Configure CA-Signed Certificate for Privacera Plugin

This topic provides instructions to use a Certificate Authority (CA) Signed Certificate instead of a Self-Signed Certificate for communicating with Ranger.

Configuration

  1. SSH to the instance as ${USER}.

  2. Remove the ranger-plugin-keystore.p12 or ranger-plugin-keystore.jks file from the config/ssl folder, if it exists.

  3. Copy the following files to the location ~/privacera/privacera-manager/config/ssl:

    • Signed PEM Full Chain
    • Signed PEM Private Key

  4. Open the vars.ssl.yml file.

    cd ~/privacera/privacera-manager
    vi config/custom-vars/vars.ssl.yml
    
  5. Add the following properties:

    RANGER_PLUGIN_SSL_SELF_SIGNED: "false"
    RANGER_PLUGIN_SSL_SIGNED_PEM_FULL_CHAIN: "<PLEASE_CHANGE>"
    RANGER_PLUGIN_SSL_SIGNED_PEM_PRIVATE_KEY: "<PLEASE_CHANGE>"
    RANGER_PLUGIN_SSL_SIGNED_CERT_FORMAT: "pem"
    
  6. Save and exit.

  7. Run the following commands to move any existing keystore files to a backup folder:

    mkdir -p ~/privacera/backup
    cd ~/privacera/privacera-manager
    mv config/ssl/ranger-plugin-keystore.* ~/privacera/backup/
    
  8. Run the following commands to update Privacera Manager:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Note

The Common Name for a certificate should be the same as the CN of the CA-signed certificate, which requires manual changes to all service definitions.
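
A pre-flight check for the two PEM files from step 3, to run before the update in step 8. This is an added example, not part of Privacera's tooling: the function names are hypothetical, and it assumes the `openssl` CLI is installed and the private key is not passphrase-protected. It confirms that the key belongs to the first certificate in the chain file, that this certificate has not expired, and prints the CN to compare against the service definitions.

```shell
#!/bin/sh
# Added example (not Privacera code). Function names are hypothetical.
# Assumes the openssl CLI is available and the private key is unencrypted.

# Number of PEM certificates in the file.
chain_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject CN of the first (leaf) certificate in the file.
leaf_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    sed -n 's/^ *commonName *= //p'
}

# usage: check_plugin_pem <full-chain.pem> <private-key.pem>
# Returns 0 when the pair is usable, non-zero otherwise.
check_plugin_pem() {
  chain=$1; key=$2; rc=0

  # openssl x509 reads only the first certificate, which must be the leaf.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: $chain does not start with a PEM certificate" >&2; return 1; }

  # "-passin pass:" keeps openssl from prompting if the key is encrypted.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
    { echo "FAIL: $key is not a readable, unencrypted PEM private key" >&2; return 1; }

  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the first certificate in $chain" >&2
    rc=1
  fi

  if ! openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: leaf certificate has expired" >&2
    rc=1
  fi

  if [ "$(chain_cert_count "$chain")" -lt 2 ]; then
    echo "WARN: one certificate found; a full chain normally includes the intermediate CA(s)" >&2
  fi

  echo "Leaf CN: $(leaf_cn "$chain")"
  return $rc
}
```

Call it as `check_plugin_pem <full-chain.pem> <private-key.pem>` with the two files copied into config/ssl.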