# Enable HTTPS in Ranger

## Prerequisites

### Required Ports

Open inbound port 6182 in the security group attached to your instance. Restrict the source to the address ranges that actually need to reach Ranger Admin (the Privacera portal, the Dataserver and the plugin hosts) rather than 0.0.0.0/0.

| Port | Service |
|---|---|
| 6182 | Apache Ranger Admin (HTTPS) |

Install, or confirm the installation of, Java on the VM instance that hosts the Ranger and Dataserver Docker containers. The `keytool` commands used below ship with the Java runtime.

### Install Java

```bash
sudo yum install java-1.8.0 -y
```
## Generate self-signed certificates for Ranger with Privacera

Privacera can generate self-signed certificates for Ranger itself. Self-signed certificates are adequate for evaluation; for production, use certificates issued by a CA your clients already trust and follow the next section instead. To use the Privacera-generated certificates, open the Docker `.env` file:

```bash
cd ~/privacera/docker
vi .env
```

Set the following properties:

```properties
RANGER_SSL_ENABLE=true
RANGER_URL=https://localhost:6182
```

If you are using Privacera self-signed certificates, you can skip the next section and go directly to Restart Ranger.
## Enable HTTPS Using Certificates

Use this section when you bring your own certificates (for example, issued by your organisation's CA) instead of the Privacera-generated self-signed ones.

- Open the docker `.env` file for edit:

  ```bash
  cd ~/privacera/docker
  vi .env
  ```

- Set the properties:

  ```properties
  RANGER_SSL_ENABLE=true
  RANGER_SELF_SIGNED_CERT=false
  RANGER_URL=https://localhost:6182
  ```

- Create a directory for the certificate files:

  ```bash
  cd ~/privacera/docker
  mkdir ranger_certs
  cd ranger_certs
  ```

- Create the jceks credential file for the Ranger plugins. SSH to any existing EMR cluster and execute the following:

  ```bash
  hadoop credential create sslKeyStore -value ${RANGER_ADMIN_KEYSTORE_PASSWORD} -provider localjceks://file/tmp/ranger.jceks
  hadoop credential create sslTrustStore -value ${RANGER_ADMIN_TRUSTSTORE_PASSWORD} -provider localjceks://file/tmp/ranger.jceks
  ```

  The `sslKeyStore` and `sslTrustStore` aliases hold the passwords a Ranger plugin uses to open its keystore and truststore, so the values must match the passwords you set on `ranger-plugin-keystore.jks` and `ranger-plugin-truststore.jks` below. Passing `-value` puts the password on the command line, where it is visible in shell history and `ps` output; if you omit `-value`, `hadoop credential create` prompts for it interactively instead.

- Copy the `ranger.jceks` file to the `~/privacera/docker/ranger_certs` directory on the EC2 instance.

- Place your certificate keystore in `~/privacera/docker/ranger_certs` and make the two copies Ranger expects, one for Ranger Admin and one for the plugins:

  ```bash
  cd ~/privacera/docker/ranger_certs
  cp ${YOUR_CERTIFICATE_KEYSTORE} ranger-admin-keystore.jks
  cp ${YOUR_CERTIFICATE_KEYSTORE} ranger-plugin-keystore.jks
  ```

- Generate the required truststore and certificate files from the keystores. Each side exports its own certificate and imports the other side's, so that the plugins trust Ranger Admin's server certificate and Ranger Admin trusts the certificate the plugins present:

  ```bash
  # Ranger Admin certificate -> plugin truststore
  keytool -export -keystore ranger-admin-keystore.jks -alias ${RANGER_ADMIN_KEYSTORE_ALIAS} \
    -file ranger-admin-trust.cer -storepass ${RANGER_ADMIN_KEYSTORE_PASSWORD}
  keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust \
    -keystore ranger-plugin-truststore.jks -storepass ${RANGER_PLUGIN_TRUSTSTORE_PASSWORD} -noprompt

  # plugin certificate -> Ranger Admin truststore
  keytool -export -keystore ranger-plugin-keystore.jks -alias ${RANGER_PLUGIN_KEYSTORE_ALIAS} \
    -file ranger-s3Agent-trust.cer -storepass ${RANGER_PLUGIN_KEYSTORE_PASSWORD}
  keytool -import -file ranger-s3Agent-trust.cer -alias trustStoreAlias \
    -keystore ranger-admin-truststore.jks -storepass ${RANGER_ADMIN_TRUSTSTORE_PASSWORD} -noprompt
  ```

- Copy the jks and cer files to the Ranger configuration directory:

  ```bash
  mkdir -p ~/privacera/docker/ranger/admin/conf/
  cd ~/privacera/docker/ranger_certs
  cp ranger-admin-keystore.jks ranger-plugin-keystore.jks \
     ranger-admin-trust.cer ranger-s3Agent-trust.cer \
     ranger-admin-truststore.jks ranger-plugin-truststore.jks \
     ~/privacera/docker/ranger/admin/conf/
  ```

- Copy the plugin jks, cer and jceks files to the Dataserver configuration directory:

  ```bash
  cd ~/privacera/docker/ranger_certs
  cp ranger-plugin-keystore.jks ranger-s3Agent-trust.cer ranger-plugin-truststore.jks ranger.jceks \
     ~/privacera/docker/dataserver/conf/
  ```

- Set up the Ranger configuration properties. Create the properties file in `ranger/admin` if it doesn't already exist (skip the `cp`, which would overwrite it, if it does), and open it for edit:

  ```bash
  cd ~/privacera/docker
  cp ranger/admin/sample.install.properties ranger/admin/install.properties
  vi ranger/admin/install.properties
  ```

- Add or update the properties. The `/opt/ranger/...` paths are locations inside the Ranger container and correspond to the files you copied into `~/privacera/docker/ranger/admin/conf` on the host. `policymgr_http_enabled=false` turns off the plaintext listener, so make sure every plugin and the portal are pointed at the HTTPS URL before you restart.

  ```properties
  javax_net_ssl_keyStore=/opt/ranger/ranger-1.2.1-SNAPSHOT-admin/overrideconf/ranger-admin-keystore.jks
  javax_net_ssl_keyStorePassword=${RANGER_ADMIN_KEYSTORE_PASSWORD}
  javax_net_ssl_trustStore=/opt/ranger/ranger-1.2.1-SNAPSHOT-admin/overrideconf/ranger-admin-truststore.jks
  javax_net_ssl_trustStorePassword=${RANGER_ADMIN_TRUSTSTORE_PASSWORD}
  policymgr_external_url=https://localhost:6182
  policymgr_http_enabled=false
  policymgr_https_keystore_file=/opt/ranger/ranger-1.2.1-SNAPSHOT-admin/overrideconf/ranger-admin-keystore.jks
  policymgr_https_keystore_keyalias=${RANGER_ADMIN_KEYSTORE_ALIAS}
  policymgr_https_keystore_password=${RANGER_ADMIN_KEYSTORE_PASSWORD}
  ```

  `policymgr_https_keystore_keyalias` is the alias of the key entry in `ranger-admin-keystore.jks`, the same value you passed to `keytool -export` above.
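The keytool sequence above fails silently when it is wrong: an import into the wrong truststore, or under the wrong alias, only shows up later as a TLS handshake failure between a plugin and Ranger Admin. The script below is an added example, not Privacera's or Apache Ranger's own tooling. It reproduces the page's export/import steps with the page's file names, aliases and `RANGER_*_PASSWORD` variables, then checks that the certificate each truststore holds is byte-for-byte the one the matching keystore presents. The function names, the `--demo` flag, the demo passwords and the `gen_selfsigned` helper (which creates throwaway keystores so the flow can be tried without a CA-issued certificate) are my additions; the script assumes `keytool` from the Java runtime is on the PATH.

```shell
#!/bin/sh
# Added example (not Privacera's or Apache Ranger's code). Assumes `keytool` is on PATH.
set -u

# gen_selfsigned KEYSTORE ALIAS CN PASSWORD
#   Creates a JKS keystore with one RSA key pair and a self-signed certificate.
#   Only for trying the flow; production keystores come from your CA (page step above).
gen_selfsigned() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias "$2" -dname "CN=$3" \
    -keystore "$1" -storetype JKS -storepass "$4" -keypass "$4" >/dev/null 2>&1
}

# export_cert KEYSTORE ALIAS PASSWORD OUTFILE   (the page's `keytool -export` step)
export_cert() {
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" -file "$4" >/dev/null 2>&1
}

# import_trust CERTFILE ALIAS TRUSTSTORE PASSWORD   (the page's `keytool -import` step)
import_trust() {
  keytool -importcert -noprompt -file "$1" -alias "$2" -keystore "$3" -storetype JKS \
    -storepass "$4" >/dev/null 2>&1
}

# cross_trust DIR ADMIN_ALIAS PLUGIN_ALIAS
#   Runs the page's four keytool commands inside DIR, reading the passwords from the
#   same RANGER_*_PASSWORD variables the page uses.
cross_trust() {
  dir=$1; admin_alias=$2; plugin_alias=$3
  export_cert "$dir/ranger-admin-keystore.jks" "$admin_alias" "$RANGER_ADMIN_KEYSTORE_PASSWORD" \
    "$dir/ranger-admin-trust.cer" &&
  import_trust "$dir/ranger-admin-trust.cer" rangeradmintrust "$dir/ranger-plugin-truststore.jks" \
    "$RANGER_PLUGIN_TRUSTSTORE_PASSWORD" &&
  export_cert "$dir/ranger-plugin-keystore.jks" "$plugin_alias" "$RANGER_PLUGIN_KEYSTORE_PASSWORD" \
    "$dir/ranger-s3Agent-trust.cer" &&
  import_trust "$dir/ranger-s3Agent-trust.cer" trustStoreAlias "$dir/ranger-admin-truststore.jks" \
    "$RANGER_ADMIN_TRUSTSTORE_PASSWORD"
}

# trusts KEYSTORE KS_ALIAS KS_PW TRUSTSTORE TS_ALIAS TS_PW
#   Prints "ok" when the certificate stored under TS_ALIAS in TRUSTSTORE is exactly the
#   certificate KS_ALIAS in KEYSTORE presents, "mismatch" otherwise (including when an
#   alias is missing or a password is wrong, since keytool then prints nothing).
trusts() {
  a=$(keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null)
  b=$(keytool -exportcert -rfc -keystore "$4" -alias "$5" -storepass "$6" 2>/dev/null)
  if [ -n "$a" ] && [ "$a" = "$b" ]; then echo ok; else echo mismatch; fi
}

# verify_wiring DIR ADMIN_ALIAS PLUGIN_ALIAS
#   Checks both directions of trust; returns non-zero if either is broken.
verify_wiring() {
  dir=$1
  r1=$(trusts "$dir/ranger-admin-keystore.jks" "$2" "$RANGER_ADMIN_KEYSTORE_PASSWORD" \
              "$dir/ranger-plugin-truststore.jks" rangeradmintrust "$RANGER_PLUGIN_TRUSTSTORE_PASSWORD")
  r2=$(trusts "$dir/ranger-plugin-keystore.jks" "$3" "$RANGER_PLUGIN_KEYSTORE_PASSWORD" \
              "$dir/ranger-admin-truststore.jks" trustStoreAlias "$RANGER_ADMIN_TRUSTSTORE_PASSWORD")
  echo "plugins trust admin:  $r1"
  echo "admin trusts plugins: $r2"
  [ "$r1" = ok ] && [ "$r2" = ok ]
}

# Demo with throwaway self-signed keystores and constructed passwords:
#   sh ranger_tls_trust.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  export RANGER_ADMIN_KEYSTORE_PASSWORD=admin-ks-pw RANGER_ADMIN_TRUSTSTORE_PASSWORD=admin-ts-pw
  export RANGER_PLUGIN_KEYSTORE_PASSWORD=plugin-ks-pw RANGER_PLUGIN_TRUSTSTORE_PASSWORD=plugin-ts-pw
  gen_selfsigned "$d/ranger-admin-keystore.jks" rangeradmin Ranger "$RANGER_ADMIN_KEYSTORE_PASSWORD"
  gen_selfsigned "$d/ranger-plugin-keystore.jks" rangerplugin ranger-plugin "$RANGER_PLUGIN_KEYSTORE_PASSWORD"
  cross_trust "$d" rangeradmin rangerplugin
  verify_wiring "$d" rangeradmin rangerplugin
  rm -rf "$d"
fi
```

To check a real `ranger_certs` directory, export the four `RANGER_*_PASSWORD` variables, source the script and run `verify_wiring ~/privacera/docker/ranger_certs "$RANGER_ADMIN_KEYSTORE_ALIAS" "$RANGER_PLUGIN_KEYSTORE_ALIAS"` before copying the files into the container conf directories; the comparison is on the exported PEM, so it works regardless of which fingerprint algorithm your `keytool -list` prints.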
## Restart Ranger

```bash
cd ~/privacera/docker
./privacera_services restart ranger
```

After the restart, confirm that port 6182 now answers TLS with the certificate you installed, for example with `openssl s_client -connect localhost:6182 -servername localhost </dev/null`, which prints the served certificate chain.

## Restart Dataserver

If Privacera Dataserver is installed on an EC2 instance, restart it as well:

```bash
cd ~/privacera/docker
./privacera_services restart dataserver
```
## Configure Ranger Plugin Repositories

- Open a web browser window to the Ranger UI at `https://${RANGER_HOST}:6182`. The Ranger login page displays.
- Click Sign In. The Ranger home page displays.
- Click the edit icon of a plugin repository, for example `privacera_s3`. The Ranger Edit Service page displays.
- On the Ranger Edit Service page, under Config Properties, set Common Name for Certificate to `${YOUR_CN}`: the CN of the certificate the plugins present when they download policies. Ranger Admin compares the client certificate's CN with this value on every policy download and refuses the download on a mismatch, so it must match the certificate in `ranger-plugin-keystore.jks`. If you use Privacera-generated self-signed certificates, enter `Ranger`.
- Add any further service properties as Name and Value pairs under Add New Configurations.
- Click Save.

The Ranger plugin repositories are configured and ready for use.
# Enable HTTPS from the Privacera Portal

To enable HTTPS on the Privacera portal you need two files: `keystore.jks` and `truststore.jks`. In the TLS handshake the keystore supplies the portal's own credentials (its private key and certificate), while the truststore holds the certificates used to verify the credentials the peer presents, in this case Ranger.

## Create Certificate Files

Obtain the required certificate files yourself, or create them by following these steps.

For end-to-end TLS, it must also be enabled on Ranger; see the Enable HTTPS in Ranger section above.

- Create a directory for the certificate files:

  ```bash
  ssh ${EC2_INSTANCE}
  cd ~/privacera/docker
  mkdir privacera_certs
  ```

- Generate the keystore file `privacera-keystore.jks` using the Java keytool. Replace `changeit` with a real password: it is a well-known placeholder, and it ends up in plain text in the property files below. When keytool prompts for the distinguished name, use the hostname your users connect with as the CN (keytool also accepts `-ext SAN=dns:<hostname>`), because clients verify the name as well as the signature:

  ```bash
  sudo yum install java-1.8.0-openjdk
  keytool -genkey -alias privacera-alias -keyalg RSA -keypass changeit -storepass changeit -keystore privacera-keystore.jks
  ```

- Generate the truststore file `privacera-truststore.jks` using the Java keytool, then copy it into `privacera_certs`:

  ```bash
  keytool -export -keystore privacera-keystore.jks -alias privacera-alias -file privacera-trust.cer -storepass changeit
  keytool -import -file privacera-trust.cer -alias privacera-alias -keystore privacera-truststore.jks -storepass changeit -noprompt
  cp privacera-truststore.jks ~/privacera/docker/privacera_certs
  ```
## Enable HTTPS

Enable the portal SSL using the files generated in the steps above:

- Copy `privacera-keystore.jks` to the Privacera configuration folder:

  ```bash
  ssh ${EC2_INSTANCE}
  cd ~/privacera/docker
  cp privacera-keystore.jks privacera/portal/conf/
  ```

- Copy `ranger-admin-trust.cer` to the classpath so the portal can verify Ranger's certificate:

  ```bash
  cp ~/privacera/docker/ranger/admin/conf/ranger-admin-trust.cer ~/privacera/docker/privacera/portal/conf/
  ```

- Open the portal custom properties file for edit:

  ```bash
  vi ~/privacera/docker/privacera/portal/conf/application-custom.properties
  ```

- Revise the properties. To use the Cazena SSL, set them as follows (replace `xxxxxx` with the keystore password; note that in this variant the Ranger route and Ranger truststore lines are commented out):

  ```properties
  #zuul.routes.ranger.url=https://ranger:6182
  server.ssl.enabled=true
  server.ssl.key-alias=1
  server.ssl.key-store=/opt/privacera/portal/conf/cz_server_keystore.jks
  server.ssl.key-store-password=xxxxxx
  server.ssl.keyStoreType=JKS
  #ranger.truststore.cert.path=/opt/privacera/portal/conf/ranger-admin-trust.cer
  ```

  To use standard Privacera SSL, set these properties, using the password you chose for the keystore instead of `changeit`. `java.cacerts.password` is the password of the JVM's own `cacerts` file, which is `changeit` unless you have changed it:

  ```properties
  zuul.routes.ranger.url=https://ranger:6182
  server.ssl.enabled=true
  server.ssl.key-alias=privacera-alias
  server.ssl.key-store=/opt/privacera/portal/conf/privacera-keystore.jks
  server.ssl.key-store-password=changeit
  server.ssl.keyStoreType=JKS
  ranger.truststore.cert.path=/opt/privacera/portal/conf/ranger-admin-trust.cer
  ranger.truststore.cert.alias=ranger-admin
  java.cacerts.password=changeit
  ```

- Restart Privacera:

  ```bash
  ./privacera_services restart privacera
  ```

- Open the Privacera Portal in the browser at `https://${EC2_INSTANCE}:6868` and confirm that it serves the new certificate.

- Update the EC2 Privacera Dataserver so that it can reach the HTTPS portal:

  - Copy `privacera-truststore.jks` to the Dataserver configuration folder:

    ```bash
    ssh ${EC2_INSTANCE}
    cd ~/privacera/docker
    cp privacera_certs/privacera-truststore.jks dataserver/conf/
    ```

  - Update the properties:

    ```bash
    vi dataserver/conf/privacera_dataserver.properties
    ```

    ```properties
    dataserver.portal.baseurl=https://privacera:6868
    dataserver.ssl.key-store=/workdir/privacera-data-server/conf/privacera-truststore.jks
    dataserver.ssl.key-store-password=changeit
    ```

  - Restart the Privacera Dataserver:

    ```bash
    ./privacera_services restart dataserver
    ```
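Both the Ranger `install.properties` edited earlier and the portal and Dataserver property files in this section are plain key=value files, and the mistakes that quietly undo this guide all live in them: an `http://` URL left in a route or base URL, a `policymgr_http_enabled` that never became `false`, or a `changeit`/`xxxxxx` placeholder or an unexpanded `${...}` shipped as the real password. The script below is an added example, not part of Privacera's or Ranger's tooling, that lints such a file for those patterns. `lint_tls_props`, `write_samples` and the `--demo` flag are my names; the two sample files it writes are constructed from fragments on this page, not taken from a real deployment. `java.cacerts.password` is deliberately exempt because `changeit` is the JVM's stock password for its own `cacerts` file.

```shell
#!/bin/sh
# Added example (not Privacera's or Apache Ranger's tooling): lint the key=value
# files this page edits for settings that leave traffic or secrets unprotected.

# lint_tls_props FILE
#   Prints one finding per line and returns 1 if anything was found, 0 if clean.
#   Keys are matched case-insensitively; "key = value" with spaces is accepted,
#   as in privacera_dataserver.properties.
lint_tls_props() {
  file=$1
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # a commented-out property is not in effect
    case "$line" in *=*) ;; *) continue ;; esac
    key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
    val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    msg=''
    case "$lkey" in
      policymgr_http_enabled)
        [ "$val" = false ] || msg='plaintext Ranger Admin listener still enabled' ;;
      ranger_ssl_enable|server.ssl.enabled)
        [ "$val" = true ] || msg='TLS not enabled' ;;
      java.cacerts.password) ;;   # JVM cacerts file; its stock password is changeit
      *password*)
        case "$val" in
          ''|changeit|xxxxxx|'${'*) msg='placeholder or unexpanded password' ;;
        esac ;;
      *url*)
        case "$val" in http://*) msg='plaintext http:// URL' ;; esac ;;
    esac
    if [ -n "$msg" ]; then
      printf '%s: %s (%s)\n' "$file" "$msg" "$key"
      found=$((found + 1))
    fi
  done < "$file"
  [ "$found" -eq 0 ]
}

# write_samples DIR
#   Writes two constructed sample files: weak.properties mixes the page's placeholder
#   values with the settings each section tells you to change; hardened.properties is
#   what the same settings look like after this guide has been applied.
write_samples() {
  cat > "$1/weak.properties" <<'EOF'
# constructed sample: a half-finished rollout
server.ssl.enabled=false
server.ssl.key-store=/opt/privacera/portal/conf/privacera-keystore.jks
server.ssl.key-store-password=xxxxxx
zuul.routes.ranger.url=http://ranger:6182
dataserver.portal.baseurl = http://privacera:6868
dataserver.ssl.key-store-password = changeit
policymgr_http_enabled=true
javax_net_ssl_keyStorePassword=${RANGER_ADMIN_KEYSTORE_PASSWORD}
EOF
  cat > "$1/hardened.properties" <<'EOF'
# constructed sample: the same settings after following this page
RANGER_SSL_ENABLE=true
RANGER_URL=https://localhost:6182
server.ssl.enabled=true
server.ssl.key-alias=privacera-alias
server.ssl.key-store=/opt/privacera/portal/conf/privacera-keystore.jks
server.ssl.key-store-password=Xk2-long-unique-secret
zuul.routes.ranger.url=https://ranger:6182
policymgr_http_enabled=false
policymgr_external_url=https://localhost:6182
java.cacerts.password=changeit
EOF
}

# Usage:  sh lint_tls_props.sh ~/privacera/docker/privacera/portal/conf/application-custom.properties
#         sh lint_tls_props.sh --demo      (lints the two constructed samples)
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_samples "$d"
  lint_tls_props "$d/weak.properties"; echo "weak.properties: exit $?"
  lint_tls_props "$d/hardened.properties"; echo "hardened.properties: exit $?"
  rm -rf "$d"
elif [ -n "${1:-}" ]; then
  lint_tls_props "$1"
fi
```

Run it against `.env`, `ranger/admin/install.properties`, `privacera/portal/conf/application-custom.properties` and `dataserver/conf/privacera_dataserver.properties` before each restart; a non-zero exit means at least one of the settings this page asks you to change is still at its insecure or placeholder value.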