[ 
https://issues.apache.org/jira/browse/AMBARI-20948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Eric Yang updated AMBARI-20948:
-------------------------------
    Description: When system administrator use FreeIPA to manage SSL 
certificates, FreeIPA also generates SPNEGO HTTP principals for each of the 
described subject alternate names.  This can automatically help to renew SSL 
certificate and SPNEGO HTTP principals on expiration date.  Ambari will try to 
forcefully remove any HTTP principals generated for Ambari agent nodes.  This 
breaks FreeIPA managed SSL certificate and Kerberos HTTP principals.  It would 
be nice to preserve and use FreeIPA generated SSL certificate and SPNEGO 
principals with automated-renewal process.  (was: When system administrator use 
FreeIPA to manage SSL certificates, FreeIPA also generates SPNEGO HTTP 
principals for each of the described subject alternate names.  This can 
automatically help to renew SSL certificate and SPNEGO HTTP principals on 
expiration date.  Ambari will try to forcefully remove any HTTP principals 
generated for Ambari agent nodes.  This breaks FreeIPA managed SSL certificate 
and Kerberos HTTP principals.  It would be nice to preserve and use FreeIPA 
generated SSL certificate and SPNEGO principals with automated-renewal process)

> FreeIPA managed HTTP principals are removed by Ambari forcefully
> ----------------------------------------------------------------
>
>                 Key: AMBARI-20948
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20948
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Eric Yang
>
> When system administrator use FreeIPA to manage SSL certificates, FreeIPA 
> also generates SPNEGO HTTP principals for each of the described subject 
> alternate names.  This can automatically help to renew SSL certificate and 
> SPNEGO HTTP principals on expiration date.  Ambari will try to forcefully 
> remove any HTTP principals generated for Ambari agent nodes.  This breaks 
> FreeIPA managed SSL certificate and Kerberos HTTP principals.  It would be 
> nice to preserve and use FreeIPA generated SSL certificate and SPNEGO 
> principals with automated-renewal process.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to