Certificate auto-enrollment for Hadoop clients

  • Last Post 25 January 2017
Ravi.Sabharanjak posted this 09 January 2017

Apparently the latest versions of Hadoop need a valid certificate to even get started, so I am trying to see how we can automate the enrollment.
I was looking at Certificate Services Web Services (https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx ).
- Any comments / experience on the feasibility of using this? We would of course need to write the client side logic for enrollment etc., which our Hadoop folks are open to doing.
- Someone mentioned using SCEP / NDES instead. What are the pros / cons?

thanks,
-Ravi

dddugan posted this 09 January 2017

Interested in this as well. Our case is around OpenShift projects. Currently thinking toward SCEP/NDES, but unproven. Have to fix the PKI environment in my test forest first….

 

Cheers.

 


a-ko posted this 09 January 2017

You’re sooner likely to find documentation on using SCEP/NDES for these types of requests, and I would probably say go that route.

 

Web Enrollment Services serves a different purpose in Windows.

 


a-ko posted this 09 January 2017

I’m not really sure how Hadoop does things, but you could also just use a simple certreq -enroll script as well if you’re on the Windows platform.

 





  1. Create a template in your CA that lets these systems “enroll”.
  2. Use a script that will request a certificate (certreq) using that specific template, then use “certutil” to export the PFX (which will export the private key + certificate chain).
  3. Import PFX into Hadoop.

If you need further modifications to the format (if Hadoop won’t take a PKCS12 file), you’ll likely need to transform the file with OpenSSL to convert/rip apart the files into PEM format, etc.

 

-Mike Cramer
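As an added example (not code from the thread or from Mike's post), the three steps above could be scripted on a Windows host with the PKI module's Get-Certificate and Export-PfxCertificate cmdlets, which use the same enrollment path as certreq -enroll. The template name HadoopNode, the output path and the expected DNS name are placeholders chosen for this example; the PFX password is taken as a parameter rather than hard-coded, and the OpenSSL commands in the trailing comment cover the PEM conversion on the Linux side that the post mentions.

```powershell
# Added example, not from the thread: enroll a machine certificate from an AD CS
# template, check what was issued, and export key + chain as PKCS#12 for Hadoop.
param(
    [string]       $TemplateName = 'HadoopNode',                              # hypothetical template name
    [string]       $PfxPath      = 'C:\hadoop\node.pfx',                      # hypothetical output path
    [string]       $ExpectedDns  = "$($env:COMPUTERNAME).example.internal",  # placeholder FQDN
    [Parameter(Mandatory = $true)]
    [SecureString] $PfxPassword                                               # supplied by the caller
)

$ErrorActionPreference = 'Stop'

# Step 2a: request against the template into the machine store. The computer
# account needs Enroll permission on the template; an auto-issuing template
# returns Status 'Issued', a template requiring CA manager approval returns
# 'Pending' and the request must be completed later with certreq -retrieve.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($result.Status))"
}
$cert = $result.Certificate

# Sanity checks before handing the certificate to Hadoop: it must carry the
# Server Authentication EKU and the node's name in its SAN, otherwise TLS
# clients reject it later and the failure is harder to trace to the template.
if ($cert.EnhancedKeyUsageList.FriendlyName -notcontains 'Server Authentication') {
    throw 'Issued certificate lacks the Server Authentication EKU; fix the template'
}
if ($cert.DnsNameList.Unicode -notcontains $ExpectedDns) {
    throw "Issued certificate does not contain SAN $ExpectedDns"
}
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with the issued certificate'
}

# Step 2b: export private key + certificate + chain as PKCS#12 (what the post
# does with certutil -exportPFX). BuildChain includes the issuing CA chain.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null
Write-Output "Exported $($cert.Thumbprint) to $PfxPath"

# Step 3 (on the Linux node, only if Hadoop will not take the PKCS#12 as-is):
# split the PFX into PEM files with OpenSSL; keep the key file owner-readable only.
#   openssl pkcs12 -in node.pfx -clcerts -nokeys -out node-cert.pem
#   openssl pkcs12 -in node.pfx -cacerts -nokeys -out ca-chain.pem
#   openssl pkcs12 -in node.pfx -nocerts -nodes  -out node-key.pem && chmod 600 node-key.pem
```

Run it from an elevated PowerShell session on the host that should own the certificate, e.g. `.\Enroll-HadoopCert.ps1 -PfxPassword (Read-Host -AsSecureString 'PFX password')`; the SAN and EKU checks are what usually catches a template that was cloned from the wrong base template.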

 


Ravi.Sabharanjak posted this 09 January 2017

It's on Linux, so any of the DCOM-based methods are out, unfortunately. Hence the thought was to look at the Cert web services to bridge the gap.
-Ravi



a-ko posted this 09 January 2017

NDES/SCEP would be the way to go.

 


Anthony.Vandenbossche posted this 09 January 2017

ADCS Web Services does not use DCOM, if I’m not mistaken. You could create a Web Enrollment Service that uses Username/Password authentication, resulting in NTLM if you do not support Kerberos, otherwise use the default Kerberos configuration. I configured this a few times and it is pretty straightforward.



 




ANTHONY VAN DEN BOSSCHE
Technical Consultant
Hybrid Cloud

You can mail me: anthony.vandenbossche@xxxxxxxxxxxxxxxx
Call me at my UC number +32 2 801 54 59
RD Portal: www.realdolmen.com

This e-mail message and any attachment are intended for the sole use of the recipient(s) named above and may contain information which is confidential and/or protected by intellectual property rights. Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. If you have received this e-mail in error, please notify the sender either by telephone (+32 2 801 55 55) or by e-mail and delete the material from any computer. Please note that neither Realdolmen nor the sender accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments. Realdolmen is responsible neither for the correct and complete transfer of the contents of the sent e-mail, nor for the receipt on due time.

Think green, keep it on your screen



 


dddugan posted this 09 January 2017

Just for the record, it’s easy to confuse web enrollment and enrollment web service, but they’re completely different. I have a case open on the enrollment web service right now and even the engineers are having a tough time keeping it straight.

- AD CS Enrollment Web Service
- AD CS Web Enrollment

 


Anthony.Vandenbossche posted this 09 January 2017

I mix them up constantly, but indeed I meant the AD CS Enrollment Web Service. What are the problems you are experiencing?

 







 


dddugan posted this 10 January 2017

Delegated install of AD CS Enrollment Web Service fails. Trying to install/run the whole PKI environment without using Enterprise Admin credentials. Delegated CA installation works fine, but no joy for enrollment web service (or enrollment policy web service). Working through the DCR process now… so far it’s looking like vNext.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4263dc6e-9758-4cfe-afcf-705064e3c8cd/ad-certificate-services-delegated-install-of-enrollment-web-service?forum=winserverDS

 

 


Anthony.Vandenbossche posted this 10 January 2017

I relayed this question to a colleague of mine, since this type of installation of the Web Service is new to me. If anything comes up I’ll reply with feedback. Best of luck.

 







 


febrero posted this 11 January 2017

Web/Policy services are intended for Windows Vista or greater clients that are not domain joined or don't have full RPC connectivity to the Issuing CA (it's an HTTPS proxy to RPC).

SCEP/NDES will be the way to go. Not sure about the automation, since most of the time it's an MDM that manages device requests, but if you have a SCEP client on Linux it should work.










Ravi.Sabharanjak posted this 25 January 2017

We ran this by a Microsoft PKI engineer who advised that the AD CS web services were the way to go over other options such as SCEP etc.
We'll be doing a small POC with the devs evaluating it to write the client side code.
-Ravi
