Installing Certificates in the Hadoop SSL Keystore Factory (HDFS, MapReduce, and YARN)
HDFS, MapReduce, and YARN use the Hadoop SSL Keystore Factory to manage SSL certificates. The factory uses a common directory for the server keystore and the client truststore, and it allows you to use CA certificates that are managed in their own stores.
Create a directory for the server and client stores.
mkdir -p <SERVER_KEY_LOCATION> ; mkdir -p <CLIENT_KEY_LOCATION>
Import the server certificate from each node into the HTTP Factory truststore.
cd <SERVER_KEY_LOCATION> ; keytool -import -noprompt -alias <remote-hostname> -file <remote-hostname>.jks -keystore <TRUSTSTORE_FILE> -storepass <SERVER_TRUSTSTORE_PASSWORD>
Create a single truststore file containing the public key from all certificates, by importing the public key for each CA or from each self-signed certificate pair:
keytool -import -noprompt -alias <host> -file <CERTIFICATE_NAME> -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
Copy the keystore and truststores to every node in the cluster.
Validate the common truststore file on all hosts.
keytool -list -v -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
Set permissions and ownership on the keys:
chown -R <YARN_USER>:hadoop <SERVER_KEY_LOCATION>
chown -R <YARN_USER>:hadoop <CLIENT_KEY_LOCATION>
chmod 755 <SERVER_KEY_LOCATION>
chmod 755 <CLIENT_KEY_LOCATION>
chmod 440 <KEYSTORE_FILE>
chmod 440 <TRUSTSTORE_FILE>
chmod 440 <CERTIFICATE_NAME>
chmod 444 <ALL_JKS>
Note: The complete path of <SERVER_KEY_LOCATION> and <CLIENT_KEY_LOCATION> from the root directory, /etc, must be owned by the yarn user and the hadoop group.
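The procedure above as an added shell example (not part of the original documentation): it imports one certificate per host into the common truststore, checks that every expected host alias is present, and verifies the mode and ownership the page requires. It assumes a constructed layout in which CERT_DIR holds one <host>.crt per node; ALL_JKS, CLIENT_TRUSTSTORE_PASSWORD, the yarn user and the hadoop group are as on the page.

```shell
#!/bin/sh
# Added example, not Hortonworks/Hadoop project code.
# Assumption: CERT_DIR contains one <host>.crt exported from each node.

# Import every <host>.crt in CERT_DIR into ALL_JKS, using the hostname as alias
# (the per-certificate keytool -import step on the page, run in a loop).
build_common_truststore() {
    cert_dir=$1; all_jks=$2; storepass=$3
    for cert in "$cert_dir"/*.crt; do
        host=$(basename "$cert" .crt)
        keytool -import -noprompt -alias "$host" -file "$cert" \
            -keystore "$all_jks" -storepass "$storepass" || return 1
    done
}

# Validation step: confirm the truststore lists an entry for every expected
# host alias (keytool lower-cases aliases, hence the case-insensitive match).
truststore_has_aliases() {
    all_jks=$1; storepass=$2; shift 2
    listing=$(keytool -list -keystore "$all_jks" -storepass "$storepass") || return 1
    for host in "$@"; do
        printf '%s\n' "$listing" | grep -qi "^$host," \
            || { echo "missing alias: $host" >&2; return 1; }
    done
}

# Check one path for the exact mode and owner/group the page requires:
# keystore/truststore 440, the shared ALL_JKS 444, store directories 755,
# all owned by the yarn user and the hadoop group. -prune stops find from
# descending into a directory so only the path itself is tested.
check_path() {
    path=$1; mode=$2; owner=$3; group=$4
    [ -e "$path" ] || return 1
    [ -n "$(find "$path" -prune -perm "$mode" -user "$owner" -group "$group" -print)" ]
}

# Typical use on a node (paths are placeholders from the page):
# build_common_truststore /path/to/CERT_DIR <ALL_JKS> <CLIENT_TRUSTSTORE_PASSWORD>
# truststore_has_aliases <ALL_JKS> <CLIENT_TRUSTSTORE_PASSWORD> node1 node2 node3
# check_path <SERVER_KEY_LOCATION> 755 yarn hadoop
# check_path <ALL_JKS> 444 yarn hadoop
```

The keytool functions need a JDK on the host; check_path is plain POSIX find and can run on every node after the copy step.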