
Enable HTTPS in Ranger

Prerequisites

Required Ports

Open inbound port 6182 in the security group attached to your instance.

Port   Service
6182   Apache Ranger Admin

Install Java, or confirm that it is already installed, on the VM instance that hosts the Ranger and Dataserver Docker containers.

Install Java

sudo yum install java-1.8.0 -y

Generate self-signed certificates for Ranger with Privacera

cd ~/privacera/docker
vi .env

# Set below properties
RANGER_SSL_ENABLE=true
RANGER_URL=https://localhost:6182

If you are using Privacera self-signed certificates, you can directly navigate to Restart Ranger.

Enable HTTPS Using Certificates

  1. Open the docker .env file for edit:

    cd ~/privacera/docker
    vi .env
    
  2. Set properties.

    RANGER_SSL_ENABLE=true
    RANGER_SELF_SIGNED_CERT=false
    RANGER_URL=https://localhost:6182

    Then create the directory that will hold the certificate files:

    cd ~/privacera/docker
    mkdir ranger_certs
    cd ranger_certs

  3. Create the jceks credential file for the Ranger plugins. SSH to any existing EMR cluster node and execute the following:

    hadoop credential create sslKeyStore -value ${RANGER_ADMIN_KEYSTORE_PASSWORD} -provider localjceks://file/tmp/ranger.jceks
    hadoop credential create sslTrustStore -value ${RANGER_ADMIN_TRUSTSTORE_PASSWORD} -provider localjceks://file/tmp/ranger.jceks

  4. Copy the ranger.jceks file to the ~/privacera/docker/ranger_certs directory on the EC2 instance.

  5. Create (or obtain) your certificate keystore file and copy it to ~/privacera/docker/ranger_certs, then change into that directory.

    cd ~/privacera/docker/ranger_certs
    
  6. Rename Certificate Keystore File

    cp ${YOUR_CERTIFICATE_KEYSTORE} ranger-admin-keystore.jks
    cp ${YOUR_CERTIFICATE_KEYSTORE} ranger-plugin-keystore.jks
    
  7. Generate Required Truststore and Certificate files from given Keystore

    keytool -export -keystore ranger-admin-keystore.jks -alias ${RANGER_ADMIN_KEYSTORE_ALIAS} -file ranger-admin-trust.cer -storepass ${RANGER_ADMIN_KEYSTORE_PASSWORD}
    
    keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks -storepass ${RANGER_PLUGIN_TRUSTSTORE_PASSWORD} -noprompt
    
    keytool -export -keystore ranger-plugin-keystore.jks -alias ${RANGER_PLUGIN_KEYSTORE_ALIAS}  -file ranger-s3Agent-trust.cer -storepass ${RANGER_PLUGIN_KEYSTORE_PASSWORD}
    
    keytool -import -file ranger-s3Agent-trust.cer -alias trustStoreAlias -keystore ranger-admin-truststore.jks -storepass ${RANGER_ADMIN_TRUSTSTORE_PASSWORD}  -noprompt
    
  8. Copy the jks and cert files shown below to the ranger configuration directory:

    mkdir -p ~/privacera/docker/ranger/admin/conf/
    cp ~/privacera/docker/ranger_certs/ranger-admin-keystore.jks ~/privacera/docker/ranger/admin/conf/ranger-admin-keystore.jks
    cp ~/privacera/docker/ranger_certs/ranger-plugin-keystore.jks ~/privacera/docker/ranger/admin/conf/ranger-plugin-keystore.jks
    cp ~/privacera/docker/ranger_certs/ranger-admin-trust.cer ~/privacera/docker/ranger/admin/conf/ranger-admin-trust.cer
    cp ~/privacera/docker/ranger_certs/ranger-s3Agent-trust.cer ~/privacera/docker/ranger/admin/conf/ranger-s3Agent-trust.cer
    cp ~/privacera/docker/ranger_certs/ranger-admin-truststore.jks ~/privacera/docker/ranger/admin/conf/ranger-admin-truststore.jks
    cp ~/privacera/docker/ranger_certs/ranger-plugin-truststore.jks ~/privacera/docker/ranger/admin/conf/ranger-plugin-truststore.jks
    
  9. Copy the jks and cert files to the dataserver configuration directory:

    cp ~/privacera/docker/ranger_certs/ranger-plugin-keystore.jks ~/privacera/docker/dataserver/conf/ranger-plugin-keystore.jks
    cp ~/privacera/docker/ranger_certs/ranger-s3Agent-trust.cer ~/privacera/docker/dataserver/conf/ranger-s3Agent-trust.cer
    cp ~/privacera/docker/ranger_certs/ranger-plugin-truststore.jks ~/privacera/docker/dataserver/conf/ranger-plugin-truststore.jks
    cp ~/privacera/docker/ranger_certs/ranger.jceks ~/privacera/docker/dataserver/conf/ranger.jceks
    
  10. Set up Ranger configuration properties.

    cd ~/privacera/docker

  11. Create properties file in ranger/admin if it doesn't already exist, and open it for edit.

    cp ranger/admin/sample.install.properties ranger/admin/install.properties
    vi ranger/admin/install.properties

  12. Add/Update the properties

    javax_net_ssl_keyStore=/opt/ranger/ranger-1.2.1-SNAPSHOT-admin/overrideconf/ranger-admin-keystore.jks
    javax_net_ssl_keyStorePassword=${RANGER_ADMIN_KEYSTORE_PASSWORD}
    javax_net_ssl_trustStore=/opt/ranger/ranger-1.2.1-SNAPSHOT-admin/overrideconf/ranger-admin-truststore.jks
    javax_net_ssl_trustStorePassword=${RANGER_ADMIN_TRUSTSTORE_PASSWORD}
    policymgr_external_url=https://localhost:6182
    policymgr_http_enabled=false
    policymgr_https_keystore_file=/opt/ranger/ranger-1.2.1-SNAPSHOT-admin/overrideconf/ranger-admin-keystore.jks
    policymgr_https_keystore_keyalias=${RANGER_ADMIN_KEY_ALIAS}
    policymgr_https_keystore_password=${RANGER_ADMIN_KEYSTORE_PASSWORD}
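Before restarting Ranger, the two files edited above (the docker .env from step 2 and ranger/admin/install.properties from step 12) should agree: HTTPS on, plain HTTP off, the same https URL in both, and no `${...}` placeholders left unsubstituted. The script below is an added example, not part of the Privacera guide; the file locations and sample values in its demo are constructed.

```shell
# Added example, not part of the Privacera guide: cross-check the docker .env
# (step 2) against ranger/admin/install.properties (step 12) before
# restarting Ranger. Exit 0 = consistent HTTPS-only setup, 1 = problems.

# prop FILE KEY: value of KEY in a key=value file (last match wins), trimmed.
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# check_ranger_https ENV_FILE INSTALL_PROPERTIES
check_ranger_https() {
  env_url=$(prop "$1" RANGER_URL)
  ext_url=$(prop "$2" policymgr_external_url)
  rc=0
  [ "$(prop "$1" RANGER_SSL_ENABLE)" = "true" ] ||
    { echo "FAIL: RANGER_SSL_ENABLE is not true in $1"; rc=1; }
  # Plain HTTP must be off, or the admin API stays reachable unencrypted.
  [ "$(prop "$2" policymgr_http_enabled)" = "false" ] ||
    { echo "FAIL: policymgr_http_enabled must be false in $2"; rc=1; }
  case "$env_url" in
    https://*) ;;
    *) echo "FAIL: RANGER_URL must start with https:// (got '$env_url')"; rc=1 ;;
  esac
  # Plugins and the portal use RANGER_URL; the admin advertises
  # policymgr_external_url. The guide sets both to https://localhost:6182.
  [ "$env_url" = "$ext_url" ] ||
    { echo "FAIL: RANGER_URL '$env_url' != policymgr_external_url '$ext_url'"; rc=1; }
  # With your own certificates the keystore path, alias and password must be
  # filled in; a literal ${...} means a placeholder was never substituted.
  if [ "$(prop "$1" RANGER_SELF_SIGNED_CERT)" = "false" ]; then
    for key in policymgr_https_keystore_file policymgr_https_keystore_keyalias \
               policymgr_https_keystore_password javax_net_ssl_trustStore; do
      val=$(prop "$2" "$key")
      case "$val" in
        "") echo "FAIL: $key is empty in $2"; rc=1 ;;
        *'${'*) echo "FAIL: $key still holds placeholder '$val'"; rc=1 ;;
      esac
    done
  fi
  return $rc
}

# Demo on constructed files: the step-12 alias placeholder was left in place.
d=$(mktemp -d)
printf 'RANGER_SSL_ENABLE=true\nRANGER_SELF_SIGNED_CERT=false\nRANGER_URL=https://localhost:6182\n' > "$d/.env"
printf 'policymgr_external_url=https://localhost:6182\npolicymgr_http_enabled=false\npolicymgr_https_keystore_file=/opt/ranger/conf/ranger-admin-keystore.jks\npolicymgr_https_keystore_keyalias=${RANGER_ADMIN_KEY_ALIAS}\npolicymgr_https_keystore_password=secret\njavax_net_ssl_trustStore=/opt/ranger/conf/ranger-admin-truststore.jks\n' > "$d/install.properties"
check_ranger_https "$d/.env" "$d/install.properties" && echo "OK: safe to restart ranger"
rm -rf "$d"
```

Run it as `sh check.sh` after editing both files; the demo at the bottom prints one FAIL line for the unsubstituted alias, which is what you would see if a step-12 value was pasted without replacing `${...}`.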

Restart Ranger

    cd ~/privacera/docker
    ./privacera_services restart ranger

Restart Dataserver

If Privacera Dataserver is installed on an EC2 instance, restart it.

    cd ~/privacera/docker
    ./privacera_services restart dataserver

Configure Ranger Plugin Repositories

  1. Open a web browser window to the Ranger UI (${RANGER_HOST}:${RANGER_PORT}). The Ranger login page displays.

  2. Click Sign In.

    The Ranger home page displays.

  3. Click a plugin repository edit icon.

    Example: privacera_s3

    The Ranger Edit Service page displays.

  4. On the Ranger Edit Service page, under Config Properties, enter ${YOUR_CN} in the Common Name for Certificate field.

    If you are using Privacera-generated self-signed certificates, ${YOUR_CN} is Ranger.

  5. Enter the Name and Value in Add New Configurations field.

    • Name = policy.download.auth.users

    • Value = root

  6. Click Save.

    Ranger Plugin Repositories are configured and ready for use.

Enable HTTPS from the Privacera Portal

To enable HTTPS on the Privacera portal, you need two files: keystore.jks and truststore.jks. In the SSL handshake, the keystore provides the server's own credentials (its private key and certificate), and the truststore holds the certificates used to verify the credentials presented by the other side.

Create Certificate Files

Obtain the required certificate files yourself, or create them by following the steps below.

For end-to-end SSL, SSL must also be enabled on Ranger. For more information, refer to the Enable HTTPS on Privacera Ranger guide.

  1. Create a directory for the certificate files.

    ssh ${EC2_INSTANCE}
    cd ~/privacera/docker
    mkdir privacera_certs
    
  2. Generate the KeyStore file using Java keytool.

    This command will give you file privacera-keystore.jks.

    sudo yum install java-1.8.0-openjdk
    keytool -genkey -alias privacera-alias -keyalg RSA -keypass changeit -storepass changeit -keystore privacera-keystore.jks
    
  3. Generate the TrustStore file (privacera-truststore.jks) using Java keytool.

    These commands export the certificate from the keystore, import it into a new truststore, and give you the file privacera-truststore.jks.

    keytool -export -keystore privacera-keystore.jks -alias privacera-alias -file privacera-trust.cer -storepass changeit
    keytool -import -file privacera-trust.cer -alias privacera-alias -keystore privacera-truststore.jks -storepass changeit -noprompt
    cp privacera-truststore.jks ~/privacera/docker/privacera_certs
    

Enable HTTPS

  1. Enable the portal SSL using the files generated in the steps above:

  2. Copy privacera-keystore.jks to the privacera configuration folder.

    ssh ${EC2_INSTANCE}
    cd ~/privacera/docker
    cp privacera-keystore.jks privacera/portal/conf/
    
  3. Copy ranger-admin-trust.cer to classpath.

    cp ~/privacera/docker/ranger/admin/conf/ranger-admin-trust.cer ~/privacera/docker/privacera/portal/conf/
    
  4. Open for edit the portal custom properties file:

    vi ~/privacera/docker/privacera/portal/conf/application-custom.properties
    
  5. Revise properties.

    To use the Cazena SSL, set the properties as follows:

    #zuul.routes.ranger.url=https://ranger:6182
    server.ssl.enabled=true
    server.ssl.key-alias=1
    server.ssl.key-store=/opt/privacera/portal/conf/cz_server_keystore.jks
    server.ssl.key-store-password=xxxxxx
    server.ssl.keyStoreType=JKS
    #ranger.truststore.cert.path=/opt/privacera/portal/conf/ranger-admin-trust.cer
    
  6. To use standard Privacera SSL, set these properties.

    zuul.routes.ranger.url=https://ranger:6182
    server.ssl.enabled=true
    server.ssl.key-alias=privacera-alias
    server.ssl.key-store=/opt/privacera/portal/conf/privacera-keystore.jks
    server.ssl.key-store-password=changeit
    server.ssl.keyStoreType=JKS
    ranger.truststore.cert.path=/opt/privacera/portal/conf/ranger-admin-trust.cer
    ranger.truststore.cert.alias=ranger-admin
    java.cacerts.password=changeit
    
  7. Restart Privacera.

    ./privacera_services restart privacera

  8. Open Ranger Portal in the browser (${RANGER_HOST}:6868).

  9. Update EC2 Privacera Dataserver in order to access the HTTPS portal.

    1. Copy privacera-truststore.jks to the Dataserver configuration folder.

      ssh ${EC2_INSTANCE}
      cd ~/privacera/docker
      cp privacera_certs/privacera-truststore.jks dataserver/conf/
      
    2. Update properties.

      vi dataserver/conf/privacera_dataserver.properties
      dataserver.portal.baseurl=https://privacera:6868
      dataserver.ssl.key-store = /workdir/privacera-data-server/conf/privacera-truststore.jks
      dataserver.ssl.key-store-password = changeit
      
    3. Restart Privacera Dataserver.

      ./privacera_services restart dataserver
      

Last update: July 23, 2021