This topic describes how to configure Knox in the E-MapReduce (EMR) console and how to use a Knox account to access the web UIs of open source components such as Hadoop Distributed File System (HDFS), YARN, Spark, and Ganglia over the Internet.


An EMR cluster is created. For more information, see Create a cluster.


  • Configure a security group rule
    1. Obtain the public IP address of your on-premises machine.

      For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To view your current public IP address, visit

    2. Add a port.

      In this example, port 8443 is added.

      1. Go to the Basic Information page of your EMR cluster in the EMR console. In the Security section, click the link next to Cluster Security Group.
      2. On the Security Group Rules page, click Add Rule.
      3. Set the Port Range parameter to 8443/8443 and the Authorization Object parameter to the public IP address that you obtain in the previous step.
      4. Click Save in the Actions column.
    • To prevent attacks from external users, you are not allowed to set the Authorization Object parameter to
    • If no public IP address is assigned to the cluster when you create the cluster, you can add a public IP address to the cluster in the Elastic Compute Service (ECS) console.
  • Configure a Knox account

    When you access Knox, you must enter your username and password. The authentication is based on Lightweight Directory Access Protocol (LDAP). You can use the LDAP service of Apache Directory Server in the cluster or your own LDAP service.

    • Method 1 (recommended):

      On the Users page of the cluster, add a Knox account. For more information, see Manage user accounts.

    • Method 2:
      1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.
      2. Prepare your username, such as Tom.
        Run the following commands to open the users.ldif file:
        su knox
        vim /opt/apps/KNOX/knox-current/templates/users.ldif

        In the file, replace emr-guest and EMR GUEST with Tom, and set the userPassword parameter to the password of your username.

      3. Run the following commands to import user data to LDAP:
        cd /opt/apps/KNOX/knox-current/templates
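
The edit in step 2 of Method 2 can be scripted so that the cleartext password never lands in users.ldif. The following is an added example, not code from EMR or Knox. It assumes the directory accepts RFC 2307-style {SSHA} values in userPassword (Apache Directory Server does), and the sample entry, its DN, and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample entry; the real template on the cluster may differ.
SAMPLE_LDIF = """\
dn: uid=emr-guest,ou=people,o=emr
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: EMR GUEST
sn: EMR GUEST
uid: emr-guest
userPassword: emr-guest-password
"""

def ssha(password, salt=None):
    """Return an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Recompute the digest with the stored salt; compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

def personalize(ldif, username, password):
    """Apply the step 2 edits: rename the template user, set userPassword."""
    # Reject characters that would need DN or LDIF escaping.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("username contains characters that need escaping")
    out = ldif.replace("emr-guest", username).replace("EMR GUEST", username)
    hashed = ssha(password)
    out, n = re.subn(r"(?mi)^userPassword:.*$",
                     lambda m: "userPassword: " + hashed, out)
    if n != 1:
        raise ValueError("expected one userPassword line, found %d" % n)
    return out

if __name__ == "__main__":
    print(personalize(SAMPLE_LDIF, "Tom", "constructed-Passw0rd"))
```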

Access web UIs

You can use your Knox account to access the web UIs of components, such as HDFS, YARN, Spark, and Ganglia.

  1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Find the cluster that you want to manage and click Services in the Actions column.
  4. In the upper part of the page, click the Access Links and Ports tab.
  5. On the Public Connect Strings page, click the URL of the component that you want to access.


  • Q: Why do the components of Knox stop working and the error message "Failed to start gateway: Gateway SSL Certificate is Expired" appear when I start Knox?
  • A: Perform the following steps:
    1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.
    2. Run the following command to rename the expired SSL certificate:
      sudo mv /opt/apps/KNOX/knox-current/data/security/keystores/gateway.jks /opt/apps/KNOX/knox-current/data/security/keystores/bak_gateway.jks
      Note: You can also move the SSL certificate to another directory.
    3. Restart Knox.
      1. Go to the Services page of your cluster in the EMR console. In the Knox section, move the pointer over the more icon and select Start.
      2. In the dialog box that appears, enter a reason in the Execution Reason field and click OK.
      3. In the Confirm message, click OK.