Skip to content

Configure CA-Signed Certificate for Privacera Plugin#

This topic provides instructions to use a Certificate Authority (CA) Signed Certificate instead of a Self-Signed Certificate for communicating with Ranger.

Configuration

  1. SSH to the instance as ${USER}.

  2. Remove ranger-plugin-keystore.p12 or ranger-plugin-keystore.jks file from config/ssl folder, if it exists.

  3. Copy the following keys to the location ~/privacera/privacera-manager/config/ssl:

    • Signed PEM Full Chain
    • Signed PEM Private Key
  4. Open the vars.ssl.yml file.

    cd ~/privacera/privacera-manager
    vi config/custom-vars/vars.ssl.yml
    
  5. Add the following properties:

    RANGER_PLUGIN_SSL_SELF_SIGNED: "false"
    RANGER_PLUGIN_SSL_SIGNED_PEM_FULL_CHAIN: "<PLEASE_CHANGE>"
    RANGER_PLUGIN_SSL_SIGNED_PEM_PRIVATE_KEY: "<PLEASE_CHANGE>"
    RANGER_PLUGIN_SSL_SIGNED_CERT_FORMAT: "pem"
    
  6. Save and Exit.

  7. Run the following command:

    mkdir -p ~/privacera/backup
    cd ~/privacera/privacera-manager
    mv config/ssl/ranger-plugin-keystore.* ~/privacera/backup/
    
  8. Run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Note

The Common Name for a certificate should be the same as the CN name of the CA-signed certificate, which requires manual changes to all service definitions.