Add SSL certificate for Knox Gateway
When the Knox-powered Gateway is enabled, use these steps to add an SSL certificate for Ambari and/or other cluster UIs exposed through the Gateway.
Steps
- Obtain a trusted SSL certificate.
- If needed, perform the following to make sure that your certificate is compatible with the Gateway:
  - If the certificate is not already in p12 format, export the certificate into p12 format. For example:
        openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name gateway-identity -password pass:$mastersecret
  - Ensure that the certificate alias is “gateway-identity”.
  - Ensure that the store password matches the master secret created earlier. You can obtain the Knox master secret by using the following command:
        cat /srv/pillar/gateway/init.sls | grep mastersecret
  - Note the key password used, as you need to create an alias for this password.
- Access the cluster's master node via ssh.
- Obtain root access by using sudo su.
- Use keytool to import the desired certificate/key pair into the Java keystore that Knox is using. You can find the Java keystore at the following path:
        /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
  Example command for importing your certificate into the jks:
        keytool -importkeystore -deststorepass $mastersecret -destkeypass $mastersecret -destkeystore gateway.jks -srckeystore /usr/hdp/current/knox-server/data/security/keystores/custom_certs/identity.p12 -srcstoretype PKCS12 -srcstorepass $mastersecret -alias gateway-identity
- Restart Knox by using the following command:
        /usr/hdp/current/knox-server/bin/gateway.sh stop
  This command stops Knox, but systemd automatically restarts it. To validate that it is restarted, use:
        netstat -tlpn | grep 8443
  Here is example output showing that the restart was successful:
        netstat -tlpn | grep 8443
        tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 13177/java
- Using your web browser, access the Ambari web UI.
- Confirm that the connection is SSL-protected and that the certificate used is the certificate that you provided.
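The procedure above as one script, added here as an example and not part of the original documentation: it checks the p12 for the required alias and the master-secret password before importing, runs the documented keytool import, restarts Knox, and then compares the fingerprint of the certificate the Gateway serves on 8443 with the one you provided. It assumes openssl and keytool are on PATH and that the master secret is exported as MASTER_SECRET; it adds -noprompt to the keytool command so the self-signed gateway-identity entry that an existing gateway.jks already holds is overwritten instead of triggering an interactive prompt.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# Assumes: openssl and keytool on PATH; MASTER_SECRET exported with the Knox master secret.
set -eu

KNOX_KEYSTORE=/usr/hdp/current/knox-server/data/security/keystores/gateway.jks
REQUIRED_ALIAS=gateway-identity

# Does the p12 open with this password? keytool's -srcstorepass must equal the master secret.
p12_password_ok() { # p12_file password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Is the key/cert pair stored under the alias Knox expects (friendlyName in the bag attributes)?
p12_has_alias() { # p12_file password alias
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -q "friendlyName: $3"
}

# SHA-256 fingerprint (AB:CD:...) of a PEM certificate on disk.
cert_fingerprint() { # cert_pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the Gateway actually presents on its TLS port.
served_fingerprint() { # host port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# The documented import; -noprompt overwrites the existing gateway-identity entry.
import_identity() { # p12_file
  keytool -importkeystore -noprompt -deststorepass "$MASTER_SECRET" -destkeypass "$MASTER_SECRET" \
    -destkeystore "$KNOX_KEYSTORE" -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$MASTER_SECRET" -alias "$REQUIRED_ALIAS"
}

install_identity() { # identity.p12 cert.pem gateway-host
  p12_password_ok "$1" "$MASTER_SECRET" || { echo "p12 password does not match master secret" >&2; exit 1; }
  p12_has_alias "$1" "$MASTER_SECRET" "$REQUIRED_ALIAS" || { echo "alias must be $REQUIRED_ALIAS" >&2; exit 1; }
  import_identity "$1"
  /usr/hdp/current/knox-server/bin/gateway.sh stop   # systemd brings Knox back up
  sleep 15
  netstat -tlpn | grep -q 8443 || { echo "Knox not listening on 8443" >&2; exit 1; }
  [ "$(cert_fingerprint "$2")" = "$(served_fingerprint "$3" 8443)" ] \
    || { echo "Gateway is not serving the provided certificate" >&2; exit 1; }
  echo "Gateway serves the provided certificate"
}

if [ $# -gt 0 ]; then install_identity "$@"; fi
```

Run it on the master node as root with the p12, the PEM certificate and the Gateway host name as arguments.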

