Hadoop Security Guide
Also available as:
PDF
loading table of contents...

Manage the Master Secret

The master secret is required to start the gateway. The secret protects artifacts used by the gateway instance, such as the keystore, trust stores and credential stores.

You configure the gateway to persist the master secret, which is saved in the $gateway /data/security/master file. Ensure that this directory has the appropriate permissions set for your environment. To set the master secret, enter:

cd $gateway bin/knoxcli.cmd create-master

A warning displays indicating that persisting the secret is less secure than providing it at startup. Knox protects the password by encrypting it with AES 128 bit encryption; where possible, the file permissions are set to be accessible only by the knox user.

[Warning]Warning

Ensure that the security directory, $gateway/data/security, and its contents are readable and writable only by the knox user. This is the most important layer of defense for master secret. Do not assume that the encryption is sufficient protection.

Changing the Master Secret

The Master Secret can be changed under dire situations where the Administrator has to redo all the configurations for every dateway instance in a deployment, and no longer knows the Master Secret. Recreating the Master Secret requires not only recreating the master, but also removing all existing keystores and reprovisioning the certificates and credentials.

  1. To change the Master Secret:

    cd $gateway bin/knoxcli.cmd create-master--force

  2. If there is an existing keystore, update the keystore.