Question & Answer
Question
IBM BigInsights: How to generate self signed certificate for Knox containing keys greater than 2048 bits and signed using stronger hashing algorithm ?
Cause
The default keystore and self-signed certificate shipped with Knox use a 1024-bit RSA key, and the certificate is signed with SHA-1; both are considered weak.
Answer
a) Create the self-signed certificate using the same alias (gateway-identity) and the same password as the default Knox keystore (the Knox master secret), with a 2048-bit RSA key and SHA256withRSA as the signature algorithm. A larger key can be requested by raising -keysize (for example 4096); -validity is given in days. An example session follows:
keytool -genkeypair -alias gateway-identity -keyalg RSA -keysize 2048 -keystore gateway.jks -validity 300 -sigalg SHA256withRSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: knoxserver1.ibm.com
What is the name of your organizational unit?
[Unknown]: BI
What is the name of your organization?
[Unknown]: IBM
What is the name of your City or Locality?
[Unknown]: San Jose
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=knoxserver1.ibm.com, OU=BI, O=IBM, L=San Jose, ST=CA, C=US correct?
[no]: yes
Enter key password for <gateway-identity>
(RETURN if same as keystore password):
b) Take a backup of the existing gateway.jks, then copy the generated keystore over the default Knox keystore location:
cp gateway.jks /var/lib/knox/data-4.2.0.0/security/keystores/gateway.jks
c) Restart Knox.
Verification
--
a) Open the NameNode UI through the Quick Links in Ambari (the link that goes through the Knox gateway) and inspect the certificate details by clicking the lock icon in the browser address bar: the public key should be 2048-bit RSA (or larger) and the signature algorithm SHA256withRSA.
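The steps a) to c) above, plus a command-line check of the result, as one script. This is an added example and not part of the IBM page or of Knox itself. It assumes keytool is on the PATH, that the Knox master secret is supplied in the KNOX_MASTER_SECRET environment variable (read with keytool's -storepass:env so it never appears in the process list), that a larger key can be requested through KEYSIZE, and that the "Subject Public Key Algorithm: N-bit RSA key" line in keytool -list -v output (Java 8 and later) is available for the check; the listing check also runs against constructed keytool output, so it can be exercised without a keystore.

```shell
#!/bin/sh
# Added example: regenerate the Knox gateway identity with a 2048-bit (or larger)
# RSA key signed with SHA256withRSA, back up and replace the default keystore,
# and verify the result. Not the page's or Knox's own code.
# Assumptions: keytool on PATH, master secret in $KNOX_MASTER_SECRET,
# KEYSTORE_DIR/KEYSIZE/DNAME overridable through the environment.

KEYSTORE_DIR="${KEYSTORE_DIR:-/var/lib/knox/data-4.2.0.0/security/keystores}"
ALIAS="gateway-identity"                  # alias Knox expects in gateway.jks
KEYSIZE="${KEYSIZE:-2048}"                # raise to 4096 for a larger key
DNAME="${DNAME:-CN=knoxserver1.ibm.com,OU=BI,O=IBM,L=San Jose,ST=CA,C=US}"

# Step a: non-interactive form of the page's keytool -genkeypair. -dname skips
# the prompts; -keypass:env reuses the keystore password, which is what
# "RETURN if same as keystore password" does in the interactive session.
generate_keystore() {
    out="$1"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize "$KEYSIZE" \
        -sigalg SHA256withRSA -validity 300 -dname "$DNAME" \
        -keystore "$out" -storepass:env KNOX_MASTER_SECRET \
        -keypass:env KNOX_MASTER_SECRET
}

# Step b: keep a timestamped copy of the old keystore, then overwrite it and
# restrict permissions so only the Knox service account can read the key.
install_keystore() {
    new="$1"; dst="$KEYSTORE_DIR/gateway.jks"
    [ -f "$dst" ] && cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    cp "$new" "$dst" && chmod 600 "$dst"
}

# Verification: read 'keytool -list -v' text on stdin and return 0 only when
# the entry has an RSA key of at least $1 bits and a SHA-2 signature. Relies on
# the "Subject Public Key Algorithm: N-bit RSA key" line (Java 8+ keytool).
check_keytool_listing() {
    min_bits="${1:-2048}"
    listing="$(cat)"
    bits="$(printf '%s\n' "$listing" \
        | sed -n 's/.*Subject Public Key Algorithm: \([0-9]*\)-bit RSA key.*/\1/p' \
        | head -n 1)"
    sigalg="$(printf '%s\n' "$listing" \
        | sed -n 's/.*Signature algorithm name: \([A-Za-z0-9]*\).*/\1/p' \
        | head -n 1)"
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || return 1
    case "$sigalg" in
        SHA256withRSA|SHA384withRSA|SHA512withRSA) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the listing check against a real keystore (the thing to do after step b
# and again after the Knox restart, instead of relying on the browser alone).
verify_keystore() {
    keytool -list -v -alias "$ALIAS" -keystore "$1" \
        -storepass:env KNOX_MASTER_SECRET | check_keytool_listing "$KEYSIZE"
}

# The real rekey only runs when explicitly requested, so sourcing the file is safe.
if [ "${RUN_KNOX_REKEY:-0}" = "1" ]; then
    tmp="$(mktemp -d)"
    generate_keystore "$tmp/gateway.jks"
    verify_keystore "$tmp/gateway.jks" || { echo "new keystore is still weak" >&2; exit 1; }
    install_keystore "$tmp/gateway.jks"
    echo "gateway.jks replaced; restart Knox (step c)"
fi
```

Run with `KNOX_MASTER_SECRET=... RUN_KNOX_REKEY=1 sh rekey-knox.sh` as the Knox service user; `verify_keystore` refuses to install a keystore that still carries a short key or a SHA-1 signature, which is the failure this page exists to remove.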
Document Information
Modified date:
18 July 2020
UID
swg22003238