I was using a certified key file to enable HTTPS; if you use a self-signed key, see the second part.
First part:
I had two files: one is the private key, named server.key, and the other is the certificate file, named server.crt.
Use the following commands to create a JKS keystore file:

    openssl pkcs12 -export -in xxx.com.crt -inkey xxx.com.key -out xxx.com.pkcs12
    keytool -importkeystore -srckeystore xxx.com.pkcs12 -destkeystore xxx.com.jks -srcstoretype pkcs12

Second part:
Use a self-signed key:

    # Generate root key file and cert file. The key file can be named .key or .pem; it's the same.
    openssl genrsa -out root.key 2048                      # Generate root key file
    openssl req -x509 -new -key root.key -out root.crt     # Generate root cert file

    # Generate client key, CSR and cert files
    openssl genrsa -out client.key 2048                    # Generate client key file
    openssl req -new -key client.key -out client.csr       # Generate client cert request file
    # Use root cert to generate client cert file
    openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial -days 3650 -out client.crt

    # Generate server key, CSR and cert files
    openssl genrsa -out server.key 2048                    # Generate server key file, used in Zeppelin
    openssl req -new -key server.key -out server.csr       # Generate server cert request file
    # Use root cert to generate server cert file
    openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -days 3650 -out server.crt

    # Generate client jks file
    # Package to pkcs12 format; you must input a password, and you should remember it
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.pkcs12
    # Use the client password you just input at the last step
    keytool -importkeystore -srckeystore client.pkcs12 -destkeystore client.jks -srcstoretype pkcs12

    # Generate server jks file
    # Package to pkcs12 format; you must input a password, and you should remember it
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
    # Use the server password you just input at the last step
    keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12

The server key, cert and JKS are used to configure Zeppelin; the client key, cert and JKS are installed into the browser or used by your client access code.
Then make a directory to hold the server files, such as:

    mkdir -p /etc/zeppelin/conf/ssl
    cp server.crt server.jks /etc/zeppelin/conf/ssl

And then modify zeppelin-site.xml to enable HTTPS access:

    <property>
      <name>zeppelin.server.ssl.port</name>
      <value>8443</value>
      <description>Server ssl port. (used when ssl property is set to true)</description>
    </property>
    <property>
      <name>zeppelin.ssl</name>
      <value>true</value>
      <description>Should SSL be used by the servers?</description>
    </property>
    <property>
      <name>zeppelin.ssl.client.auth</name>
      <value>false</value>
      <description>Should client authentication be used for SSL connections?</description>
    </property>
    <property>
      <name>zeppelin.ssl.keystore.path</name>
      <value>/etc/zeppelin/conf/ssl/xxx.com.jks</value>
      <description>Path to keystore relative to Zeppelin configuration directory</description>
    </property>
    <property>
      <name>zeppelin.ssl.keystore.type</name>
      <value>JKS</value>
      <description>The format of the given keystore (e.g. JKS or PKCS12)</description>
    </property>
    <property>
      <name>zeppelin.ssl.keystore.password</name>
      <value>password which you input on generating server jks step</value>
      <description>Keystore password. Can be obfuscated by the Jetty Password tool</description>
    </property>

That completes the setup. You can redirect port 443 to 8443 using iptables or a reverse proxy tool.
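
Before packaging server.crt and server.key into the PKCS12/JKS keystore, it helps to confirm that the certificate really chains to root.crt and that the key belongs to it. The script below is an added example, not part of the original post; the function names, return codes and the 30-day expiry threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: validate CA-signed TLS material before building a keystore.
# Uses only the openssl CLI; file names are whatever you pass in.

# Public key (PEM) embedded in a certificate / derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_tls_material <ca.crt> <server.crt> <server.key>
# Returns: 0 ok, 2 unreadable file, 3 not signed by the CA,
#          4 key does not match cert, 5 cert expires within 30 days.
check_tls_material() {
    ca=$1; crt=$2; key=$3
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    # 1. The certificate must verify against the root certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "$crt is not signed by $ca" >&2; return 3; }

    # 2. The private key must produce the public key stored in the certificate;
    #    a mismatched pair still imports into a keystore but fails at handshake.
    cpub=$(cert_pubkey "$crt"); kpub=$(key_pubkey "$key")
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "$key does not match $crt" >&2; return 4
    fi

    # 3. Reject certificates that expire within 30 days (2592000 seconds).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "$crt expires within 30 days" >&2; return 5; }

    # Advisory only: modern browsers match host names against subjectAltName,
    # which the plain "openssl x509 -req" signing step does not add.
    openssl x509 -in "$crt" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name' ||
        echo "warning: $crt has no subjectAltName" >&2
    return 0
}

# Run directly as: sh check_tls.sh root.crt server.crt server.key
if [ "$#" -eq 3 ]; then check_tls_material "$@"; fi
```

A non-zero exit identifies which property failed, so the check can gate the openssl pkcs12 and keytool steps in a provisioning script.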