1. Create the certificate directory
root@hadoop01[/etc/ambari-server]#mkdir /etc/ambari-server/certs
root@hadoop01[/etc/ambari-server]#cd /etc/ambari-server/certs/
root@hadoop01[/etc/ambari-server/certs]#export AMBARI_SERVER_HOSTNAME=hadoop01
2. Generate the certificate
Caveat: the -passout option on the genrsa command below has no effect, because no cipher option (for example -aes256) is given; openssl genrsa therefore writes the key unencrypted, which is why the private-key password prompt in step 3 can be left empty. The certificate produced here is also X.509 v1 (keytool reports "Version: 1" in step 5) with no Subject Alternative Name; Chrome ignores the CN and reports a name mismatch for such a certificate even after it has been trusted.
root@hadoop01[/etc/ambari-server/certs]#openssl genrsa -passout pass:hadoop -out $AMBARI_SERVER_HOSTNAME.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
........................+++
e is 65537 (0x10001)
root@hadoop01[/etc/ambari-server/certs]# openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hadoop01
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ambari
An optional company name []:ambari
root@hadoop01[/etc/ambari-server/certs]#openssl x509 -req -days 3650 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=hadoop01
Getting Private key
root@hadoop01[/etc/ambari-server/certs]#ll
total 12
-rw-r--r-- 1 root root 1151 Jan 19 10:49 hadoop01.crt
-rw-r--r-- 1 root root 1041 Jan 19 10:49 hadoop01.csr
-rw-r--r-- 1 root root 1679 Jan 19 10:47 hadoop01.key
Note that hadoop01.key is mode 644, so every local user on the host can read the private key; run chmod 600 hadoop01.key before continuing.
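The commands above do produce a working certificate, but with the weaknesses noted at the start of step 2. The script below is an added example written for this page; it is not part of the original post and not Ambari's own tooling. It generates the same three files for hadoop01 with an encrypted key, a passphrase read from the environment instead of the command line (a pass:... argument is visible to every local user in ps), a SAN covering both the host name and the IP address that step 8 uses, and owner-only permissions on the key, then checks the result before it is handed to ambari-server setup-security in step 3. The host name hadoop01 and the IP 10.45.53.233 come from the post; the 825-day default lifetime, the AMBARI_KEY_PASS variable and the function names are this example's own choices.

```shell
#!/bin/bash
# Added example for this page (not the original post's commands).
# Differences from step 2 above:
#   - genrsa gets -aes256, so -passout actually encrypts the key;
#   - the passphrase comes from $AMBARI_KEY_PASS (env:), not from argv;
#   - the certificate carries a SAN (DNS + IP), key usage and CA:FALSE;
#   - the key is created owner-only (umask 077) instead of 0644.
# Assumed: host hadoop01, IP 10.45.53.233, 825-day lifetime.
set -eu

# gen_ambari_cert DIR HOST IP [DAYS]   (passphrase in $AMBARI_KEY_PASS)
gen_ambari_cert() {
    local dir=$1 host=$2 ip=$3 days=${4:-825} old_umask
    local key="$dir/$host.key" csr="$dir/$host.csr" crt="$dir/$host.crt" cnf="$dir/$host.cnf"
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077                        # everything created below starts owner-only
    cat > "$cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $host
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
    # Same three steps as the post, with the flags that were missing.
    openssl genrsa -aes256 -passout env:AMBARI_KEY_PASS -out "$key" 2048
    openssl req -new -config "$cnf" -key "$key" -passin env:AMBARI_KEY_PASS -out "$csr"
    openssl x509 -req -days "$days" -in "$csr" -signkey "$key" -passin env:AMBARI_KEY_PASS \
        -extfile "$cnf" -extensions server_ext -out "$crt"
    chmod 644 "$crt"                 # the certificate is public; the key stays 0600
    umask "$old_umask"
}

# key_is_encrypted KEY -> 0 if the PEM is passphrase-protected (PKCS#1 or PKCS#8 form)
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# cert_has_san CRT NAME -> 0 if NAME appears in the Subject Alternative Name extension
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# cert_matches_key CRT KEY -> 0 if the certificate's public key is the key's public key
cert_matches_key() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -passin env:AMBARI_KEY_PASS -pubout)
    [ "$a" = "$b" ]
}

# cert_sha256 CRT -> colon-separated SHA-256 fingerprint, the form keytool and browsers show
cert_sha256() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Usage (as root on the Ambari host):
#   AMBARI_KEY_PASS='a-strong-passphrase' bash mkcert.sh /etc/ambari-server/certs hadoop01 10.45.53.233
if [ "$#" -ge 3 ]; then
    gen_ambari_cert "$1" "$2" "$3" "${4:-825}"
    key_is_encrypted "$1/$2.key"            || { echo "key is not encrypted"; exit 1; }
    cert_has_san "$1/$2.crt" "$2"            || { echo "SAN lacks $2"; exit 1; }
    cert_matches_key "$1/$2.crt" "$1/$2.key" || { echo "cert/key mismatch"; exit 1; }
    echo "SHA-256 fingerprint to compare in keytool and the browser: $(cert_sha256 "$1/$2.crt")"
fi
```

At the "Please enter password for Private Key" prompt in step 3, give the value of AMBARI_KEY_PASS. cert_sha256 prints the same colon-separated SHA-256 that keytool shows in step 5 and that the browser's certificate viewer shows in step 8, so the three can be compared by eye.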
3. Enable HTTPS with ambari-server setup-security
root@hadoop01[/etc/ambari-server/certs]#ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)?
SSL port [8443] ?
Enter path to Certificate: /etc/ambari-server/certs/hadoop01.crt
Enter path to Private Key: /etc/ambari-server/certs/hadoop01.key
Please enter password for Private Key:
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")
root@hadoop01[/etc/ambari-server/certs]#
4. Restart ambari-server
root@hadoop01[/etc/ambari-server/certs]#ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.......................
Server started listening on 8443
DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.
The server now listens on 8443. ambari-server setup-security records this in ambari.properties; api.ssl=true and client.api.ssl.port=8443 are the entries to look for:
root@hadoop01[/etc/ambari-server/certs]#cat /etc/ambari-server/conf/ambari.properties
5. Create the truststore and import the certificate
root@hadoop01[/etc/ambari-server/certs]#keytool -import -file /etc/ambari-server/certs/hadoop01.crt -alias ambari-server -keystore ambari-server-truststore
Enter keystore password:
Re-enter new password:
Owner: CN=hadoop01, O=Default Company Ltd, L=Default City, C=XX
Issuer: CN=hadoop01, O=Default Company Ltd, L=Default City, C=XX
Serial number: adb4d9e923ccd8e2
Valid from: Sun Jan 19 10:49:43 CST 2020 until: Wed Jan 16 10:49:43 CST 2030
Certificate fingerprints:
MD5: 16:0C:6A:CC:89:9F:5B:FF:10:BB:B3:4C:08:88:E4:8F
SHA1: 82:CA:03:9E:C5:EB:B9:10:CF:D6:8A:B6:D1:DD:94:87:D4:10:20:ED
SHA256: 6F:40:1E:E9:F5:46:83:BF:DB:CD:85:60:23:14:28:71:74:D7:36:19:BC:F6:58:E7:11:3F:56:EF:17:3C:E7:20
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Trust this certificate? [no]: y
Certificate was added to keystore
root@hadoop01[/etc/ambari-server/certs]#
This creates the file ambari-server-truststore in /etc/ambari-server/certs. Note that the keytool output says Version: 1, confirming that the certificate from step 2 carries no extensions and hence no Subject Alternative Name.
root@hadoop01[/etc/ambari-server/certs]#ll
total 16
-rw-r--r-- 1 root root 880 Jan 19 10:56 ambari-server-truststore
-rw-r--r-- 1 ambari root 1151 Jan 19 10:49 hadoop01.crt
-rw-r--r-- 1 ambari root 1041 Jan 19 10:49 hadoop01.csr
-rw-r--r-- 1 ambari root 1679 Jan 19 10:47 hadoop01.key
(setup-security in step 3 changed the owner of the three files to ambari, but hadoop01.key is still mode 644.)
root@hadoop01[/etc/ambari-server/certs]#ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/etc/ambari-server/certs/ambari-server-truststore
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.
6. Restart ambari-server
root@hadoop01[/etc/ambari-server/certs]#ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.......................
Server started listening on 8443
DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.
root@hadoop01[/etc/ambari-server/certs]#
7. Check the ambari-server status
root@hadoop01[/etc/ambari-server/certs]#ambari-server status
Using python /usr/bin/python
Ambari-server status
Ambari Server running
Found Ambari Server PID: 21699 at: /var/run/ambari-server/ambari-server.pid
root@hadoop01[/etc/ambari-server/certs]#
8. Verify in the web UI
https://10.45.53.233:8443/
The username and password are unchanged; the default is admin/admin. Expect a browser warning: the certificate is self-signed, and its CN is hadoop01 while this URL uses the IP address, so the name does not match either. If the admin account still has the default password, change it now that the login no longer travels in clear text.
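Once the server is back up, the checks below confirm that what is served on 8443 is the certificate from step 2 and that the truststore from step 5 holds the same one. This is an added example for this page, not part of the original post and not Ambari's own tooling. It assumes the paths used above, the alias ambari-server from step 5, that the truststore password is supplied in the TRUSTSTORE_PASS environment variable, and that ambari-server setup-security wrote the keys api.ssl, client.api.ssl.port and ssl.trustStore.path to ambari.properties (the names Ambari uses for these settings). The function names are this example's own.

```shell
#!/bin/bash
# Added example for this page (not the original post's commands): verify the
# HTTPS setup from steps 3 to 7 after the restart. Assumed: file locations as in
# the post, keytool alias "ambari-server", truststore password in $TRUSTSTORE_PASS,
# property names api.ssl / client.api.ssl.port / ssl.trustStore.path.
set -eu

# prop FILE KEY -> value of KEY from a Java .properties file ("" if absent)
prop() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1; }

# https_enabled FILE -> 0 when api.ssl=true
https_enabled() { [ "$(prop "$1" api.ssl)" = "true" ]; }

# keytool_sha256 LISTING ALIAS -> SHA-256 fingerprint of ALIAS from a saved
# `keytool -list -v` listing in English; "" if the alias is not present
keytool_sha256() {
    awk -v alias="$2" '
        /^Alias name:/ { cur = $3 }
        cur == alias && /SHA256:/ { print $2; exit }' "$1"
}

# served_sha256 HOST PORT -> fingerprint of the certificate the live server presents
served_sha256() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# file_sha256 CRT -> fingerprint of a PEM certificate on disk
file_sha256() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# same_fingerprint A B -> 0 when equal ignoring case, colons and spaces (and both non-empty)
same_fingerprint() {
    local a b
    a=$(printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (as root on the Ambari host):
#   TRUSTSTORE_PASS='...' bash verify-https.sh check [hadoop01]
if [ "${1:-}" = "check" ]; then
    host=${2:-hadoop01}
    props=/etc/ambari-server/conf/ambari.properties
    crt=/etc/ambari-server/certs/$host.crt
    https_enabled "$props" || { echo "api.ssl is not true in $props"; exit 1; }
    port=$(prop "$props" client.api.ssl.port)
    ts=$(prop "$props" ssl.trustStore.path)
    listing=$(mktemp)
    # -J-Duser.language=en forces English output regardless of the host locale
    keytool -list -v -keystore "$ts" -storepass "${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS}" \
        -J-Duser.language=en > "$listing"
    want=$(file_sha256 "$crt")
    same_fingerprint "$want" "$(served_sha256 "$host" "$port")" \
        || { echo "port $port serves a different certificate than $crt"; exit 1; }
    same_fingerprint "$want" "$(keytool_sha256 "$listing" ambari-server)" \
        || { echo "truststore $ts does not hold $crt under alias ambari-server"; exit 1; }
    rm -f "$listing"
    echo "OK: api.ssl=true, port $port serves $crt, truststore holds it ($want)"
fi
```

same_fingerprint normalises case and separators because openssl, keytool and browsers each print the digest a little differently; the comparison is on the raw hex.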