Configuring the Db2 Big SQL Ranger plugin for SSL using public CA certificates
Use the following steps to configure the Db2® Big SQL Ranger plugin for SSL using public CA certificates.
Before you begin
- You have enabled the Big SQL Ranger plugin. For instructions, see Enabling and disabling Ranger security support for Db2 Big SQL.
- You have configured Ranger Admin for SSL. For instructions, see Security.
- Root and intermediate certificates are installed on your hosts, or you have added root and intermediate certificates to the default Java™ keystore "cacerts" on the hosts for Ranger Admin and the Db2 Big SQL head node. For example:
keytool -import -file carootcert.der -alias carootcert -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts -storepass changeit
keytool -import -file caintermediatecert.der -alias caintermediatecert -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts -storepass changeit
- You have keystore and truststore files for Ranger Admin and other Ranger plugins. For example, you might have the following files:
- server-keystore.jks - the keystore file that is used by Ranger Admin
- agent-keystore.jks - the keystore file that is used to store agent (plugin) keys and the certificate
- agent-truststore.jks - the plugin truststore that is used to store server certificates
- Optional: Although not necessary for enabling SSL for the Db2 Big SQL Ranger plugin, to have the Ranger user sync functions work properly in an SSL-enabled Ranger setup, ensure that you have configured Ranger Usersync for SSL. For instructions, see Configuring Ranger Usersync in the Hortonworks documentation.
Note: The documents linked above are for HDP 2.6.5. Refer to the version of HDP appropriate to your environment.
Procedure
In the following procedure, complete commands are provided for the setup. You can change some values such as file names and passwords.
Example
This complete example shows how to set up SSL for Ranger Admin and the Db2 Big SQL plugin, including how to create keystores and truststores for a CA certificate. The example assumes that the Db2 Big SQL head is installed on the same node as Ranger Admin.
Prerequisite: Add root and intermediate certificates to the default Java keystore "cacerts"
keytool -import -file carootcert.der -alias carootcert -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts -storepass changeit
keytool -import -file caintermediatecert.der -alias caintermediatecert -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts -storepass changeit
- Download the PKCS7b (.pem) certificate file.
- Secure copy (scp) the certificate file to the server.
- Run the following commands:
cp cert.pem cert.p7b
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
openssl pkcs12 -export -in cert.cer -inkey bigcentos1_fyre_ibm_com.key -out rangeradmin.p12 -name rangeradmin
- Create a keystore for the Ranger Admin service from the certificate:
keytool -importkeystore -deststorepass temp4now -destkeypass temp4now -srckeystore rangeradmin.p12 -srcstoretype PKCS12 -destkeystore ranger-admin-keystore.jks -deststoretype JKS -alias rangeradmin
You should now have the generated ranger-admin-keystore.jks keystore file.
- Run the following commands:
cp ranger-admin-keystore.jks /etc/ranger/admin/conf/
cd /etc/ranger/admin/conf/
- Set permissions:
chown ranger:ranger ranger-admin-keystore.jks
chmod 400 ranger-admin-keystore.jks
- Run the following command on the Db2 Big SQL head node host:
mkdir /etc/bigsql/conf
- Generate another keystore for the Db2 Big SQL plugin:
openssl pkcs12 -export -in cert.cer -inkey bigcentos1_fyre_ibm_com.key -out bigsqlplugin.p12 -name bigsqlplugin
keytool -importkeystore -deststorepass temp4now -destkeypass temp4now -srckeystore bigsqlplugin.p12 -srcstoretype PKCS12 -destkeystore bigsql-plugin-keystore.jks -deststoretype JKS -alias bigsqlplugin
You should now have the generated bigsql-plugin-keystore.jks keystore file.
- Run the following command:
cp bigsql-plugin-keystore.jks /etc/bigsql/conf/
- Set permissions:
cd /etc/bigsql/conf/
chown bigsql:hadoop bigsql-plugin-keystore.jks
chmod 400 bigsql-plugin-keystore.jks
- Export the rangeradmin.cer file:
keytool -export -keystore ranger-admin-keystore.jks -alias rangeradmin -file rangeradmin.cer -storepass temp4now
- Secure copy (scp) the rangeradmin.cer file from the Db2 Big SQL master node.
- Create the truststore for Db2 Big SQL:
keytool -import -file rangeradmin.cer -alias rangeradmin -keystore /etc/bigsql/conf/bigsql-plugin-truststore.jks -storepass temp4now
- Export the bigsqlplugin.cer file:
keytool -export -keystore bigsql-plugin-keystore.jks -alias bigsqlplugin -file bigsqlplugin.cer -storepass temp4now
- Secure copy (scp) the bigsqlplugin.cer file to the Ranger Admin host.
- Create the truststore for Ranger Admin:
keytool -import -file bigsqlplugin.cer -alias bigsqlplugin -keystore /etc/ranger/admin/conf/ranger-admin-truststore.jks -storepass temp4now
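Once the four files exist, a quick check on each host catches the two mistakes that most often break the plugin's TLS setup: a keystore the service account cannot read (wrong owner, or a mode other than the 400 set above) and a truststore that does not actually hold the peer's certificate under the expected alias. The following POSIX shell script is an added example written for this page; it is not part of the IBM documentation or the Ranger project. The function names check_store and check_all_stores are hypothetical; the file paths, owners, aliases and the placeholder password temp4now are the ones used in the example above. The alias check runs only when keytool is on PATH.

```shell
#!/bin/sh
# Added example for this page (not IBM or Ranger project code): verify that a
# keystore or truststore is usable by its service account and holds the
# expected entry. Function names are hypothetical; paths, owners, aliases and
# the password "temp4now" are the values used in the example procedure.

# check_store FILE MODE OWNER ALIAS STOREPASS
#   MODE  - expected octal mode (e.g. 400); empty string skips the check
#   OWNER - expected owning user; empty string skips the check
#   ALIAS - entry that must exist in the store; empty string skips the check
# Returns 0 when every requested check passes, 1 otherwise.
check_store() {
    store="$1"; want_mode="$2"; want_owner="$3"; alias="$4"; storepass="$5"
    if [ ! -f "$store" ]; then
        echo "FAIL $store: file not found" >&2
        return 1
    fi
    if [ -n "$want_mode" ]; then
        # GNU stat (Linux): %a prints the octal permission bits.
        mode=$(stat -c '%a' "$store") || return 1
        if [ "$mode" != "$want_mode" ]; then
            echo "FAIL $store: mode $mode, expected $want_mode (chmod $want_mode)" >&2
            return 1
        fi
    fi
    if [ -n "$want_owner" ]; then
        # %U prints the owner's user name.
        actual_owner=$(stat -c '%U' "$store") || return 1
        if [ "$actual_owner" != "$want_owner" ]; then
            echo "FAIL $store: owner $actual_owner, expected $want_owner (chown)" >&2
            return 1
        fi
    fi
    if [ -n "$alias" ] && command -v keytool >/dev/null 2>&1; then
        # keytool -list exits non-zero when the alias is absent or the
        # store password is wrong.
        if ! keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
            echo "FAIL $store: no entry with alias $alias (or wrong store password)" >&2
            return 1
        fi
    fi
    echo "OK   $store"
    return 0
}

# The four files created in the example. The keystores hold private keys, so
# the procedure sets them to mode 400 and the service account as owner; the
# truststores hold only the peer's public certificate, so only the alias is
# checked. Run the Ranger Admin lines on the Ranger Admin host and the Db2 Big
# SQL lines on the head node (the same machine in the example).
check_all_stores() {
    rc=0
    check_store /etc/ranger/admin/conf/ranger-admin-keystore.jks   400 ranger rangeradmin  temp4now || rc=1
    check_store /etc/ranger/admin/conf/ranger-admin-truststore.jks ""  ""     bigsqlplugin temp4now || rc=1
    check_store /etc/bigsql/conf/bigsql-plugin-keystore.jks        400 bigsql bigsqlplugin temp4now || rc=1
    check_store /etc/bigsql/conf/bigsql-plugin-truststore.jks      ""  ""     rangeradmin  temp4now || rc=1
    return $rc
}

# Usage: sh check-ssl-stores.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all_stores
fi
```

Because the store password is passed as a command-line argument, it is visible in the process list while keytool runs, exactly as with the keytool commands in the procedure; on a shared host, prefer running the check as the service account or root and keep the password out of shell history.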
Step 5: Configure Ranger Admin for SSL
For instructions, see the Configuring Ranger Admin page in the security section of the HDP documentation.
Step 6: Configure Db2 Big SQL for SSL
The files from this example map to the keystore and truststore names used in Before you begin as follows:
- server-keystore.jks is /etc/ranger/admin/conf/ranger-admin-keystore.jks
- agent-keystore.jks is /etc/bigsql/conf/bigsql-plugin-keystore.jks
- agent-truststore.jks is /etc/bigsql/conf/bigsql-plugin-truststore.jks