Rich, seems you are using self-signed certificates at Knox. If that is the
case, you might have to do the following.
* cd /var/lib/knox/data/security/keystores/
* keytool -exportcert -alias gateway-identity -keystore gateway.jks -file ~/knox.crt
    * Return on password prompt
* cd ~
* . /etc/ranger/admin/conf/java_home.sh
* cp $JAVA_HOME/jre/lib/security/cacerts cacerts.withknox
* keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacerts.withknox
* cp cacerts.withknox /etc/ranger/admin/conf
* cd /etc/ranger/admin/conf
* vi ranger-admin-env-knox_cert.sh
    #!/bin/bash

    certs_with_knox=/etc/ranger/admin/conf/cacerts.withknox
    export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${certs_with_knox}"

* chmod a+x ranger-admin-env-knox_cert.sh
* service ranger-admin stop
* service ranger-admin start
* ps -ef | grep proc_rangeradmin (verify that javax.net.ssl.trustStore property was applied)
* Configure Knox repo in Ranger UI using URL - https://{ranger-ui-server}:8443/gateway/admin/api/v1/topologies/
If this works for you, I can update the document accordingly.
Thanks
Bosco
From: Rich Haase <[email protected]>
Reply-To: "<[email protected]>"
<[email protected]>
Date: Tuesday, March 31, 2015 at 3:35 PM
To: "<[email protected]>" <[email protected]>
Subject: Re: Error from "Test Connection" setting up ranger-knox-plugin in
policy manager
> Sure. I'll open a JIRA and I'll include the detailed logs from xa_portal.log.
> I have noticed that the policies I've created for Knox work perfectly. The
> ranger admin just can't look up topology information for autofilling on the
> policy creation screens. Not tragic, but definitely functionality that would
> be nice.
>
> Sent from my iPhone
>
> On Mar 31, 2015, at 4:25 PM, Balaji Ganesan <[email protected]> wrote:
>
>> We should look into that. Can you create a JIRA on this?
>>
>> Note that the repository connection is for resource name lookup from the policy
>> manager. You can still save the repository and start creating policies.
>>
>> On Tue, Mar 31, 2015 at 11:18 AM, Rich Haase <[email protected]> wrote:
>>> Could someone please explain to me the cause of this error? I'm assuming
>>> this is some sort of simple configuration mistake on my part, but I've not
>>> been able to find any documentation that explains the SSL setup
>>> sufficiently.
>>>
>>> ======
>>> Connection Failed.
>>> Exception on REST call to KnoxUrl :
>>> https://<host>:8443/gateway/admin/api/v1/topologies. You can still save the
>>> repository and start creating policies, but you would not be able to use
>>> autocomplete for resource names. Check xa_portal.log for more info.
>>>
>>> javax.net.ssl.SSLHandshakeException:
>>> java.security.cert.CertificateException: No name matching <host> found.
>>> java.security.cert.CertificateException: No name matching <host> found.
>>> No name matching <host> found.
>>>
>>> =====
>>>
>>> I've replaced "<host>" with the actual hostname in the error messages.
>>>
>>>
>>> Thanks,
>>>
>>> Rich
>>
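
Added example, not part of the original thread: the "No name matching <host> found" exception quoted above is what Java's hostname verification reports when no name in the server certificate covers the host in the URL, so after exporting knox.crt it is worth comparing the certificate's names with the host used in the Knox repo URL. The function names, the sample certificate text and knox01.example.com are assumptions made for illustration, and the wildcard rule is simplified.

```shell
# Added example, not from the thread; sample text and knox01.example.com are constructed.
# Host part of a URL, lower-cased (no userinfo or IPv6 handling).
url_host() {
  local rest="${1#*://}"
  rest=${rest%%/*}
  printf '%s\n' "${rest%%:*}" | tr '[:upper:]' '[:lower:]'
}

# Names to compare, from `keytool -printcert` text on stdin:
# SAN DNSName entries when present, otherwise the subject CN.
cert_names() {
  local text san
  text=$(cat)
  san=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*DNSName:[[:space:]]*//p')
  if [ -n "$san" ]; then
    printf '%s\n' "$san"
  else
    printf '%s\n' "$text" | sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1
  fi | tr '[:upper:]' '[:lower:]'
}

# Exact match, or a leading "*." covering exactly one label (simplified rule).
name_matches() {
  case $1 in
    \*.*) [ "$2" != "${2#*.}" ] && [ "${2#*.}" = "${1#\*.}" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# check_knox_cert <knox-url> < printcert-text: returns 0 on match, 1 otherwise.
check_knox_cert() {
  local host names name
  host=$(url_host "$1")
  names=$(cert_names)
  while IFS= read -r name; do
    if name_matches "$name" "$host"; then
      echo "OK: '$name' covers '$host'"; return 0
    fi
  done <<EOF
$names
EOF
  echo "MISMATCH: '$host' not in certificate names: $(printf '%s' "$names" | tr '\n' ' ')"
  return 1
}

# Constructed sample of `keytool -printcert -file ~/knox.crt` output.
SAMPLE_PRINTCERT='Owner: CN=localhost, OU=Test, O=Hadoop, L=Test, ST=Test, C=US
Issuer: CN=localhost, OU=Test, O=Hadoop, L=Test, ST=Test, C=US'
printf '%s\n' "$SAMPLE_PRINTCERT" | check_knox_cert "https://knox01.example.com:8443/gateway/admin/api/v1/topologies/" || true
```

On a real host, pipe `keytool -printcert -file ~/knox.crt` into `check_knox_cert` together with the URL entered in the Ranger UI.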