Enabling/Renewing SSL for Self-signed Certificates
A self-signed certificate is created, signed, and issued by the subject of the certificate. In Big Data Service clusters with version 3.0.7 and later, you can use the Big Data Service certificate utility tool to generate self-signed SSL certificates for ODH clusters.
Note
Enable/Renew SSL are the same in Big Data Service ODH, and if certificates are expired, the entire set of certificates must be regenerated using the regular SSL enablement process. We recommend creating a notification based on the certificate expiration time. For more information, see Creating an Alarm.
Enable/Renew SSL are the same in Big Data Service ODH, and if certificates are expired, the entire set of certificates must be regenerated using the regular SSL enablement process. We recommend creating a notification based on the certificate expiration time. For more information, see Creating an Alarm.
-
SSH to the first master node (mn0) of the ODH cluster node as
opcuser. -
Edit
/home/opc/cloud/flask-microservice/cert_util/conf/bds-certs.conf.Example:
vi /home/opc/cloud/flask-microservice/cert_util/conf/bds-certs.confSample file:
# Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. # [BDS_CERT_CONFIGS] #This files defines all the SSL certificate related configurations used in BDS cluster #Whether custom certificate or not CUSTOM_CERTIFICATE=false #Recommended SSL services, Mostly all the customer facing UI services #Allowed values AMBARI,RANGER,HUE,DATASTUDIO,LIVY DEFAULT_SSL_SERVICES=AMBARI #Comma separated service names for enabling SSL, These are the additional components from ambari UI to enable/disable SSL. #Allowed values ZOOKEEPER,AMS,HDFS,YARN,MAPREDUCE,OOZIE,HBASE,SPARK,HIVE,KAFKA,FLINK,REGISTRY ADDITIONAL_SSL_SERVICES=NONE #Whether to restart all the required services after certificate deployment RESTART_REQUIRED_SERVICES=false #Certificate validity in days. Mostly used for self signed certificates CERTIFICATE_VALIDITY=180 #Bits to be used for certificate generation. Mostly used for self signed certificates CERTIFICATE_BITS=3072 #Algorithm to be used for generating self signed certificate CERTIFICATE_ALGORITHM=sha256 #Default path to store all the certificate, keys and keystore. Same path will be used for hadoop credential store CERT_PATH=/etc/security/serverKeys #Temporary certificate directory. Will be used before applying the certificate TEMP_CERT_PATH=/etc/security/serverKeys_new #Initital certificate generation path. Used only when generating self signed certificates CERT_GEN_FOLDER=/etc/security/serverKeys_cert_gen #Secure password location. This location will be used only during transaction CERT_PASS_PATH=/etc/security/certPass #Whether to take backup when doing certificate renewal. Mostly used for self signed certificates KEEP_OLD_CERTS=true #Set this flag incase utility used for older cluster. It will update the keystore path along with other properties LEGACY_CLUSTER=false #Set Keystore type KEYSTORE_TYPE=jks #This is completely owned by oracle. Leave this field unchanged ORACLE_OWNED_ROOT_CERTIFICATE_NAME=bdsOracleCA.crt ORACLE_OWNED_ROOT_CERTIFICATE_KEY_NAME=bdsOracleCA.key #Final trust bundle that contains all the trust certificates. #Including all public ca root certs, oracle owned root certs and customer specified root certs. #This will be saved in CERT_PATH. Leave this field untouched TRUST_CERTS_BUNDLE_NAME=oraclerootCA.crt #Root Certificate related details ROOT_CERT_PATH=/etc/security/serverKeys/bdsOracleCA.crt #Server certificate details SERVER_CERT_PATH="NONE" SERVER_CERT_KEY_PATH="NONE" #Support for LDAPS LDAP_URL=NONENote
Root/Issuer certificate of a self signed certificate can be found in the pathCERT_PATHwith nameORACLE_OWNED_ROOT_CERTIFICATE_NAME in all the nodes of the cluster. -
Update the
ADDITIONAL_SSL_SERVICESproperty with the services that you want to enable SSL for. The default value for this property isNONE. The allowed values areAMS,HDFS,YARN,MAPREDUCE,OOZIE,HBASE,SPARK,ZOOKEEPER,HIVE,KAFKA,FLINK, andREGISTRY. We recommend you enable SSL for all required services in one go by using a comma-separated list of the services. -
Update LDAP_URL to point to LDAP server URL (applicable for secure LDAP only), if the ODH cluster is integrated with LDAP/AD.
Example:
LDAP_URL=ldaps://<myldap.com:636>This automatically pulls the required certificates to the ODH truststore.
-
Update the
RESTART_REQUIRED_SERVICESproperty value totrue, if you want this utility to restart the services. The default value for this property isfalse. If you retain the default value, you need to manually restart all the affected services from Apache Ambari to complete enabling SSL for the cluster.Irrespective of the value of this property, few services like Apache Ambari and Datastudio are immediately restarted when you enable certificates using this utility. -
Retain the default value
truefor theKEEP_OLD_CERTSproperty to keep a backup of the old certificates. Certificate backups are stored at/etc/security/serverKeys-backup-<dateofbackup>. -
If the cluster version is 3.0.6 or lower, set the
LEGACY_CLUSTERproperty value astrueto update the SSL properties in the cluster. Skip this step if the cluster version is 3.0.7 or later. - Save the changes made to the configuration file.
-
Run the utility to enable the SSL certificates. If you don't use the
ambariPassparameter, you're prompted to enter the Ambari password.sudo bds_cert_util --enable --ambariPass ambari-passwordNote
If the Ambari password contains special character, put password in single quotes.Example:
sudo bds_cert_util --enable --ambariPass '<ambari-password>' Example:- ## sudo bds_cert_util --enable --ambariPass 'Welcome@879'Note
After the certificate is renewed, be sure the renewed certificates are updated on the system. For example, if Big Data Service certificates are added in any Load Balancer, after renewal, the new root certificate must be updated into the Load Balancer. - Wait for the utility to complete.
-
Review the utility logs from
/home/opc/cloud/flask-microservice/logs/bds_cert_util*.log. -
After the utility runs successfully, all configured services run on SSL. To verify if the services are enabled for SSL, sign-in to Apache Ambari and click the quicklinks under each of the configured services.
Note
After renewing the SSL certificates for the Big Data Service cluster, if the JupyterHub service isn't using the latest certificates, restart JupyterHub service.- Sign-in to the JupyterHub node (use un1 for HA clusters or un0 for non-HA clusters).
- Restart the JupyterHub service:
systemctl restart jupyterhub.service - Verify the status of the JupyterHub service:
systemctl status jupyterhub.serviceThis ensures that the JupyterHub service is using the updated SSL certificates.