mohammad


 




   

Re: Running gateway service without SSL for testing

Posted by larry mccay <lm...@apache.org>.
Hi Mohammad -

This is not at all recommended for production deployments.
You can turn it off with a param in gateway-site.xml called ssl.enabled -
set it to false and you don't need it for dev.

Alternatively, you can generally provide some client side setting to not
validate the server cert for dev environments.
This allows you to continue to have wire encryption though you don't have
the assurance that you are talking to the actual server that you expect. In
dev, this is less of a concern.

You can also use keytool or Portecle or some other tooling to export the
public cert for the gateway from
{GATEWAY_HOME}/data/security/keystores/gateway.jks. The alias is
gateway-identity and the keystore password is your Knox master secret that
you provided at startup, to the knoxcli create-master command or through
Ambari.

You can then add that public cert to your client specific truststore, etc.

HTH,

--larry

On Wed, Oct 26, 2016 at 3:12 PM, Mohammad Islam <mi...@yahoo.com> wrote:

> Hi,
> Currently Knox gateway service is defaulted to "https" protocol. Is there
> a way to turn it off and make it "http" for dev purpose?
>
> I'm getting the error "certificate signed by unknown authority" for some
> of the https accesses.
>
> Alternatively, is there a quick way of getting self-signed certificate for
> dev and testing purpose?
>
> Regards,
> Mohammad
>
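
The keytool route from the reply above (export the gateway-identity certificate from gateway.jks, then add it to a client truststore), written out as an added shell example; it is not part of the thread or of Knox's own tooling. The function names, the KNOX_MASTER and TRUST_PASS environment variables and the output file names are assumptions, and passwords are read through keytool's `-storepass:env` modifier so the master secret does not appear in the process list.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): trust the gateway's self-signed
# certificate on a dev client instead of disabling TLS or validation.
# Assumed names: the functions below, KNOX_MASTER, TRUST_PASS.
# Passwords come from the environment via keytool's :env modifier so they
# never show up in `ps` output or shell history.

# export_gateway_cert KEYSTORE OUT_PEM
# Exports only the public certificate for alias gateway-identity as PEM;
# the private key stays in the gateway keystore.
export_gateway_cert() {
  keytool -exportcert -rfc -alias gateway-identity \
    -keystore "$1" -storepass:env KNOX_MASTER -file "$2"
}

# cert_sha256 CERT_PEM
# Prints the SHA-256 fingerprint so it can be compared with the value
# read on the gateway host before the certificate is trusted.
cert_sha256() {
  keytool -printcert -file "$1" | sed -n 's/^.*SHA256: *//p'
}

# import_into_truststore CERT_PEM TRUSTSTORE
# Adds the certificate as a trusted entry; creates the truststore if absent.
import_into_truststore() {
  keytool -importcert -noprompt -alias gateway-identity \
    -file "$1" -keystore "$2" -storepass:env TRUST_PASS
}

# truststore_has_gateway TRUSTSTORE -> exit status 0 if the alias is present
truststore_has_gateway() {
  keytool -list -alias gateway-identity \
    -keystore "$1" -storepass:env TRUST_PASS >/dev/null 2>&1
}

# Usage: KNOX_MASTER=... TRUST_PASS=... ./trust-gateway.sh \
#          "$GATEWAY_HOME/data/security/keystores/gateway.jks" client-trust.jks
if [ "$#" -eq 2 ]; then
  set -e
  export_gateway_cert "$1" gateway-identity.pem
  echo "SHA-256: $(cert_sha256 gateway-identity.pem)"
  import_into_truststore gateway-identity.pem "$2"
  truststore_has_gateway "$2" && echo "gateway-identity trusted in $2"
fi
```

This keeps certificate validation switched on in the client, so the connection is both encrypted and tied to the specific gateway certificate that was exported.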