Enabling HTTPS (SSL) access for Ambari and importing the truststore

1. Create the certificate directory

root@hadoop01[/etc/ambari-server]#mkdir /etc/ambari-server/certs

root@hadoop01[/etc/ambari-server]#cd /etc/ambari-server/certs/

root@hadoop01[/etc/ambari-server/certs]#export AMBARI_SERVER_HOSTNAME=hadoop01

2. Generate the certificate

root@hadoop01[/etc/ambari-server/certs]#openssl genrsa -passout pass:hadoop -out $AMBARI_SERVER_HOSTNAME.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
........................+++
e is 65537 (0x10001)
root@hadoop01[/etc/ambari-server/certs]# openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hadoop01
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ambari
An optional company name []:ambari
root@hadoop01[/etc/ambari-server/certs]#openssl x509 -req -days 3650 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=hadoop01
Getting Private key
root@hadoop01[/etc/ambari-server/certs]#ll
总用量 12
-rw-r--r-- 1 root root 1151 1月  19 10:49 hadoop01.crt
-rw-r--r-- 1 root root 1041 1月  19 10:49 hadoop01.csr
-rw-r--r-- 1 root root 1679 1月  19 10:47 hadoop01.key

3. Install the certificate

root@hadoop01[/etc/ambari-server/certs]#ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? 
SSL port [8443] ? 
Enter path to Certificate: /etc/ambari-server/certs/hadoop01.crt
Enter path to Private Key: /etc/ambari-server/certs/hadoop01.key
Please enter password for Private Key: 
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")
root@hadoop01[/etc/ambari-server/certs]#

4. Restart ambari-server

root@hadoop01[/etc/ambari-server/certs]#ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.......................
Server started listening on 8443

DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.

The output shows that the listening port has changed to 8443.

root@hadoop01[/etc/ambari-server/certs]#cat /etc/ambari-server/conf/ambari.properties 

5. Import the certificate into the truststore

root@hadoop01[/etc/ambari-server/certs]#keytool -import -file /etc/ambari-server/certs/hadoop01.crt -alias ambari-server -keystore ambari-server-truststore
输入密钥库口令:  
再次输入新口令: 
所有者: CN=hadoop01, O=Default Company Ltd, L=Default City, C=XX
发布者: CN=hadoop01, O=Default Company Ltd, L=Default City, C=XX
序列号: adb4d9e923ccd8e2
有效期为 Sun Jan 19 10:49:43 CST 2020 至 Wed Jan 16 10:49:43 CST 2030
证书指纹:
         MD5:  16:0C:6A:CC:89:9F:5B:FF:10:BB:B3:4C:08:88:E4:8F
         SHA1: 82:CA:03:9E:C5:EB:B9:10:CF:D6:8A:B6:D1:DD:94:87:D4:10:20:ED
         SHA256: 6F:40:1E:E9:F5:46:83:BF:DB:CD:85:60:23:14:28:71:74:D7:36:19:BC:F6:58:E7:11:3F:56:EF:17:3C:E7:20
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 1
是否信任此证书? [否]:  y                           
证书已添加到密钥库中
root@hadoop01[/etc/ambari-server/certs]#

This creates an ambari-server-truststore file in the /etc/ambari-server/certs directory.

root@hadoop01[/etc/ambari-server/certs]#ll
总用量 16
-rw-r--r-- 1 root   root  880 1月  19 10:56 ambari-server-truststore
-rw-r--r-- 1 ambari root 1151 1月  19 10:49 hadoop01.crt
-rw-r--r-- 1 ambari root 1041 1月  19 10:49 hadoop01.csr
-rw-r--r-- 1 ambari root 1679 1月  19 10:47 hadoop01.key

root@hadoop01[/etc/ambari-server/certs]#ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? 
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/etc/ambari-server/certs/ambari-server-truststore
Password for TrustStore:
Re-enter password: 
Ambari Server 'setup-security' completed successfully.

6. Restart ambari-server
root@hadoop01[/etc/ambari-server/certs]#ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.......................
Server started listening on 8443

DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.
root@hadoop01[/etc/ambari-server/certs]#

7. Check the ambari-server status

root@hadoop01[/etc/ambari-server/certs]#ambari-server status
Using python  /usr/bin/python
Ambari-server status
Ambari Server running
Found Ambari Server PID: 21699 at: /var/run/ambari-server/ambari-server.pid
root@hadoop01[/etc/ambari-server/certs]#

8. Verify in the web UI

https://10.45.53.233:8443/

The username and password are the same as before; the default is admin/admin.
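
An audit of the files produced in step 2, as an added example that is not part of the original post. The listing shows hadoop01.key with mode -rw-r--r--, genrsa was run without a cipher option so -passout did not encrypt the key, and keytool reports the certificate as version 1, which cannot carry a subjectAltName. The function names and the KEY_PASS variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.
# Usage: bash <this-script> KEY CERT NAME   e.g. hadoop01.key hadoop01.crt hadoop01

# True if only the owner can read the key file (mode 600 or 400).
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# True if the PEM key is encrypted at rest (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the certificate carries the public half of this private key.
# KEY_PASS (assumed variable) supplies the passphrase for an encrypted key.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout -passin "pass:${KEY_PASS:-}" 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if the host name or IP ($2) is listed in the subjectAltName extension.
# Modern browsers match on subjectAltName, so a CN-only certificate fails here.
cert_san_has() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "(DNS|IP Address):$2(,|\$)"
}

# Print one line per finding; return the number of failed checks.
audit_pair() {   # audit_pair KEY CERT NAME
    local failed=0
    key_mode_ok "$1"           || { echo "WARN key is readable by group/other"; failed=$((failed+1)); }
    key_is_encrypted "$1"      || echo "INFO key is stored unencrypted"
    key_matches_cert "$1" "$2" || { echo "FAIL key does not match certificate"; failed=$((failed+1)); }
    cert_san_has "$2" "$3"     || { echo "WARN $3 is not in subjectAltName"; failed=$((failed+1)); }
    return "$failed"
}

if [ "$#" -eq 3 ]; then audit_pair "$1" "$2" "$3"; fi
```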
