If you want to limit access to the Ambari Web GUI to HTTPS connections, you need to provide a certificate. While it is possible to use a self-signed certificate for initial trials, they are not suitable for production environments. Once your certificate is in place, you must run a special setup command.
![[Important]](../common/images/admon/important.png) |
Important |
|---|---|
Ambari Server should not be running when you do this. Either make these changes before you start Ambari the first time, or bring the server down before running the setup command. |
Log into the Ambari Server host.
Locate your certificate. If you want to create a temporary self-signed certificate, use this as an example:
openssl genrsa -out $wserver.key 2048 openssl req -new -key $wserver.key -out $wserver.csr openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
Where
$wserveris the Ambari Server hostname.
Important The certificate you use must be PEM-encoded, not DER-encoded. If you attempt to use a DER-encoded certificate, you see this error:
unable to load certificate 140109766494024:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c :698:Expecting: TRUSTED CERTIFICATE
You can convert a DER-encoded certificate to a a PEM-encoded certificate using the following command:
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
where
cert.crtis the DER-encoded certificate andcert.pemis the resulting PEM-encoded certificate.Run the special setup command and answer the prompts
ambari-server setup-https
Respond y to Do you want to configure HTTPS?
Select the port you want to use for SSL. Default is 8443.
Provide the path to your certificate and your private key.
Provide the password for the private key.
HTTPS setup for Ambari Web is complete.
