Comments inline:
On Mar 31, 2015, at 4:47 PM, Don Bosco Durai <[email protected]> wrote:
Rich, seems you are using self-signed certificates at Knox. If that is the
case, you might have to do the following.
* cd /var/lib/knox/data/security/keystores/
* keytool -exportcert -alias gateway-identity -keystore gateway.jks -file ~/knox.crt
* Return on password prompt
* cd ~
* . /etc/ranger/admin/conf/java_home.sh
* cp $JAVA_HOME/jre/lib/security/cacerts cacerts.withknox
* keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacerts.withknox
knox@myhost:/home/knox$ keytool -import -trustcacerts -file knox.crt -alias
knox -keystore cacerts.withknox
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was
incorrect
I’m not sure what password I should be using for the cacerts file I copied from
$JAVA_HOME/jre/lib/security…
* cp cacerts.withknox /etc/ranger/admin/conf
* cd /etc/ranger/admin/conf
* vi ranger-admin-env-knox_cert.sh
#!/bin/bash
certs_with_knox=/etc/ranger/admin/conf/cacerts.withknox
export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${certs_with_knox}"
* chmod a+x ranger-admin-env-knox_cert.sh
* service ranger-admin stop
* service ranger-admin start
* ps -ef | grep proc_rangeradmin (verify that javax.net.ssl.trustStore
property was applied)
* Configure Knox repo in Ranger UI using URL -
https://{ranger-ui-server}:8443/gateway/admin/api/v1/topologies/
If this works for you, I can update the document accordingly.
Thanks
Bosco
From: Rich Haase <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, March 31, 2015 at 3:35 PM
To: "[email protected]" <[email protected]>
Subject: Re: Error from "Test Connection" setting up ranger-knox-plugin in policy manager
Sure. I'll open a JIRA and I'll include the detailed logs from xa_portal.log.
I have noticed that the policies I've created for Knox work perfectly. The
ranger admin just can't look up topology information for autofilling on the
policy creation screens. Not tragic, but definitely functionality that would
be nice.
Sent from my iPhone
On Mar 31, 2015, at 4:25 PM, Balaji Ganesan <[email protected]> wrote:
We should look into that. Can you create a JIRA on this?
Note that the repository connection is for resource name lookup from the policy
manager. You can still save the repository and start creating policies.
On Tue, Mar 31, 2015 at 11:18 AM, Rich Haase <[email protected]> wrote:
Could someone please explain to me the cause of this error? I’m assuming this
is some sort of simple configuration mistake on my part, but I’ve not been able
to find any documentation that explains the SSL setup sufficiently.
======
Connection Failed.
Exception on REST call to KnoxUrl :
https://<host>:8443/gateway/admin/api/v1/topologies. You can still save the
repository and start creating policies, but you would not be able to use
autocomplete for resource names. Check xa_portal.log for more info.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No name matching <host> found.
java.security.cert.CertificateException: No name matching <host> found.
No name matching <host> found.
=====
I’ve replaced "<host>" with the actual hostname in the error messages.
Thanks,
Rich
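
Added example, not part of the thread: the `No name matching <host> found` exception in the original report is raised by Java's hostname check, which runs separately from validation against the trust store. This shell sketch uses a constructed throwaway certificate and constructed hostnames to tell a name mismatch apart from a trust problem before importing anything; the function names are hypothetical, and the `changeit` store password is the stock JDK `cacerts` default, assumed unchanged.

```shell
#!/bin/sh
# Added example; hostnames and the certificate are constructed for the demo.

# Create a throwaway self-signed certificate whose only name is CN=<cn>,
# standing in for a gateway certificate exported with keytool -exportcert.
make_selfsigned() {    # usage: make_selfsigned <cn> <out.pem>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Succeed only if the certificate's names (SAN dNSName, else CN) cover <host>.
# openssl reports the result as text ("does match" / "does NOT match").
cert_covers_host() {   # usage: cert_covers_host <cert.pem> <host>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Classify what a client connecting to <host> would hit with this certificate.
diagnose() {           # usage: diagnose <cert.pem> <host>
    if cert_covers_host "$1" "$2"; then
        echo "name-ok"         # any remaining failure is a trust-store issue
    else
        echo "name-mismatch"   # importing the cert will not clear this error
    fi
}

# Import into a copy of the JDK trust store. Assumption: the copy still has
# the stock JDK cacerts password "changeit".
import_cert() {        # usage: import_cert <cert.pem> <truststore> [storepass]
    keytool -importcert -trustcacerts -noprompt -alias knox \
        -file "$1" -keystore "$2" -storepass "${3:-changeit}"
}

# Demo: certificate issued for one name, checked against that name and an alias.
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned knox-gw.example.test "$d/knox.pem" || return 1
    for h in knox-gw.example.test knox.example.test; do
        echo "$h: $(diagnose "$d/knox.pem" "$h")"
    done
    rm -rf "$d"
}
demo
```

Against a real gateway, run `diagnose` on the exported `knox.crt` with the exact host used in the repository URL, and call `import_cert` only once it reports `name-ok`.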