MapReduce, YARN, and HDFS use the Hadoop SSL Keystore Factory to manage SSL certificates. This factory uses a common directory for the server keystore and the client truststore. The Hadoop SSL Keystore Factory lets you use either CA certificates or self-signed certificates, each managed in its own store.
Create a directory for the server and client stores.
mkdir -p $SERVER_KEY_LOCATION ; mkdir -p $CLIENT_KEY_LOCATION
Import the server certificate from each node into the HTTP Factory truststore.
cd $SERVER_KEY_LOCATION ; keytool -import -noprompt -alias $remote-hostname -file $remote-hostname.jks -keystore $TRUSTSTORE_FILE -storepass $SERVER_TRUSTSTORE_PASSWORD
Create a single truststore file containing the public key from all certificates, by importing the public key for each CA or from each self-signed certificate pair:
keytool -import -noprompt -alias $host -file $CERTIFICATE_NAME -keystore $ALL_JKS -storepass $CLIENT_TRUSTSTORE_PASSWORD
Copy the keystore and truststores to every node in the cluster.
Validate the common truststore file on all hosts.
keytool -list -v -keystore $ALL_JKS -storepass $CLIENT_TRUSTSTORE_PASSWORD
Set permissions and ownership on the keys:
chown -R $YARN_USER:hadoop $SERVER_KEY_LOCATION
chown -R $YARN_USER:hadoop $CLIENT_KEY_LOCATION
chmod 755 $SERVER_KEY_LOCATION
chmod 755 $CLIENT_KEY_LOCATION
chmod 440 $KEYSTORE_FILE
chmod 440 $TRUSTSTORE_FILE
chmod 440 $CERTIFICATE_NAME
chmod 444 $ALL_JKS
Note: The complete path of $SERVER_KEY_LOCATION and $CLIENT_KEY_LOCATION from the root directory /etc must be owned by the $YARN_USER user and the hadoop group.
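The following script is an added example of how to verify the end state of the procedure above (ownership along the key path, the 755/440/444 modes, and that the common truststore is identical on every node). It is not part of the Hadoop or HDP documentation. It assumes Linux with GNU coreutils (stat -c), a JDK keytool on PATH for the fingerprint helper, that keytool -list -v prints SHA256: fingerprint lines, that the directory components strictly below /etc are the ones that must be owned by $YARN_USER:hadoop, and that the same environment variables used in the procedure are set when it is run with --check:

```bash
#!/usr/bin/env bash
# Added post-setup checks for the keystore/truststore layout described above.
# Assumptions: Linux with GNU coreutils (stat -c), a JDK keytool on PATH for
# the fingerprint helper, and the procedure's environment variables
# (SERVER_KEY_LOCATION, CLIENT_KEY_LOCATION, KEYSTORE_FILE, TRUSTSTORE_FILE,
# ALL_JKS, CLIENT_TRUSTSTORE_PASSWORD, YARN_USER) set when run with --check.

# Walk from $dir up to (but not including) $root and verify that every
# directory component is owned by $user:$group. Returns 1 on any mismatch.
verify_key_path_ownership() {
  local dir="$1" root="$2" user="$3" group="$4"
  local cur="$dir" owner rc=0
  while [ "$cur" != "$root" ] && [ "$cur" != "/" ]; do
    owner=$(stat -c '%U:%G' "$cur") || return 1
    if [ "$owner" != "$user:$group" ]; then
      echo "ownership mismatch: $cur is $owner, expected $user:$group" >&2
      rc=1
    fi
    cur=$(dirname "$cur")
  done
  return "$rc"
}

# Verify that a file's permission bits are exactly the expected octal mode
# (440 for the keystore and truststore, 444 for the shared truststore,
# 755 for the two directories). Returns 1 on mismatch.
verify_mode() {
  local file="$1" expected="$2" actual
  actual=$(stat -c '%a' "$file") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "mode mismatch: $file is $actual, expected $expected" >&2
    return 1
  fi
}

# Print the sorted SHA-256 fingerprints of every entry in a JKS truststore.
# Run this on each node and diff the outputs to confirm that $ALL_JKS is
# identical cluster-wide. Only public certificate fingerprints are printed.
truststore_fingerprints() {
  local jks="$1" storepass="$2"
  keytool -list -v -keystore "$jks" -storepass "$storepass" \
    | grep -E 'SHA256:' | sort
}

# Run the full check against the procedure's variables when invoked with --check.
if [ "${1:-}" = "--check" ]; then
  verify_key_path_ownership "$SERVER_KEY_LOCATION" /etc "$YARN_USER" hadoop
  verify_key_path_ownership "$CLIENT_KEY_LOCATION" /etc "$YARN_USER" hadoop
  verify_mode "$SERVER_KEY_LOCATION" 755
  verify_mode "$CLIENT_KEY_LOCATION" 755
  verify_mode "$KEYSTORE_FILE" 440
  verify_mode "$TRUSTSTORE_FILE" 440
  verify_mode "$ALL_JKS" 444
  truststore_fingerprints "$ALL_JKS" "$CLIENT_TRUSTSTORE_PASSWORD"
fi
```

Run it as `bash check-ssl-stores.sh --check` on each node after the copy step; saving the fingerprint output per node and diffing the files catches a truststore that was regenerated on one host but not copied to the others.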