Hadoop Security Guide

Installing Certificates in the Hadoop SSL Keystore Factory (HDFS, MapReduce, and YARN)

HDFS, MapReduce, and YARN use the Hadoop SSL Keystore Factory to manage SSL certificates. The factory uses one common directory for the server keystore and the client truststore, and it lets you use CA certificates that are managed in their own stores.

  1. Create a directory for the server and client stores.

    mkdir -p <SERVER_KEY_LOCATION> ; mkdir -p <CLIENT_KEY_LOCATION>
  2. Import the server certificate from each node into the HTTP Factory truststore.

    cd <SERVER_KEY_LOCATION> ; keytool -import -noprompt -alias <remote-hostname> -file <remote-hostname>.jks -keystore <TRUSTSTORE_FILE> -storepass <SERVER_TRUSTSTORE_PASSWORD>
  3. Create a single truststore file containing the public key from all certificates, by importing the public key for each CA or from each self-signed certificate pair:

    keytool -import -noprompt -alias <host> -file $CERTIFICATE_NAME -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
  4. Copy the keystore and truststores to every node in the cluster.

  5. Validate the common truststore file on all hosts.

    keytool -list -v -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
  6. Set permissions and ownership on the keys:

    chown -R <YARN_USER>:hadoop <SERVER_KEY_LOCATION>
    chown -R <YARN_USER>:hadoop <CLIENT_KEY_LOCATION>
    chmod 755 <SERVER_KEY_LOCATION>
    chmod 755 <CLIENT_KEY_LOCATION>
    chmod 440 <KEYSTORE_FILE>
    chmod 440 <TRUSTSTORE_FILE>
    chmod 440 <CERTIFICATE_NAME>
    chmod 444 <ALL_JKS>
    Note: The complete path of <SERVER_KEY_LOCATION> and of <CLIENT_KEY_LOCATION> below the root directory /etc must be owned by the yarn user and the hadoop group.
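The six steps above, collected into reusable shell functions as an added example (this is not a script from the Hadoop Security Guide). The guide's placeholders (<SERVER_KEY_LOCATION>, <CLIENT_KEY_LOCATION>, <ALL_JKS>, <CLIENT_TRUSTSTORE_PASSWORD>) become function arguments; the alias-from-filename rule, the `yarn:hadoop` owner string and every path are assumptions. Ownership is applied with `chown`, since `chgrp` accepts only a group, not a `user:group` pair. The audit function at the end is the check a reviewer wants after step 6: it flags any keystore in the two directories that is readable beyond owner and group, and any shared truststore that is not exactly 444.

```shell
#!/usr/bin/env bash
# Added example: build, verify and permission the common truststore from the guide's steps.
# All paths, aliases and the yarn:hadoop owner string are assumptions, not values from the page.

# Print a file's octal mode portably: GNU stat first, then BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when PATH has exactly the expected octal mode (e.g. 440), 1 otherwise.
check_mode() {
  local path=$1 expected=$2 actual
  actual=$(file_mode "$path") || return 1
  [ "$actual" = "$expected" ]
}

# Step 3: import every certificate into ALL_JKS. The alias is the certificate's
# base file name (node1.crt -> node1), one keytool import per certificate.
build_truststore() {
  local all_jks=$1 storepass=$2 cert alias
  shift 2
  for cert in "$@"; do
    alias=$(basename "$cert"); alias=${alias%.*}
    keytool -import -noprompt -alias "$alias" -file "$cert" \
            -keystore "$all_jks" -storepass "$storepass" || return 1
  done
}

# Step 5: confirm each expected host alias is present in the common truststore.
# Returns the number of missing aliases (0 means the store is complete).
verify_truststore() {
  local all_jks=$1 storepass=$2 missing=0 alias
  shift 2
  for alias in "$@"; do
    keytool -list -keystore "$all_jks" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
      || { echo "MISSING: alias $alias not in $all_jks"; missing=$((missing+1)); }
  done
  return "$missing"
}

# Step 6: owner and modes. Directories 755, every store 440 (owner+group read),
# the shared truststore 444 because every client process must be able to read it.
apply_perms() {
  local owner=$1 server_dir=$2 client_dir=$3 all_jks=$4   # owner e.g. yarn:hadoop
  chown -R "$owner" "$server_dir" "$client_dir"
  chmod 755 "$server_dir" "$client_dir"
  find "$server_dir" "$client_dir" -type f -exec chmod 440 {} +
  chmod 444 "$all_jks"
}

# Audit the layout against the guide's modes. Prints one line per violation and
# returns the violation count, so 0 means the layout is compliant.
audit_key_layout() {
  local server_dir=$1 client_dir=$2 all_jks=$3 violations=0 p want
  for p in "$server_dir" "$client_dir"; do
    check_mode "$p" 755 \
      || { echo "MODE: $p is $(file_mode "$p"), want 755"; violations=$((violations+1)); }
  done
  for p in "$server_dir"/* "$client_dir"/*; do
    [ -f "$p" ] || continue
    if [ "$p" = "$all_jks" ]; then want=444; else want=440; fi
    check_mode "$p" "$want" \
      || { echo "MODE: $p is $(file_mode "$p"), want $want"; violations=$((violations+1)); }
  done
  return "$violations"
}

# Typical use on an admin host (assumed paths):
#   build_truststore /etc/security/clientKeys/all.jks "$CLIENT_TRUSTSTORE_PASSWORD" certs/*.crt
#   verify_truststore /etc/security/clientKeys/all.jks "$CLIENT_TRUSTSTORE_PASSWORD" node1 node2
#   apply_perms yarn:hadoop /etc/security/serverKeys /etc/security/clientKeys /etc/security/clientKeys/all.jks
#   audit_key_layout /etc/security/serverKeys /etc/security/clientKeys /etc/security/clientKeys/all.jks
```

Run `audit_key_layout` on every node after the copy in step 4, not only on the host where the stores were built: `scp` and configuration-management tools frequently recreate files with the destination's umask, which is exactly how a 440 keystore ends up world-readable.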