
Installing Certificates in the Hadoop SSL Keystore Factory (HDFS, MapReduce, and YARN)

HDFS, MapReduce, and YARN use the Hadoop SSL Keystore Factory to manage SSL certificates. This factory uses a common directory for the server keystore and the client truststore. The Hadoop SSL Keystore Factory also allows you to use CA certificates that are managed in their own stores.

  1. Create a directory for the server and client stores.

    mkdir -p <SERVER_KEY_LOCATION> ; mkdir -p <CLIENT_KEY_LOCATION>
  2. Import the server certificate from each node into the HTTP Factory truststore. The `-file` argument is the certificate file exported from that node's keystore; `keytool -import` reads a certificate, not a `.jks` keystore.

    cd <SERVER_KEY_LOCATION> ; keytool -import -noprompt -alias <remote-hostname> -file <remote-hostname>.crt -keystore <TRUSTSTORE_FILE> -storepass <SERVER_TRUSTSTORE_PASSWORD>
  3. Create a single truststore file containing the public key from all certificates, by importing the public key for each CA or from each self-signed certificate pair:

    keytool -import -noprompt -alias <host> -file <CERTIFICATE_NAME> -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
  4. Copy the keystore and truststores to every node in the cluster.

  5. Validate the common truststore file on all hosts.

    keytool -list -v -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
  6. Set permissions and ownership on the keys:

    chown -R <YARN_USER>:hadoop <SERVER_KEY_LOCATION>
    chown -R <YARN_USER>:hadoop <CLIENT_KEY_LOCATION>
    chmod 755 <SERVER_KEY_LOCATION>
    chmod 755 <CLIENT_KEY_LOCATION>
    chmod 440 <KEYSTORE_FILE>
    chmod 440 <TRUSTSTORE_FILE>
    chmod 440 <CERTIFICATE_NAME>
    chmod 444 <ALL_JKS>

    Note: `chown` (not `chgrp`) is used because both the owner and the group are set; `chgrp` takes only a group name. The complete path of <SERVER_KEY_LOCATION> and <CLIENT_KEY_LOCATION> below the /etc directory must be owned by the yarn user and the hadoop group.
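An added check for step 6 and the note above (example code written for this page, not part of the HDP documentation or Hadoop): it verifies the modes from step 6 and walks every directory between /etc and the store directories to confirm yarn:hadoop ownership. The role names, the function name, and passing the yarn/hadoop ids as numeric `uid`/`gid` are assumptions of the example.

```python
"""Audit the keystore/truststore layout from step 6: file modes, ownership,
and ownership of every directory between /etc and the store directories."""
import stat
from pathlib import Path

# Modes from step 6, keyed by the role each path plays (role names assumed here).
EXPECTED_MODES = {
    "server_dir": 0o755,   # <SERVER_KEY_LOCATION>
    "client_dir": 0o755,   # <CLIENT_KEY_LOCATION>
    "keystore": 0o440,     # <KEYSTORE_FILE>
    "truststore": 0o440,   # <TRUSTSTORE_FILE>
    "certificate": 0o440,  # <CERTIFICATE_NAME>
    "all_jks": 0o444,      # <ALL_JKS>, the common truststore read by clients
}


def audit_store_layout(paths, uid, gid, stop_at="/etc"):
    """Return a sorted list of violation strings; an empty list means the layout is correct.

    paths:   mapping of role (a key of EXPECTED_MODES) to filesystem path.
    uid/gid: numeric ids of the yarn user and the hadoop group.
    stop_at: directory where the ancestor ownership walk stops (/etc per the note).
    """
    violations = set()
    stop = Path(stop_at).resolve()
    for role, p in paths.items():
        path = Path(p).resolve()
        if not path.exists():
            violations.add(f"{path}: missing")
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode != EXPECTED_MODES[role]:
            violations.add(f"{path}: mode {mode:o}, expected {EXPECTED_MODES[role]:o}")
        if (st.st_uid, st.st_gid) != (uid, gid):
            violations.add(f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
        # Every directory between stop_at and the store must be owned by uid:gid;
        # the owner of a parent directory can rename or replace entries beneath it.
        if stop not in path.parents:
            violations.add(f"{path}: not located under {stop}")
            continue
        for parent in path.parents:  # nearest parent first, stop before stop_at
            if parent == stop:
                break
            pst = parent.stat()
            if (pst.st_uid, pst.st_gid) != (uid, gid):
                violations.add(f"{parent}: owner {pst.st_uid}:{pst.st_gid}, expected {uid}:{gid}")
    return sorted(violations)
```

Run it on each node after step 6 with the real `/etc` as `stop_at`; any non-empty result means the factory will read stores that another account could alter.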