You can enable SSL for the DAS Engine using a self-signed certificate. Self-signed
certificates are primarily used in test environments. For a production environment, you
should use a certificate from a trusted CA.
You must have root user access to the clusters on which DAS
Engine is installed.
-
Log in as root user on the cluster with DAS Engine installed.
-
Generate a key pair and keystore for use with DAS Engine.
keytool -genkey -alias jetty -keystore <certificate_file_path>
-storepass <keystore_password> -dname 'CN=das.host.com, OU=Eng, O=ABC Corp,
L=Santa Clara, ST=CA, C=US' -keypass <key_password>
| Note |
---|
Ignore the following warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore <keystore_file_path> -destkeystore <keystore_file_path> -deststoretype pkcs12".
|
Follow the prompts and enter the required information.
Following is a sample command
output:
keytool -genkey -alias jetty -keystore ~/tmp/ks -storepass password
What is your first and last name?
[Unknown]: das.host.com
What is the name of your organizational unit?
[Unknown]: Eng
What is the name of your organization?
[Unknown]: ABC Corp
What is the name of your City or Locality?
[Unknown]: Santa Clara
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=das.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA, C=US correct?
[no]: yes
Enter key password for <jetty>
(RETURN if same as keystore password):
| Note |
---|
You will have to use this keystore file while configuring the DAS Engine
for TLS in Ambari. |
-
Export the certificate.
keytool -exportcert -alias jetty -keystore /my/file.keystore -file <certificate file path> -storepass <keystore_password> -rfc