Hadoop Security Guide

Using a CA-Signed Certificate

To use a CA-signed certificate:

  1. Run the following command to create the private key of the self-signing rootCA (steps 2 and 3 self-sign it and import it into the client truststore). This key signs every host certificate in the cluster, so keep it private and off the cluster hosts. The following command creates a 2048-bit RSA key:

    openssl genrsa -out <clusterCA>.key 2048
  2. Self-sign the rootCA. The following command creates a root certificate that is valid for 300 days. It starts an interactive prompt that asks for the name and location fields of the certificate subject; the certificate is written to <clusterCA>.pem, which the later steps reference.

    openssl req -x509 -new -key <clusterCA>.key -days 300 -out <clusterCA>.pem
  3. Import the rootCA certificate (not its private key) into the client truststore:

    keytool -importcert -alias <clusterCA> -file <clusterCA>.pem -keystore <clustertruststore> -storepass <clustertruststorekey>

    Note

    Make sure that the ssl-client.xml file on every host is configured to use this <clustertruststore> file.

    When configuring Hive, point it to this truststore file; when configuring other services, install the certificate in the Java truststore.

  4. For each host, sign the host's certificate request (certreq) file with the rootCA. The -CAcreateserial option creates the CA serial-number file on first use so that every host certificate gets a distinct serial:

    openssl x509 -req -CA <clusterCA>.pem -CAkey <clusterCA>.key -in <host>.cert -out <host>.signed -days 300 -CAcreateserial
  5. On each host, import the rootCA certificate and then the signed certificate back into the host keystore. Import the rootCA first: keytool accepts the signed certificate reply under the existing key-pair alias (`hostname -s`) only when it can build a chain to a certificate it already trusts.

    keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias <clusterCA> -import -file <clusterCA>.pem
    keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias `hostname -s` -import -file <host>.signed -keypass <hostkey>
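The five steps above as one non-interactive script, added here as an example and not taken from the Hortonworks guide. It runs in a scratch directory, replaces the interactive `openssl req` prompts with `-subj`, and finishes by checking that the signed host certificate chains to the rootCA and names it as issuer. The names `cluster1CA`, `dn01`, `example.internal`, the passwords and the `O=`/`C=` values are constructed placeholders standing in for the guide's `<clusterCA>`, `<host>`, `<clustertruststorekey>` and `<hoststorekey>`; the keytool steps run only when a JDK is installed, and without keytool the host key pair is generated with openssl instead so the signing and verification steps still run.

```shell
#!/bin/sh
# Added example, not part of the Hortonworks guide: runs the five steps above
# non-interactively in a scratch directory and checks the result. Every name
# below (cluster1CA, dn01, the passwords, the O= and CN= values) is a
# constructed placeholder for the guide's <clusterCA>, <host>,
# <clustertruststorekey> and <hoststorekey>.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_NAME="cluster1CA"                        # <clusterCA>
HOST="dn01"                                 # what `hostname -s` returns on the node
TRUSTSTORE="$WORKDIR/clustertruststore.jks" # <clustertruststore>
TRUSTSTORE_PASS="changeit-trust"            # <clustertruststorekey>, constructed
HOSTSTORE_PASS="changeit-host"              # <hoststorekey> and <hostkey>, constructed
DN_SUFFIX="O=Example Cluster,C=US"

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Steps 1-2: private CA key (stays on the CA machine) and a self-signed root
# certificate valid for 300 days. -subj replaces the interactive prompts.
create_root_ca() {
    openssl genrsa -out "$WORKDIR/$CA_NAME.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/$CA_NAME.key" -days 300 \
        -subj "/C=US/O=Example Cluster/CN=$CA_NAME" -out "$WORKDIR/$CA_NAME.pem"
}

# Step 3: the root certificate, never its key, goes into the shared truststore.
import_root_into_truststore() {
    have_keytool || { echo "keytool not found; skipping truststore import"; return 0; }
    keytool -importcert -noprompt -alias "$CA_NAME" -file "$WORKDIR/$CA_NAME.pem" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Step 4: produce the host CSR (<host>.cert) and sign it with the root CA.
# With keytool present the key pair lives in the host keystore under the
# `hostname -s` alias, exactly as step 5 expects; otherwise openssl is used.
issue_host_cert() {
    host="$1"; ks="$WORKDIR/$host.jks"
    rm -f "$WORKDIR/$host".*
    if have_keytool; then
        keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 300 \
            -dname "CN=$host.example.internal,$DN_SUFFIX" \
            -keystore "$ks" -storepass "$HOSTSTORE_PASS" -keypass "$HOSTSTORE_PASS"
        keytool -certreq -alias "$host" -keystore "$ks" -storepass "$HOSTSTORE_PASS" \
            -file "$WORKDIR/$host.cert"
    else
        openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null
        openssl req -new -key "$WORKDIR/$host.key" \
            -subj "/C=US/O=Example Cluster/CN=$host.example.internal" -out "$WORKDIR/$host.cert"
    fi
    openssl x509 -req -CA "$WORKDIR/$CA_NAME.pem" -CAkey "$WORKDIR/$CA_NAME.key" \
        -in "$WORKDIR/$host.cert" -out "$WORKDIR/$host.signed" -days 300 -CAcreateserial 2>/dev/null
}

# Step 5: import the root CA first, then the signed reply under the key-pair
# alias. Order matters: keytool only installs the reply once it can build a
# chain to a certificate the keystore already trusts.
import_signed_into_host_keystore() {
    host="$1"; ks="$WORKDIR/$host.jks"
    have_keytool || { echo "keytool not found; skipping host keystore import"; return 0; }
    keytool -importcert -noprompt -alias "$CA_NAME" -file "$WORKDIR/$CA_NAME.pem" \
        -keystore "$ks" -storepass "$HOSTSTORE_PASS"
    keytool -importcert -noprompt -alias "$host" -file "$WORKDIR/$host.signed" \
        -keystore "$ks" -storepass "$HOSTSTORE_PASS" -keypass "$HOSTSTORE_PASS"
}

# Checks on the result: exit 0 when the signed host certificate chains to the
# root CA, and when its issuer equals the root CA's subject.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/$CA_NAME.pem" "$WORKDIR/$1.signed" >/dev/null 2>&1
}

check_issuer() {
    ca_subject=$(openssl x509 -noout -subject -in "$WORKDIR/$CA_NAME.pem" | sed 's/^subject= *//')
    host_issuer=$(openssl x509 -noout -issuer -in "$WORKDIR/$1.signed" | sed 's/^issuer= *//')
    [ -n "$ca_subject" ] && [ "$ca_subject" = "$host_issuer" ]
}

create_root_ca
import_root_into_truststore
issue_host_cert "$HOST"
import_signed_into_host_keystore "$HOST"
verify_chain "$HOST"
check_issuer "$HOST"
echo "signed certificate for $HOST chains to $CA_NAME (files in $WORKDIR)"
```

Run it once per host; `issue_host_cert` clears that host's earlier files so re-running does not collide with an existing keystore alias. The two check functions are what to keep when adapting this to a real rollout: a certificate that fails `openssl verify -CAfile <clusterCA>.pem` on the CA machine will also fail the chain check in keytool during step 5, and the issuer comparison catches a certificate signed by a stale or different CA before it is distributed.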