Skip to main content

Home

Using a private certificate authority with Unravel

A private certificate authority (CA) is often used for signing certificates of non-public machines. Unravel server contains a bundled JRE that has well-known, public CAs. In order for Unravel to make REST requests to collect cluster metadata from HTTPS endpoints, it needs to know about your private CA. Use one of the techniques below and restart all Unravel daemons with sudo /etc/init.d/unravel_all.sh restart after making the change.

/path/to/jks_keystore is the path for your local settings.

Externally managed JKS keystore

The bundled JRE will use an external keystore (jssecacerts) in preference over the built-in one (cacerts). Simply create a symlink as shown to your JKS keystore:

# chmod 444 /path/to/jks_keystore
# ln -s {/path/to/jks_keystore} /usr/local/unravel/jre/lib/security/jssecacerts

Note:

Substitute /path/to/jks_keystore and ensure that the target file is updated whenever your CA certificates are updated.

Externally managed JRE or JDK with curated cacerts

An external JRE or JDK is often maintained for local use so that the cacerts or file it contains is up-to-date. If this is convenient, you can edit /usr/local/unravel/etc/unravel.ext.sh and change the line for JAVA_HOME. Java 1.8 is required. The environment variable should point to the directory that contains bin/java. If you are using unlimited encryption strength for your Hadoop services, be sure that the JRE/JDK you specify also has unlimited encryption strength. Substitute your local settings /usr/java/jdkl1.8.

For example:

export JAVA_HOME /usr/java/jdk1.8
Adding a CA certificate to bundled JRE

You can add a CA certificate to the JRE that is bundled with Unravel server.

First, copy cacerts to jssecacerts so that an upgrade of Unravel will preserve your change:

# cd /usr/local/unravel/jre/lib/security
# sudo cp -p cacerts jssecacerts

List contents of the jssecacerts keystore:

# sudo /usr/local/unravel/jre/bin/keytool -list -keystore jssecacerts

Import/insert a new certificate:

Note

Substitute your local values for mycompanyca and something.cer when you execute this command. Afterwards, repeat the listing step to see the effect of the insert.

# sudo /usr/local/unravel/jre/bin/keytool -keystore jssecacerts -importcert -alias mycompanyca -file something.cer
# sudo /usr/local/unravel/jre/bin/keytool -list -keystore jssecacerts