Setup custom key/certificate/keystore (optional, not needed if it has done already, ambari-server generates these during first start):

cd /var/lib/ambari-server/keys/
echo "mypass" > mypass.txt
openssl genrsa -out my.key 2048
openssl req -new -key my.key -out my.csr -subj '/C=US/ST=Oregon/L=Portland/CN=myname/'
openssl x509 -req -days 365 -in my.csr -signkey my.key -out my.crt
openssl pkcs12 -export -in '/var/lib/ambari-server/keys/my.crt' -inkey '/var/lib/ambari-server/keys/my.key' -certfile '/var/lib/ambari-server/keys/my.crt' -out '/var/lib/ambari-server/keys/my.keystore.p12' -password file:'/var/lib/ambari-server/keys/mypass.txt'

Run 'ambari-server setup-security' with option [1] (setup-https):

Do you want to configure HTTPS [y/n] (y)? y
SSL port [8443] ? 
Enter path to Certificate: /var/lib/ambari-server/keys/my.crt
Enter path to Private Key: /var/lib/ambari-server/keys/my.key
Please enter password for Private Key: ****

Based on the inputs, It will generate https.key, https.crt and https.keystore.p12 under the '/var/lib/ambari-server/keys' directory. These will be used for HTTPS.


Currently Ambari can use only 1 custom truststore at a time, therefore it is needed to merge the certificates into 1 truststore.

Get the LDAPS certificate, if you do not have the certificate locally e.g. for self signed, you can download it:

openssl s_client -connect -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ldapserver.pem

Create a JKS keystore from the https.keystore.p12 keystore: (in the end, HTTPS/LDAPS will use https.keystore.jks)

keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -deststorepass changeit

Convert LDAPS certificate to DER format and Import LDAPS certificate to the truststore:

openssl x509 -outform der -in ldapserver.pem -out ldapserver.der
keytool -import -alias ldap -keystore https.keystore.jks -file ldapserver.der

Run 'ambari-server setup-ldap' command, e.g.:

Setting up LDAP properties...
Primary URL* {host:port} :
Secondary URL : 
Use SSL* [true/false] (true):
User object class* (person):
User name attribute* (uid): 
Group object class* (posixGroup):
Group name attribute* (cn):
Group member attribute* (memberUid):
Base DN* : dc=apache,dc=org
Bind anonymously* [true/false] (false):     
Manager DN* : uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
Enter Manager Password* : hdfs
Re-enter password: hdfs
Do you want to provide custom TrustStore for Ambari [y/n] (n)? y
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/var/lib/ambari-server/keys/https.keystore.jks
Password for TrustStore:
Re-enter password:
Save settings [y/n] (y)? y

Add these properties to file:


(Optional) instead of the steps above, JDK default keystore can be used here as a truststore: (same for https certificate)

openssl x509 -in ldapserver.pem -out ldapserver.crt
/usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file ldapserver.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

Finally, run:

ambari-server restart




  • No labels