When 'ssl.enabled' is true, the following properties need to be set in cdap-security.xml. The entire cdap-security.xml file was missing from /etc/cdap/conf.
1. security.auth.server.ssl.keystore.path
2. security.auth.server.ssl.keystore.password
3. security.auth.server.ssl.keystore.keypassword
4. router.ssl.keystore.path
5. router.ssl.keystore.password
6. router.ssl.keystore.keypassword
7. dashboard.ssl.cert
8. dashboard.ssl.key
Note: the 4th, 5th, 7th, and 8th configurations were present in the cdap-site.xml.
For more details about the cdap-security.xml file, see:
http://docs.cdap.io/cdap/current/en/admin-manual/installation/security.html
Specifically, "It should be owned and readable only by the CDAP user."
The cookbook has had cdap-security.xml support for a while.
https://github.com/caskdata/cdap_cookbook/blob/v2.16.0/recipes/config.rb#L44-L56
We need to modify the logic that creates the certificates and also populate the properties with defaults. This needs to be done for Auth Server, Router, and UI.
Workaround, but with lower security:
Duplicate properties for both cdap-site.xml and cdap-security.xml when passing to Chef. For Coopr, this would be adding duplicate entries under cdap for cdap_site and cdap_security.
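A check for the condition described above, added here as an example (it is not code from CDAP or the cookbook): when ssl.enabled is true it reports which of the eight properties are missing from cdap-security.xml, which exist only in cdap-site.xml, which are duplicated in both files (the workaround), and whether cdap-security.xml is accessible to group or others. It assumes both files use the Hadoop-style `<configuration>`/`<property>` layout; the function names and finding labels are hypothetical, the sample files are constructed, and ownership by the CDAP user is not checked.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

# The eight properties the page lists as required in cdap-security.xml, in page order.
REQUIRED = [f"{p}.ssl.keystore.{s}" for p in ("security.auth.server", "router")
            for s in ("path", "password", "keypassword")]
REQUIRED += ["dashboard.ssl.cert", "dashboard.ssl.key"]

def load_props(path):
    """Return {name: value} from a <configuration> file, or {} if it is absent."""
    if not os.path.exists(path):
        return {}
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.parse(path).getroot().iter("property")}

def audit(site_path, security_path):
    """List (kind, detail) findings for an SSL-enabled CDAP configuration."""
    site, findings = load_props(site_path), []
    if site.get("ssl.enabled", "").lower() != "true":
        return findings  # the requirement only applies when ssl.enabled is true
    if not os.path.exists(security_path):
        findings.append(("file-missing", security_path))
    elif stat.S_IMODE(os.stat(security_path).st_mode) & 0o077:
        findings.append(("group-or-world-access", security_path))
    security = load_props(security_path)
    for name in REQUIRED:
        if not security.get(name):
            findings.append(("only-in-site" if name in site else "missing", name))
        elif name in site:
            findings.append(("duplicated-in-site", name))  # the lower-security workaround
    return findings

def write_conf(path, props, mode=0o644):
    """Write a constructed sample config file (test data, not real settings)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    with open(path, "w") as fh:
        fh.write(f"<configuration>{body}</configuration>")
    os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        site = os.path.join(d, "cdap-site.xml")
        # Constructed sample mirroring the report: four properties in cdap-site.xml only.
        in_site = REQUIRED[3:5] + REQUIRED[6:]
        write_conf(site, {"ssl.enabled": "true", **{n: "x" for n in in_site}})
        for finding in audit(site, os.path.join(d, "cdap-security.xml")):
            print(*finding)
```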