Enabling HTTPS (SSL) access for Ambari and importing the certificate into a truststore

1. Create a certificate directory

root@hadoop01[/etc/ambari-server]#mkdir /etc/ambari-server/certs

root@hadoop01[/etc/ambari-server]#cd /etc/ambari-server/certs/

root@hadoop01[/etc/ambari-server/certs]#export AMBARI_SERVER_HOSTNAME=hadoop01

2. Generate a certificate

root@hadoop01[/etc/ambari-server/certs]#openssl genrsa -passout pass:hadoop -out $AMBARI_SERVER_HOSTNAME.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
........................+++
e is 65537 (0x10001)
root@hadoop01[/etc/ambari-server/certs]# openssl req -new -key $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hadoop01
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ambari
An optional company name []:ambari
root@hadoop01[/etc/ambari-server/certs]#openssl x509 -req -days 3650 -in $AMBARI_SERVER_HOSTNAME.csr -signkey $AMBARI_SERVER_HOSTNAME.key -out $AMBARI_SERVER_HOSTNAME.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=hadoop01
Getting Private key
root@hadoop01[/etc/ambari-server/certs]#ll
总用量 12
-rw-r--r-- 1 root root 1151 1月  19 10:49 hadoop01.crt
-rw-r--r-- 1 root root 1041 1月  19 10:49 hadoop01.csr
-rw-r--r-- 1 root root 1679 1月  19 10:47 hadoop01.key

3. Install the certificate

root@hadoop01[/etc/ambari-server/certs]#ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)? 
SSL port [8443] ? 
Enter path to Certificate: /etc/ambari-server/certs/hadoop01.crt
Enter path to Private Key: /etc/ambari-server/certs/hadoop01.key
Please enter password for Private Key: 
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")
root@hadoop01[/etc/ambari-server/certs]#

4. Restart ambari-server

root@hadoop01[/etc/ambari-server/certs]#ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.......................
Server started listening on 8443

DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.

You can see the listening port has become 8443.

root@hadoop01[/etc/ambari-server/certs]#cat /etc/ambari-server/conf/ambari.properties 

5. Import the certificate into a truststore

root@hadoop01[/etc/ambari-server/certs]#keytool -import -file /etc/ambari-server/certs/hadoop01.crt -alias ambari-server -keystore ambari-server-truststore
Enter keystore password:  
Re-enter new password: 
Owner: CN=hadoop01, O=Default Company Ltd, L=Default City, C=XX
Issuer: CN=hadoop01, O=Default Company Ltd, L=Default City, C=XX
Serial number: adb4d9e923ccd8e2
Valid from: Sun Jan 19 10:49:43 CST 2020 until: Wed Jan 16 10:49:43 CST 2030
Certificate fingerprints:
         MD5:  16:0C:6A:CC:89:9F:5B:FF:10:BB:B3:4C:08:88:E4:8F
         SHA1: 82:CA:03:9E:C5:EB:B9:10:CF2:D6:8A:B6:D1:DD:94:87:D4:10:20:ED
         SHA256: 6F:40:1E:E9:F5:46:83:BF:DB:CD:85:60:23:14:28:71:74:D7:36:19:BC:F6:58:E7:11:3F:56:EF:17:3C:E7:20
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Trust this certificate? [no]:  Y
Certificate was added to keystore
root@hadoop01[/etc/ambari-server/certs]#

This generates an ambari-server-truststore file in the /etc/ambari-server/certs directory.

root@hadoop01[/etc/ambari-server/certs]#ll
总用量 16
-rw-r--r-- 1 root root    880 1月  19 10:56 ambari-server-truststore
-rw-r--r-- 1 root ambari 1151 1月  19 10:49 hadoop01.crt
-rw-r--r-- 1 root ambari 1041 1月  19 10:49 hadoop01.csr
-rw-r--r-- 1 root ambari 1679 1月  19 10:47 hadoop01.key

root@hadoop01[/etc/ambari-server/certs]#ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? 
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/etc/ambari-server/certs/ambari-server-truststore
Password for TrustStore:
Re-enter password: 
Ambari Server 'setup-security' completed successfully.

6. Restart ambari-server

root@hadoop01[/etc/ambari-server/certs]#ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.......................
Server started listening on 8443

DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.
root@hadoop01[/etc/ambari-server/certs]#

7. Check the ambari-server status

root@hadoop01[/etc/ambari-server/certs]#ambari-server status
Using python  /usr/bin/python
Ambari-server status
Ambari Server running
Found Ambari Server PID: 21699 at: /var/run/ambari-server/ambari-server.pid
root@hadoop01[/etc/ambari-server/certs]#

8. Verify from the web UI

https://10.45.53.233:8443/

The username and password are the same as before; the default is admin / admin.
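
The following script is an added example, not part of the original post. It checks the key and certificate produced in step 2 before and after they are handed to `ambari-server setup-security`: key file permissions (the listings above show the key as `-rw-r--r--`), whether the key carries a passphrase, whether key and certificate belong together, and whether the certificate covers the name or IP address that clients connect to. The function names are hypothetical; the paths, host name and IP address are the ones used on this page.

```shell
#!/bin/sh
# Added example: checks on the key/certificate pair from steps 2-3.
# Function names are hypothetical; paths and host values are the page's.

# True when group and other have no permission bits on the key file.
key_is_private() (
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
)

# True when the PEM key is passphrase-protected (either PEM encryption style).
key_is_encrypted() (
  grep -q 'ENCRYPTED' "$1"
)

# True when the RSA key and the certificate share the same modulus.
# $3 is an optional key passphrase; it is ignored for an unencrypted key.
key_matches_cert() (
  k=$(openssl rsa -in "$1" -passin "pass:${3:-}" -noout -modulus 2>/dev/null) || exit 2
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || exit 2
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# True when the certificate is valid for the name a client will connect to.
# $2 is "host" or "ip"; openssl prints "does match" or "does NOT match".
cert_covers() (
  openssl x509 -in "$1" -noout "-check$2" "$3" 2>/dev/null |
    grep -q 'does match certificate'
)

# Report on the page's files when they exist on this machine.
dir=/etc/ambari-server/certs
host=${AMBARI_SERVER_HOSTNAME:-hadoop01}
if [ -r "$dir/$host.key" ] && [ -r "$dir/$host.crt" ]; then
  key_is_private "$dir/$host.key" || echo "WARN: $host.key is readable by group/other"
  key_is_encrypted "$dir/$host.key" || echo "NOTE: $host.key is stored without a passphrase"
  key_matches_cert "$dir/$host.key" "$dir/$host.crt" || echo "FAIL: key and certificate differ"
  cert_covers "$dir/$host.crt" host "$host" || echo "FAIL: certificate does not cover $host"
  cert_covers "$dir/$host.crt" ip 10.45.53.233 || echo "WARN: certificate does not cover 10.45.53.233"
fi
```

A certificate issued only for `CN=hadoop01` passes the host check but not the IP check, so clients that validate it through the truststore need to connect by host name rather than by IP address.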

Origin blog.csdn.net/kadwf123/article/details/104038137