Tools Overview
Java Keytool and OpenSSL are key management tools that let you create the security artifacts needed for TLS/SSL. See How to Convert File Encodings (DER, JKS, PEM) for TLS/SSL Certificates and Keys for more information beyond the two short overviews below.
Java Keytool
Oracle Java keytool is a utility included with the Oracle JDK for creating and managing cryptographic keys and certificates. While configuring the Cloudera Manager cluster for TLS/SSL, you use this tool to create the private key pairs, keystore, and certificate signing requests, and to create a truststore for specific use by the cluster, as detailed in the steps throughout this guide.
Java Keytool Requirements for Cloudera Manager TLS/SSL Configuration
- Use the Oracle Java keytool rather than the keytool shipped with other JDKs such as OpenJDK.
- Use the JDK downloaded from Oracle or the Cloudera-provided Oracle JDK located in this default path on a Cloudera Manager Server host: /usr/java/jdk1.7.0_67-cloudera/bin/jre/lib/security
- Use the same version of the Java keytool for all steps. If the host has multiple JDKs installed, set the PATH variable so that the Oracle JDK is invoked first, as in this example:
  export JAVA_HOME=/usr/java/jdk1.7.0_67-cloudera
  export PATH=$JAVA_HOME/bin:$PATH
- Use the same password for the -keypass and -storepass options in any commands that invoke them. Cloudera Manager requires the same password for a key and its keystore.
OpenSSL
OpenSSL is an open source cryptography and TLS/SSL toolkit that has been widely used since its inception around 1999. Just as with Java Keytool, OpenSSL lets you create private keys, certificate requests, and keystores, and it provides options for verifying certificates.
Cloudera Manager Agent hosts act as clients of the Cloudera Manager Server host during RPC client and server communications. The Agent hosts, Hue, Impala, and other Python-based services require PEM-formatted keys and certificates (PKCS #8), which is why the steps below include converting some of the JKS artifacts using this tool. See How to Convert File Encodings (DER, JKS, PEM) for TLS/SSL Certificates and Keys for more information.
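The following shell script is an added example, not part of the Cloudera documentation, that ties the two overviews together: it applies the keytool rules listed above (Oracle JDK first on PATH, one password shared by -keypass and -storepass) when generating a JKS keystore and CSR, then uses keytool and OpenSSL to convert the JKS entry into the PEM/PKCS #8 key and certificate that the Agent and the Python-based services need. The alias cm-demo, the CN, the password changeit, and the temporary output directory are constructed values; the JAVA_HOME default is the Cloudera-provided JDK path quoted above and is assumed to exist only where that JDK is installed.

```shell
#!/bin/sh
# Added example (not from the Cloudera documentation): enforce the keytool rules
# above, generate a JKS keystore and CSR, and convert the key to PEM/PKCS#8 with
# OpenSSL. Aliases, passwords and paths below are constructed for illustration.

# Rule: the chosen JDK's bin directory goes in front of everything else on PATH.
# Prints the new PATH value; arguments are JAVA_HOME and the current PATH.
java_first_path() {
    printf '%s/bin:%s\n' "$1" "$2"
}

# Rule: Cloudera Manager needs the key password to equal the keystore password.
# Returns 0 when both values are non-empty and identical, 1 otherwise.
passwords_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Convert one JKS entry into an unencrypted PKCS#8 PEM key and a PEM certificate.
# Arguments: keystore path, alias, password (store and key), output directory.
jks_to_pem() {
    ks=$1; alias=$2; pw=$3; out=$4
    # Step 1: JKS -> PKCS12 with keytool; key and store password stay identical.
    keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcstoretype JKS -srcstorepass "$pw" \
        -srcalias "$alias" -srckeypass "$pw" \
        -destkeystore "$out/keystore.p12" -deststoretype PKCS12 \
        -deststorepass "$pw" -destkeypass "$pw" || return 1
    # Step 2: PKCS12 -> PEM with OpenSSL. -nodes writes the key unencrypted in
    # PKCS#8 "PRIVATE KEY" form, which the PEM consumers described above read.
    openssl pkcs12 -in "$out/keystore.p12" -passin "pass:$pw" \
        -nocerts -nodes -out "$out/key.pem" || return 1
    openssl pkcs12 -in "$out/keystore.p12" -passin "pass:$pw" \
        -nokeys -clcerts -out "$out/cert.pem" || return 1
    # Step 3: confirm the key parses, then keep it readable by the owner only.
    openssl pkey -in "$out/key.pem" -noout || return 1
    chmod 600 "$out/key.pem"
}

# Demo run: build a throwaway keystore the way the keytool steps do, then
# convert it. Skipped (not an error) when keytool or openssl is absent.
demo() {
    # Default Cloudera-provided JDK path (assumed; override via JAVA_HOME).
    JAVA_HOME="${JAVA_HOME:-/usr/java/jdk1.7.0_67-cloudera}"
    if [ -d "$JAVA_HOME/bin" ]; then
        PATH=$(java_first_path "$JAVA_HOME" "$PATH"); export PATH
    fi
    if ! command -v keytool >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "keytool or openssl not found on PATH; skipping demo" >&2
        return 0
    fi
    storepw=changeit; keypw=changeit   # constructed; the two must be identical
    if ! passwords_match "$storepw" "$keypw"; then
        echo "refusing to continue: -keypass differs from -storepass" >&2
        return 1
    fi
    work=$(mktemp -d) || return 1
    # Private key pair in a JKS keystore (constructed alias and subject name).
    keytool -genkeypair -alias cm-demo -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=cm-demo.example.com,O=Example" \
        -keystore "$work/cm.jks" -storetype JKS \
        -storepass "$storepw" -keypass "$keypw" || return 1
    # Certificate signing request for that key, to hand to a CA.
    keytool -certreq -alias cm-demo -keystore "$work/cm.jks" \
        -storepass "$storepw" -keypass "$keypw" -file "$work/cm.csr" || return 1
    jks_to_pem "$work/cm.jks" cm-demo "$storepw" "$work" || return 1
    echo "artifacts written to $work: cm.jks cm.csr keystore.p12 key.pem cert.pem"
}

demo
```

Run it on a host with both tools on PATH; the resulting key.pem is the unencrypted PKCS #8 file format the Agent expects, and cert.pem carries the (self-signed, until the CSR is signed) certificate. The password check runs before any keytool call so that a mismatch is caught before a keystore with differing passwords is ever written.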