Access Ozone S3 Gateway using the S3A filesystem
If you want to run Ozone S3 Gateway from the S3A filesystem, you must import the required CA certificate into the default Java truststore location on all the client nodes for running shell commands or jobs. This is a prerequisite when the S3 Gateway is configured with TLS.
hadoop-awsconnector, which uses the built-in Java truststore (
$JAVA_HOME/jre/lib/security/cacerts). To override this truststore, you must create another truststore named
jssecacertsin the same folder as
cacertson all the cluster nodes. When using Ozone S3 Gateway, you can import the CA certificate used to set up TLS into
jssecacertson all the client nodes for running shell commands or jobs. Importing the certificate is important because the CA certificate used to set up TLS is not available in the default Java truststore, while the
hadoop-awsconnector library trusts only those certificates that are present in the built-in Java truststore.
$JAVA_HOME/jre/lib/security/on all the cluster nodes configured for S3 Gateway, as specified.
keytoolto view the associated CA certificate and determine the
srcaliasfrom the output of the command.
/usr/java/default/bin/keytool -list -v -keystore <ssl.client.truststore.location>
Import the CA certificate to all the hosts configured for S3
/usr/java/default/bin/keytool -importkeystore -destkeystore $JAVA_HOME/jre/lib/security/jssecacerts -srckeystore <ssl.client.truststore.location> -srcalias <alias>