Tuesday, December 22, 2015

Working with Knox Certificates

This post gives the details of setting up the SSL certificate for Knox, specific to IBM BigInsights version 4.1 and above.

Set the environment variable GATEWAY_HOME (the post uses "set", which does not export a variable in a Linux shell; use export):
    export GATEWAY_HOME=/usr/iop/current/knox-server/

The Knox Gateway keystore is located at $GATEWAY_HOME/data/security/keystores/

The keystore file Knox uses is gateway.jks, located in the folder above.

To create a self-signed certificate, use:
    /usr/iop/current/knox-server/bin/knoxcli.sh create-cert --hostname rvm.svl.ibm.com

This creates the gateway.jks file and stores it in the $GATEWAY_HOME/data/security/keystores/ folder:

[knox@rvm keystores]$ ls -lrt
    -rw-r--r--. 1 knox knox 1366 Dec 21 22:31 gateway.jks

If the customer has a CA-generated certificate in .cer format, use the following command to import it into the JKS keystore:

    keytool -importcert -file certificate.cer -keystore gateway.jks -alias "gateway-identity"

The alias used is "gateway-identity", the entry the gateway reads its TLS identity from. Import the certificate into the alias that already holds the gateway's private key (the entry create-cert produced): keytool then treats it as the CA reply for that key and the entry stays a PrivateKeyEntry. Importing into an alias that has no private key creates a trustedCertEntry, which the gateway cannot use to serve TLS.

After the certificate has been created or imported into the keystore, stop and start the gateway so it picks up the new entry.

To stop the gateway, use:

    [knox@rvm keystores]$ /usr/iop/current/knox-server/bin/gateway.sh stop
    Stopping Gateway with PID 3852 succeeded.

To start the gateway again:

    [knox@rvm keystores]$ /usr/iop/current/knox-server/bin/gateway.sh start
    Stopping Gateway with PID 3852 succeeded.

Now verify the contents of gateway.jks with keytool:

[knox@rvm cert]$ /usr/jdk64/java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64/jre/bin/keytool -list -keystore $GATEWAY_HOME/data/security/keystores/gateway.jks

Enter keystore password: <knox>   <== the default Knox keystore password on my machine
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry

gateway-identity, Dec 21, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): A5:7C:A7:6F:22:71:A6:BB:6F:3E:1D:B3:B2:CC:0F:2D:AF:C6:70:0A


To verify that Knox is actually serving the certificate from this gateway.jks, open the BigInsights landing page at https://192.168.80.193:8443/gateway/default/BigInsightsWeb/index.html#/welcome.

Click the lock icon in the browser to view the certificate details.

The SHA1 fingerprint the browser shows is the same as the one keytool listed for the gateway-identity entry, so the gateway is using the certificate from gateway.jks.
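The browser check above can be scripted. The following shell script is an added example, not part of the original post: it lists the gateway-identity entry with keytool, checks that it is a PrivateKeyEntry (the caveat from the import step), fetches the certificate the running gateway presents on port 8443 with openssl, and compares the two SHA1 fingerprints. It assumes keytool and openssl are on PATH and uses the paths, alias and port from the post; the host name, the KNOX_STOREPASS variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Confirms that gateway.jks holds a
# private key under the gateway-identity alias and that the certificate Knox
# serves over TLS has the same SHA1 fingerprint as that keystore entry.
# Assumes keytool and openssl are on PATH.

GATEWAY_HOME="${GATEWAY_HOME:-/usr/iop/current/knox-server}"
KEYSTORE="$GATEWAY_HOME/data/security/keystores/gateway.jks"
ALIAS="gateway-identity"

# Normalize a fingerprint to bare upper-case hex so that "a5:7c:..." from
# openssl and "A5:7C:..." from keytool compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# First SHA1 fingerprint in `keytool -list` output ($1). Handles both the
# "Certificate fingerprint (SHA1): ..." line of JDK 8 and the indented
# "SHA1: ..." line printed by `keytool -list -v` on newer JDKs.
fp_from_keytool() {
  raw=$(printf '%s\n' "$1" \
        | sed -n -e 's/.*(SHA1): *//p' -e 's/^[[:space:]]*SHA1: *//p' \
        | head -n 1)
  normalize_fp "$raw"
}

# Entry type recorded for alias $2 in `keytool -list` output $1, e.g.
# "PrivateKeyEntry" or "trustedCertEntry" (the keytool line ends with a comma).
entry_type_from_keytool() {
  printf '%s\n' "$1" | sed -n "s/^$2, .*, \([A-Za-z]*Entry\),*$/\1/p" | head -n 1
}

# SHA1 fingerprint from `openssl x509 -fingerprint -sha1` output ($1),
# which looks like "SHA1 Fingerprint=A5:7C:...".
fp_from_openssl() {
  raw=$(printf '%s\n' "$1" | sed -n 's/^SHA1 Fingerprint=//p' | head -n 1)
  normalize_fp "$raw"
}

# True only when both fingerprints are non-empty and identical; an empty
# value means a parse or connection failure and must never count as a match.
fingerprints_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Live check against a running gateway: $1 host, $2 port (default 8443).
# Set KNOX_STOREPASS to skip keytool's interactive password prompt.
check_live() {
  host="$1"; port="${2:-8443}"
  if [ -n "${KNOX_STOREPASS:-}" ]; then
    ks_out=$(keytool -list -keystore "$KEYSTORE" -alias "$ALIAS" -storepass "$KNOX_STOREPASS")
  else
    ks_out=$(keytool -list -keystore "$KEYSTORE" -alias "$ALIAS")
  fi
  etype=$(entry_type_from_keytool "$ks_out" "$ALIAS")
  if [ "$etype" != "PrivateKeyEntry" ]; then
    echo "ERROR: $ALIAS is '$etype', not a PrivateKeyEntry; the gateway cannot serve TLS from it" >&2
    return 1
  fi
  live_out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha1)
  ks_fp=$(fp_from_keytool "$ks_out")
  live_fp=$(fp_from_openssl "$live_out")
  echo "keystore ($ALIAS):   $ks_fp"
  echo "served by $host:$port: $live_fp"
  if fingerprints_match "$ks_fp" "$live_fp"; then
    echo "MATCH: the gateway is serving the certificate from gateway.jks"
  else
    echo "MISMATCH: the gateway is not serving the certificate in gateway.jks (was it restarted?)" >&2
    return 1
  fi
}

# Usage: sh check_knox_cert.sh rvm.svl.ibm.com [8443]
if [ $# -ge 1 ]; then
  check_live "$@"
fi
```

Run it as the knox user after restarting the gateway; a non-zero exit means either the keystore entry has no private key or the gateway is still presenting a different certificate, which is exactly what the lock-icon check in the browser would reveal.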