This post describes how to set up the SSL certificate for Knox on
IBM BigInsights 4.1 and above.
Set the GATEWAY_HOME environment variable:
export GATEWAY_HOME=/usr/iop/current/knox-server/
The Knox Gateway keystore is located at $GATEWAY_HOME/data/security/keystores/
The keystore file Knox uses is gateway.jks, located in that folder.
To create a self-signed certificate, use:
/usr/iop/current/knox-server/bin/knoxcli.sh create-cert --hostname rvm.svl.ibm.com
This creates the gateway.jks file and stores it in the $GATEWAY_HOME/data/security/keystores/ folder:
[knox@rvm keystores]$ ls -lrt
-rw-r--r--. 1 knox knox 1366 Dec 21 22:31 gateway.jks
If the customer has a CA-generated certificate in .cer format, use the following step to convert the certificate to JKS format:
keytool -importcert -file certificate.cer -keystore gateway.jks -alias "gateway-identity"
The alias (identity) used is "gateway-identity".
After the certificate is created in or copied to the keystore, stop and start the gateway.
To stop the gateway, use:
[knox@rvm keystores]$ /usr/iop/current/knox-server/bin/gateway.sh stop
Stopping Gateway with PID 3852 succeeded.
To restart the gateway:
[knox@rvm keystores]$ /usr/iop/current/knox-server/bin/gateway.sh start
Stopping Gateway with PID 3852 succeeded.
Now verify the contents of gateway.jks:
[knox@rvm cert]$ /usr/jdk64/java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64/jre/bin/keytool -list -keystore $GATEWAY_HOME/data/security/keystores/gateway.jks
Enter keystore password: <knox> <== DEFAULT KNOX Password in my machine
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
gateway-identity, Dec 21, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): A5:7C:A7:6F:22:71:A6:BB:6F:3E:1D:B3:B2:CC:0F:2D:AF:C6:70:0A
To verify that Knox is using the same generated JKS file, open the BigInsights landing page at https://192.168.80.193:8443/gateway/default/BigInsightsWeb/index.html#/welcome
Click the lock icon in the browser to view the certificate details.
We can see that the certificate the browser shows has the same SHA1 fingerprint as the one listed by keytool, so Knox is serving the certificate from gateway.jks.
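
The same fingerprint comparison can be done from the command line instead of the browser's lock icon. The script below is an added example, not part of the original post: it assumes openssl and keytool are on the PATH, the script name is hypothetical, and it also checks that the alias is a PrivateKeyEntry, since a certificate-only entry has no private key for the gateway to serve TLS with.

```shell
#!/bin/sh
# Added example (not from the original post): check that the certificate Knox
# serves is the one stored under the given alias in gateway.jks.

# Strip separators and fold case so "a5:7c" and "A57C" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# stdin: `keytool -list` output. Prints the entry type of alias $1.
keystore_entry_type() {
  awk -v alias="$1" 'index($0, alias ",") == 1 && match($0, /[A-Za-z]+Entry/) {
    print substr($0, RSTART, RLENGTH); exit }'
}

# stdin: `keytool -list` output. Prints the SHA1 fingerprint of alias $1.
keystore_fp() {
  awk -v alias="$1" '
    index($0, alias ",") == 1 { found = 1; next }
    found {
      if ($0 ~ /fingerprint \(SHA1\):/) { sub(/^.*\): */, ""); print }
      exit
    }'
}

# Prints the SHA1 fingerprint of the certificate served at host:port ($1).
served_fp() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeeds only when both fingerprints are non-empty and identical.
same_fp() {
  [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage (hypothetical name): sh check_knox_cert.sh <keystore.jks> <host:port> [alias]
if [ "$#" -ge 2 ]; then
  alias_name=${3:-gateway-identity}
  listing=$(keytool -list -keystore "$1") || exit 2
  etype=$(printf '%s\n' "$listing" | keystore_entry_type "$alias_name")
  [ "$etype" = PrivateKeyEntry ] || { echo "$alias_name is '$etype', not PrivateKeyEntry" >&2; exit 1; }
  if same_fp "$(printf '%s\n' "$listing" | keystore_fp "$alias_name")" "$(served_fp "$2")"; then
    echo "MATCH: gateway serves the certificate stored in $1"
  else
    echo "MISMATCH: gateway is serving a different certificate" >&2; exit 1
  fi
fi
```

keytool releases newer than the Java 8 build used in this post print a SHA-256 fingerprint in the listing, in which case the SHA1 parser above finds nothing and the script reports a mismatch.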