
Knox

Testing Knox

Testing access via Knox using WebHDFS (the -k flag skips TLS certificate verification, which the default self-signed certificate requires; once a trusted certificate is installed, drop -k and use --cacert instead):

curl -iku root:hadoop -X GET 'https://node4:8443/gateway/default/webhdfs/v1/user?op=LISTSTATUS'

Create a directory in root's home directory:

curl -iku root:hadoop -X PUT 'https://node4:8443/gateway/default/webhdfs/v1/user/root/knox-history?op=MKDIRS'

Knox configuration

  • Logs are not configured. Update the symbolic link at /usr/hdp/current/knox-server/logs
  • Topologies


Knox certificates

By default Ambari installs a self-signed certificate into Knox during installation.
This should ideally be replaced with a valid production certificate where applicable.
Knox uses two key files to manage the externally facing certificate:

/usr/hdp/current/knox-server/data/security/keystores/gateway.jks
- contains the certificate and private key
- the certificate must be installed under the alias "gateway-identity"
/usr/hdp/current/knox-server/data/security/keystores/__gateway-credentials.jceks
- contains the password to gateway.jks, stored as a secret entry
- the entry is stored under the alias "gateway-identity-passphrase"

To replace the certificate, follow this process. Start with your certificate and key as PEM files (i.e. mycert.crt and mycert.key).

1. Re-key the private key file. Note that, as written, the -des3 flag writes an encrypted copy of the key and prompts for a new passphrase; that passphrase is the "password used in step 1" referred to below. Leave out -des3 if you want an unencrypted key file instead.

openssl rsa -des3 -in mycert.key -out mycert.key.org

2. Create a PKCS12 file with the certificate stored under the alias "gateway-identity"

openssl pkcs12 -export -in mycert.crt -inkey mycert.key.org -name gateway-identity >gateway-identity.p12

3. Create gateway.jks from the PKCS12 file produced in step 2

keytool -importkeystore -srckeystore gateway-identity.p12 -destkeystore gateway.jks -srcstoretype pkcs12 -alias gateway-identity -destalias gateway-identity

4. Copy the gateway.jks to /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

At this stage you only need to update the entry in __gateway-credentials.jceks with the password to the gateway.jks file; this should be the password used in step 1.

cd /usr/hdp/current/knox-server/bin
./knoxcli.sh delete-alias gateway-identity-passphrase
./knoxcli.sh create-alias gateway-identity-passphrase --value <password>

Knox can now be restarted.
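The replacement steps above assume the certificate and key you start with are sound. The script below is an added example (it is not part of this page or of the Knox project) that checks a PEM certificate and key before they are packed into gateway.jks, and confirms the PKCS12 bundle from step 2 carries the alias Knox looks up. It assumes only the openssl command-line tool; the gateway hostname node4 and the alias gateway-identity come from this page, while the function names (knox_cert_preflight and its helpers) are my own.

```shell
#!/bin/sh
# Added example: pre-flight checks for a certificate about to be installed
# into Knox under the "gateway-identity" alias. Needs only the openssl CLI.
# Assumed usage:
#   knox_cert_preflight mycert.crt mycert.key node4 [key-passphrase] [gateway-identity.p12] [p12-password]

# The certificate and private key must belong together: compare the public key
# embedded in the certificate with the one derived from the private key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  # -passin is ignored for an unencrypted key and unlocks an encrypted one (step 1 with -des3).
  key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must still be valid $2 days from now (default 30), so a newly
# installed certificate does not expire before anyone notices.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# The certificate must name the gateway host, as a DNS SAN or as the subject CN;
# otherwise clients reject the connection even though Knox serves it correctly.
cert_covers_host() {
  c="$1"; h="$2"
  openssl x509 -in "$c" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$h(,|[[:space:]]|$)" && return 0
  openssl x509 -in "$c" -noout -subject 2>/dev/null | grep -Eq "CN ?= ?$h(,|/|[[:space:]]|$)"
}

# The PKCS12 bundle built in step 2 must carry the alias "gateway-identity";
# keytool -importkeystore copies that alias into gateway.jks as-is.
p12_has_gateway_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -q 'friendlyName: gateway-identity'
}

# Run every check, print one line per check, and return 0 only if all pass.
knox_cert_preflight() {
  cert="$1"; key="$2"; host="$3"; key_pass="$4"; p12="$5"; p12_pass="$6"
  rc=0
  cert_matches_key "$cert" "$key" "$key_pass" && echo "ok   private key matches certificate" \
    || { echo "FAIL private key does not match certificate"; rc=1; }
  cert_not_expiring "$cert" 30 && echo "ok   certificate valid for at least 30 days" \
    || { echo "FAIL certificate expires within 30 days or is already expired"; rc=1; }
  cert_covers_host "$cert" "$host" && echo "ok   certificate covers $host" \
    || { echo "FAIL certificate does not name $host"; rc=1; }
  if [ -n "$p12" ]; then
    p12_has_gateway_alias "$p12" "$p12_pass" && echo "ok   PKCS12 carries alias gateway-identity" \
      || { echo "FAIL PKCS12 is missing alias gateway-identity"; rc=1; }
  fi
  return $rc
}

# Stand-alone use: sh knox_cert_preflight.sh mycert.crt mycert.key node4
if [ "$#" -ge 3 ]; then
  knox_cert_preflight "$@"
fi
```

Run it against mycert.crt and mycert.key before step 2, and again with the PKCS12 file and its export password after step 2; a FAIL on the alias check means keytool would import the key under a name Knox never looks up, which is the most common cause of Knox starting but serving no certificate.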

Credentials Keystore Corruption

For Knox to read the gateway.jks file it must have an entry in __gateway-credentials.jceks.
However, Knox also needs to be able to open the __gateway-credentials.jceks file itself, and the password for that is the master secret.
If this file gets corrupted it can be recreated.

1. Use the gateway.jks as a template to create a new JCEKS file.

keytool -importkeystore -srckeystore gateway.jks -srcstorepass <password> -destkeystore __gateway-credentials.jceks -deststoretype JCEKS -deststorepass <password>

keytool -delete -alias gateway-identity -keystore __gateway-credentials.jceks -storetype JCEKS -storepass <password>

2. Force Knox to use a new master secret, which is the password to the credentials file (use the <password> given to keytool in step 1).

./knoxcli.sh create-master --force

3. Now create the gateway.jks password entry in the credentials file.

./knoxcli.sh create-alias gateway-identity-passphrase --value <password>