Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 2.0.1
- None
Description
Ambari currently supports 2-way SSL; however, CA-signed certificates don't work out of the box.
Current Implementation:
Here is what currently happens when 2-way SSL is enabled.
Certificates and keys are stored in /var/lib/ambari-server/keys and /var/lib/ambari-agent/keys.
- Ambari Server creates a self-signed certificate (ca.crt, ca.key, ca.csr).
- Ambari Server then uses the self-signed certificate to create a keystore in PKCS#12 format (keystore.p12). This PKCS#12 file is used as both keystore and truststore.
- When Ambari Agent is bootstrapped, it detects that 2-way SSL is enabled, downloads ca.crt from the server, and creates a private key (<hostname>.key) and a certificate signing request (<hostname>.csr).
- Ambari Agent then sends the certificate signing request (<hostname>.csr) to Ambari Server, which signs the request with the self-signed certificate and returns the signed certificate (<hostname>.crt) to the Agent.
- During 2-way SSL communication, Ambari Agent uses ca.crt, <hostname>.crt and <hostname>.key, and Ambari Server uses keystore.p12 for authentication.
Limitations:
This setup means the certificates are auto-generated and Ambari Server acts as the CA that signs the client certificate requests. Since both Agent and Server check whether these certificates already exist, we can work around this by uploading the CA-signed certificates to the appropriate locations so that the certificates are not generated.
Further, Ambari Server creates the keystore keystore.p12 in PKCS#12 format, and that file is used as both keystore and truststore. Even if we included the complete certificate chain in keystore.p12, there is no way to mark the CA certificates as "trustedCertEntry" in the PKCS#12 format. This causes authentication to fail, as Ambari Server cannot find a trusted certificate (i.e. the CA certificate).
The fix for 2.1.1 would be to make the truststore file and the truststore/keystore types configurable. A more involved change to make it easy to set up 2-way SSL with CA-signed certificates can be made in 2.2+.
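As an added illustration of the failure described above (this is not Ambari code), the following Go program builds the same chain, one CA signing both the server certificate and the agent certificate, and then runs the server-side client-certificate check twice: once with the CA certificate in the trust store, and once with a trust store that holds only the server's own certificate, which is what using keystore.p12 as the truststore amounts to. The names ambari-ca, ambari-server.example and agent01.example are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert issues a certificate for cn: self-signed when parent is nil (the CA), otherwise signed by parent,
// the way Ambari Server turns <hostname>.csr into <hostname>.crt.
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := parent, parentKey
	if parent == nil { // self-signed CA
		signer, signKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyAgent is the server-side client-certificate check: the agent cert must chain to a trusted root.
func VerifyAgent(agent *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := agent.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// Demo: CA -> server leaf, CA -> agent leaf; check the agent against a trust store holding the CA,
// then against one holding only the server's own certificate (the keystore.p12-as-truststore case).
func Demo() (withCA, withoutCA error) {
	ca, caKey := mintCert("ambari-ca", nil, nil)
	server, _ := mintCert("ambari-server.example", ca, caKey)
	agent, _ := mintCert("agent01.example", ca, caKey)
	return VerifyAgent(agent, ca), VerifyAgent(agent, server)
}
```

The second check fails with an unknown-authority error, which is the same condition the server hits when its truststore lacks a trusted CA entry.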