Hi,

you are right. I created an Ansible script around this topic, maybe it saves you some time.

Here are the steps in my Ansible script:

  # The regexp of each lineinfile task is anchored on the whole key ('^key=')
  # so that e.g. the 'api.ssl' task cannot match the 'client.api.ssl.*' lines.
  - name: Enable SSL
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^api.ssl=' line='api.ssl=true' owner=root group=root mode=0644

  - name: Set two-way SSL
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^security.server.two_way_ssl=' line='security.server.two_way_ssl=true' owner=root group=root mode=0644

  - name: Configure certificate path
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^client.api.ssl.cert_name=' line='client.api.ssl.cert_name=https.crt' owner=root group=root mode=0644

  - name: Configure key path
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^client.api.ssl.key_name=' line='client.api.ssl.key_name=https.key' owner=root group=root mode=0644

  - name: Keys directory path
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^security.server.keys_dir=' line='security.server.keys_dir=/var/lib/ambari-server/keys' owner=root group=root mode=0644

  - name: Truststore path
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^ssl.trustStore.path=' line='ssl.trustStore.path=/var/lib/ambari-server/keys/keystore.p12' owner=root group=root mode=0644

  - name: Truststore type
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^ssl.trustStore.type=' line='ssl.trustStore.type=pkcs12' owner=root group=root mode=0644

  - name: Truststore password
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^ssl.trustStore.password=' line='ssl.trustStore.password=horton' owner=root group=root mode=0644

  - name: Client API SSL port
    lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^client.api.ssl.port=' line='client.api.ssl.port=8443' owner=root group=root mode=0644

  - name: IPTABLES / 8443 / https web UI
    command: iptables -I INPUT -p tcp --dport 8443 -s 0.0.0.0/0 -j ACCEPT

  - name: Copy certificate to the keys directory
    copy: src=company-bank-01.cloud.hortonworks.com.crt dest=/var/lib/ambari-server/keys/https.crt owner=root group=root mode=0600

  - name: Copy private key to the keys directory
    copy: src=company-bank-01.cloud.hortonworks.com.key dest=/var/lib/ambari-server/keys/https.key owner=root group=root mode=0600

  - name: Create key password file (used by openssl -password for the https keystore)
    copy: src=company-key.pass.txt dest=/var/lib/ambari-server/keys/https.pass.txt group=root mode=0600

  - name: Create key password file (used by openssl -passin for the private key)
    copy: src=company-key.pass.txt dest=/var/lib/ambari-server/keys/pass.txt group=root mode=0600

  - name: Remove old keystore and truststore
    command: rm -f /var/lib/ambari-server/keys/https.keystore.p12

  - command: rm -f /var/lib/ambari-server/keys/keystore.p12

  - name: Create https keystore (certificate + private key as PKCS12)
    command: openssl pkcs12 -export -in '/var/lib/ambari-server/keys/https.crt' -inkey '/var/lib/ambari-server/keys/https.key' -certfile '/var/lib/ambari-server/keys/https.crt' -out '/var/lib/ambari-server/keys/https.keystore.p12' -password file:'/var/lib/ambari-server/keys/https.pass.txt' -passin file:'/var/lib/ambari-server/keys/pass.txt'

  - name: Create truststore (import the certificate with keytool)
    command: /usr/jdk64/jdk1.8.0_40/bin/keytool -import -alias 'company-bank-01' -keystore '/var/lib/ambari-server/keys/keystore.p12' -storetype pkcs12 -file '/var/lib/ambari-server/keys/https.crt' -storepass 'horton' -noprompt

  - command: chmod 600 /var/lib/ambari-server/keys/https.keystore.p12
  - command: chmod 600 /var/lib/ambari-server/keys/keystore.p12

Regards,
Henning
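An added example, not part of Henning's playbook and not anything Ambari ships: a small POSIX shell helper that does what the thread describes, setting key=value lines in ambari.properties non-interactively instead of answering the "ambari-server setup-security" prompts. The match is anchored on the whole key, which matters here: an unanchored pattern such as 'api.ssl' also matches client.api.ssl.cert_name and client.api.ssl.port, and a last-match-wins rewrite (which is what Ansible's lineinfile does) can then replace the wrong property. The file path and property names are the ones used in the thread; the function names set_prop, get_prop, count_prop and configure_ambari_ssl are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Ambari's code): set ambari.properties
# keys non-interactively. Function names are this example's own; the property
# names and paths are the ones the thread uses.
set -e

# Escape the regex metacharacters a property key may contain, so "api.ssl"
# matches only the literal key and not, say, "api-ssl".
_key_re() {
  printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# set_prop FILE KEY VALUE
# Rewrites the existing "KEY=..." line if there is one, otherwise appends it.
# The pattern is anchored at the line start and at "=", so setting "api.ssl"
# leaves "client.api.ssl.port" alone. The rewrite goes through a temporary
# file and "cat >" so the target keeps its owner and mode (ambari.properties
# is root-owned 0644). VALUE must not contain "|" or "&" (sed delimiters).
set_prop() {
  file=$1 key=$2 value=$3
  re="^[[:space:]]*$(_key_re "$key")[[:space:]]*="
  if grep -q "$re" "$file"; then
    tmp=$(mktemp)
    sed "s|${re}.*|${key}=${value}|" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_prop FILE KEY: prints the value of KEY; the last definition wins, as in
# Java properties files. Prints nothing if the key is absent.
get_prop() {
  sed -n "s|^[[:space:]]*$(_key_re "$2")[[:space:]]*=||p" "$1" | tail -n 1
}

# count_prop FILE KEY: number of lines defining KEY (exactly 1 after set_prop).
count_prop() {
  grep -c "^[[:space:]]*$(_key_re "$2")[[:space:]]*=" "$1" || true
}

# Apply the non-secret settings from the thread to a properties file, e.g.
#   configure_ambari_ssl /etc/ambari-server/conf/ambari.properties
# The truststore password is deliberately not hard-coded here; set it with a
# separate set_prop call from wherever the secret is kept.
configure_ambari_ssl() {
  f=$1
  set_prop "$f" api.ssl true
  set_prop "$f" security.server.two_way_ssl true
  set_prop "$f" client.api.ssl.port 8443
  set_prop "$f" client.api.ssl.cert_name https.crt
  set_prop "$f" client.api.ssl.key_name https.key
  set_prop "$f" security.server.keys_dir /var/lib/ambari-server/keys
  set_prop "$f" ssl.trustStore.path /var/lib/ambari-server/keys/keystore.p12
  set_prop "$f" ssl.trustStore.type pkcs12
}
```

Run it as root on the Ambari server and restart ambari-server afterwards, as Dmitry's reply says; the keystore and truststore files themselves still have to be produced with openssl and keytool as in the playbook above.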

On 04/04/16 at 18:48, Lukáš Drbal wrote:
Hi Dmitry,

thanks for the reply, but it's not exactly true.

"ambari-server setup-security" does some "magic" with the provided SSL certs/keys, which in my situation are stored here:

root@<hostname>:/etc/ambari-server/conf# ls -la /var/lib/ambari-server/keys/
total 64
drwx------ 3 root root 4096 Apr  4 16:34 .
drwxr-xr-x 5 root root 4096 Mar 30 21:31 ..
-rw------- 1 root root  779 Mar 10 18:24 ca.config
-rw------- 1 root root 7153 Mar 30 21:32 ca.crt
-rw------- 1 root root 1651 Mar 30 21:32 ca.csr
-rw------- 1 root root 3311 Mar 30 21:32 ca.key
drwx------ 3 root root 4096 Mar 30 21:32 db
-rw------- 1 root root 2698 Apr  4 16:34 https.crt
-rw------- 1 root root 1751 Apr  4 16:34 https.key
-rw------- 1 root root 4917 Apr  4 16:34 https.keystore.p12
-rw------- 1 root root   50 Apr  4 16:34 https.pass.txt
-rw------- 1 root root 5693 Mar 30 21:32 keystore.p12
-rw------- 1 root root   50 Mar 30 21:31 pass.txt

https.crt has the same md5sum as the original certificate, but that's all I know for now. It's maybe time to look into the source code.


L.

On Thu, Mar 31, 2016 at 12:29 PM, Dmitry Sen <d...@hortonworks.com> wrote:

    Hi,


    "ambari-server setup-security" just adds some lines to
    /etc/ambari-server/conf/ambari.properties

    So you can add them in non-interactive mode and restart ambari-server


    ------------------------------------------------------------------------
    *From:* Lukáš Drbal <lukas.dr...@gmail.com>
    *Sent:* Thursday, March 31, 2016 1:01 AM
    *To:* user@ambari.apache.org
    *Subject:* setup-security in silent mode
    Hi,

    is there any way to set up security for Ambari (https) in
    non-interactive mode?
    I need to update my Ansible role for the Ambari server and use https,
    but everything I find uses the command "ambari-server setup-security"
    in interactive mode. Is it possible to use some args?

    Thanks.

    -- Save The World - http://www.worldcommunitygrid.org/
    http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR

    LesTR




--
Save The World - http://www.worldcommunitygrid.org/
http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR

LesTR
