Configuring Wire Encryption

Install Certificates in the Hadoop SSL Keystore Factory (HDFS, MapReduce, and YARN)

HDFS, MapReduce, and YARN use the Hadoop SSL Keystore Factory to manage SSL Certificates. This factory uses a common directory for server keystore and client truststore. The Hadoop SSL Keystore Factory allows you to use CA certificates managed in their own stores.

  1. Create a directory for the server and client stores:
    mkdir -p <SERVER_KEY_LOCATION> ; mkdir -p <CLIENT_KEY_LOCATION>
  2. Import the server certificate from each node into the HTTP Factory truststore:
    cd <SERVER_KEY_LOCATION> ; keytool -import -noprompt -alias <remote-hostname> -file <remote-hostname>.jks -keystore <TRUSTSTORE_FILE> -storepass <SERVER_TRUSTSTORE_PASSWORD>
  3. Create a single truststore file containing the public key from all certificates, by importing the public key for each CA or from each self-signed certificate pair:
    keytool -import -noprompt -alias <host> -file <CERTIFICATE_NAME> -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
  4. Copy the keystore and truststores to every node in the cluster.
  5. Validate the common truststore file on all hosts:
    keytool -list -v -keystore <ALL_JKS> -storepass <CLIENT_TRUSTSTORE_PASSWORD>
  6. Set ownership and permissions on the keys (chown rather than chgrp, because both the owner and the group must be set):
    chown -R <YARN_USER>:hadoop <SERVER_KEY_LOCATION>
    chown -R <YARN_USER>:hadoop <CLIENT_KEY_LOCATION>
    chmod 755 <SERVER_KEY_LOCATION>
    chmod 755 <CLIENT_KEY_LOCATION>
    chmod 440 <KEYSTORE_FILE>
    chmod 440 <TRUSTSTORE_FILE>
    chmod 440 <CERTIFICATE_NAME>
    chmod 444 <ALL_JKS>
    Note

    The complete path of the <SERVER_KEY_LOCATION> and the <CLIENT_KEY_LOCATION> from the root directory /etc must be owned by the yarn user and the hadoop group.
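As an added check that is not part of the original documentation, the following POSIX shell script verifies the layout that step 6 and the note above require: 755 on the two key directories, 440 on the keystore and truststore, 444 on the common truststore, and every directory from /etc down to each key location owned by the expected user and group. The function names, the optional base-directory argument (so the check can be exercised outside /etc), and the use of ls -ld instead of stat for portability between GNU and BSD are my assumptions.

```shell
#!/bin/sh
# Added example (not from the HDP documentation): verify the step 6 layout.
# mode_of PATH -> symbolic mode string such as "-r--r-----"; ls -ld is used
# because stat's flags differ between GNU and BSD systems.
mode_of()  { ls -ld "$1" | cut -c1-10; }
# owner_of PATH -> "user:group" as shown by ls -ld
owner_of() { ls -ld "$1" | awk '{print $3 ":" $4}'; }

# check_mode PATH SYMBOLIC_MODE -> 0 when PATH has exactly that mode
check_mode()  { [ "$(mode_of "$1")" = "$2" ]; }
# check_owner PATH USER:GROUP -> 0 when PATH is owned by that user and group
check_owner() { [ "$(owner_of "$1")" = "$2" ]; }

# check_path_chain DIR USER:GROUP [BASE]: the note requires every directory
# from BASE (default /etc) down to DIR to be owned by USER:GROUP.
check_path_chain() {
  dir=$1; own=$2; base=${3:-/etc}
  while [ "$dir" != "$base" ] && [ "$dir" != "/" ]; do
    check_owner "$dir" "$own" || { echo "wrong owner on $dir: $(owner_of "$dir")"; return 1; }
    dir=$(dirname "$dir")
  done
  check_owner "$base" "$own" || { echo "wrong owner on $base: $(owner_of "$base")"; return 1; }
}

# verify_key_layout SERVER_KEY_LOCATION CLIENT_KEY_LOCATION KEYSTORE_FILE TRUSTSTORE_FILE ALL_JKS
# Checks the modes from step 6 (755 directories, 440 private stores, 444 shared
# truststore), prints every mismatch, and returns 1 if any check failed.
verify_key_layout() {
  rc=0
  for d in "$1" "$2"; do
    check_mode "$d" drwxr-xr-x || { echo "expected 755 on $d, got $(mode_of "$d")"; rc=1; }
  done
  for f in "$3" "$4"; do
    check_mode "$f" -r--r----- || { echo "expected 440 on $f, got $(mode_of "$f")"; rc=1; }
  done
  check_mode "$5" -r--r--r-- || { echo "expected 444 on $5, got $(mode_of "$5")"; rc=1; }
  return $rc
}

# Usage: sh verify_keys.sh <SERVER_KEY_LOCATION> <CLIENT_KEY_LOCATION> <KEYSTORE_FILE> <TRUSTSTORE_FILE> <ALL_JKS>
if [ "$#" -eq 5 ]; then
  verify_key_layout "$@"
fi
```

Run it on every node after copying the stores (step 4); a non-zero exit lists each path whose mode or ownership differs from what step 6 sets.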