Hadoop Security Guide

Obtain a Certificate from a Trusted Third-Party Certification Authority (CA)

A third-party Certification Authority (CA) accepts certificate requests from entities, authenticates applications, issues certificates, and maintains status information about certificates. Associated cryptography guarantees that a signed certificate is computationally difficult to forge. Thus, as long as the CA is a genuine and trusted authority, clients have high assurance that they are connecting to the machines that they are attempting to connect with.

To obtain a certificate signed by a third-party CA, generate and submit a Certificate Signing Request (CSR) for each cluster node:

  1. From the service user account associated with the component (for example hive, hbase, oozie, or hdfs; shown below as <service_user>), generate the host key pair:

    su -l <service_user> -c "keytool -keystore <client-keystore> -genkey -alias <host>"
  2. At the prompts, enter the information required by the CSR.

    Note: Request generation information and requirements vary depending on the certificate authority. Check with your CA for details.

    Example using the default keystore, keystore.jks:

    su -l hdfs -c "keytool -keystore keystore.jks -genkey -alias n3"

    Enter keystore password: ********
    What is your first and last name?
    [Unknown]:  hortonworks.com
    What is the name of your organizational unit?
    [Unknown]:  Development
    What is the name of your organization?
    [Unknown]:  Hortonworks
    What is the name of your City or Locality?
    [Unknown]:  SantaClara
    What is the name of your State or Province?
    [Unknown]:  CA
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is <CN=hortonworks.com, OU=Development, O=Hortonworks, L=SantaClara, ST=CA, C=US> correct?
    [no]:  yes

    Enter key password for <host>
    (RETURN if same as keystore password):

    By default, keytool uses the JKS format for both the keystore and the truststore. The keystore file is created in the user's home directory. Access to the keystore requires the keystore password and the alias.

  3. Verify that the key was generated; for example:

    su -l hdfs -c "keytool -list -v -keystore keystore.jks"
  4. Create the CSR file:

    su -l hdfs -c "keytool -keystore <keystorename> -certreq -alias <host> -keyalg rsa -file <host>.csr"

    This command generates a certificate signing request that can be sent to a CA. The file <host>.csr contains the CSR.

    The CSR is created in the user's home directory.

  5. Confirm that the keystore.jks and <host>.csr files exist by running the following command and making sure that the files are listed in the output:

    su -l hdfs -c "ls ~/"
  6. Submit the CSR to your Certificate Authority.

  7. To import and install keys and certificates, follow the instructions sent to you by the CA.
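The following script is an added example and is not part of the Hadoop Security Guide; it carries steps 1 through 5 above out non-interactively for a whole list of nodes, so that the same procedure does not have to be typed once per host. Everything beyond the guide's own commands is an assumption: the node names are constructed, the certificate CN is set to the node's FQDN (the guide's interactive example uses the organization's domain), each node gets its own <host>.jks instead of the default keystore.jks, the keystore password is taken from an exported KS_PASS variable via keytool's `:env` password modifier so that it never appears in the process list, and the final check uses `keytool -printcertreq` to confirm the CSR's subject rather than only listing the home directory.

```shell
#!/bin/sh
# Added example, not from the Hadoop Security Guide: drive steps 1 to 5 of the
# CSR procedure non-interactively for several cluster nodes. Assumptions (none
# of them on the original page): the node names are constructed, the
# certificate CN is the node's FQDN, each node gets its own <host>.jks, and the
# keystore password is read from the exported variable KS_PASS so it never
# appears in the process list. Run as the service user:
#   KS_PASS='...' ./gen_csrs.sh run
set -eu

# Constructed node list; replace with the hosts of your cluster.
NODES="n1.example.internal n2.example.internal n3.example.internal"

# Distinguished name for one node. Only the CN varies; the other fields
# mirror the guide's example prompts.
build_dname() {
    printf 'CN=%s, OU=Development, O=Hortonworks, L=SantaClara, ST=CA, C=US' "$1"
}

# Steps 1 and 2: generate a 2048-bit RSA key pair for a node in its own JKS
# keystore. -dname answers the interactive prompts; -storepass:env and
# -keypass:env make keytool read the password from the environment, not argv.
gen_host_key() {
    host="$1"; keystore="$2"
    keytool -genkeypair -keystore "$keystore" -storetype JKS \
        -alias "$host" -keyalg RSA -keysize 2048 \
        -dname "$(build_dname "$host")" \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# Steps 3 and 4: confirm the alias is in the keystore, then write <host>.csr.
make_csr() {
    host="$1"; keystore="$2"
    keytool -list -keystore "$keystore" -alias "$host" \
        -storepass:env KS_PASS >/dev/null
    keytool -certreq -keystore "$keystore" -alias "$host" \
        -file "$host.csr" -storepass:env KS_PASS
}

# Step 5, stricter than "ls ~/": the CSR must exist, be a PEM request, and
# carry the expected subject CN. Returns 0 only when all three hold.
check_csr() {
    host="$1"; csr="$host.csr"
    [ -s "$csr" ] || return 1
    grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$csr" || return 1
    keytool -printcertreq -file "$csr" | grep -qF "Subject: CN=$host," || return 1
}

main() {
    : "${KS_PASS:?export KS_PASS with the keystore password first}"
    export KS_PASS
    for host in $NODES; do
        gen_host_key "$host" "$host.jks"
        make_csr "$host" "$host.jks"
        check_csr "$host"
        echo "ready to submit to the CA: $host.csr"
    done
}

# Only run the procedure when invoked with the literal argument "run", so the
# functions can also be sourced and used one at a time.
case "${1:-}" in run) main ;; esac
```

Steps 6 and 7 are unchanged: the generated <host>.csr files are what you submit to the CA, and the signed certificates come back with the CA's own import instructions. On JDK 9 and later, keytool prints a warning that JKS is a proprietary format; the keystore is still created, and the `-storetype JKS` flag is there only to match the .jks naming used in the guide.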