As I mentioned in my previous blog, Secure hadoop/cloudera cluster using PKI implementation, setting up a PKI is good practice. In that blog I didn't cover SAN certificates, which become important when setting up a front-end load balancer for the Hive/Impala services in a multi-node cluster: the one certificate must be valid for the load balancer name and for every node behind it.
I have created a simple shell script driven by an input file. It creates a single root CA key and certificate, and then creates keystores and truststores in JKS or PEM format for hive/impala/cm/hue.
Certificate input file (certificates.txt), one load balancer per line:
#LBNAME:NODES:FORMAT(PEM|JKS)
hive.tanu.com:nm1.tanu.com,node1.tanu.com,node2.tanu.com,hive.tanu.com:jks
hue.tanu.com:nm1.tanu.com,node1.tanu.com,node2.tanu.com,hue.tanu.com:pem
impala.tanu.com:nm1.tanu.com,node1.tanu.com,node2.tanu.com,impala.tanu.com:jks
cm.tanu.com:nm1.tanu.com,node1.tanu.com,node2.tanu.com,cm.tanu.com:jks
ROOT CA creation script:
root@ubuntu:/mnt/pool/usb-disk/X509CA/Project-cloudera1# cat Create_ROOTCA.sh
# 2048-bit RSA key for the root CA, encrypted with DES3 (prompts for a passphrase)
openssl genrsa -des3 -out MyRootCA.key 2048
# Self-signed root certificate, valid for 5000 days, signed with SHA-256
openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 5000 -out MyRootCA.pem -subj "/C=US/ST=NY/L=NYC/O=Global Security/OU=IT Department/CN=Hadoop CA Authority"
SAN certificate creation script, JKS format:
#!/bin/bash
export PATH=$PATH:/opt/jdk1.8.0_144/bin
# Process only the input lines whose FORMAT column is jks (LBNAME:NODES:FORMAT).
for cnname in $(grep -v "^#" certificates.txt | grep -i ":jks$")
do
    unset san
    cn=$(echo "$cnname" | cut -d":" -f1)
    count=1
    # Extension file listing every node name as a subjectAltName DNS entry;
    # the CA applies it at signing time.
    echo "[ req ]" >openssl-ext.cnf
    echo "req_extensions = v3_req" >>openssl-ext.cnf
    echo "[ v3_req ]" >>openssl-ext.cnf
    echo "subjectAltName = @alt_names" >>openssl-ext.cnf
    echo "[alt_names]" >>openssl-ext.cnf
    for x in $(echo "$cnname" | cut -d":" -f2 | tr "," "\n")
    do
        san+="dns:$x,"
        echo "DNS.$count = $x" >>openssl-ext.cnf
        count=$((count + 1))
    done
    san=${san%,}   # drop the trailing comma so keytool receives "dns:a,dns:b"
    echo "$san"
    mkdir -p "$cn"
    # Key pair under the load balancer name; the SAN list is also put in the CSR
    keytool -genkey -alias $cn -keyalg RSA -keystore $cn/$cn.jks -keysize 2048 -dname "CN=$cn,OU=IT,O=IT,L=NYC,S=NY,C=US" -storepass cloud123 -keypass cloud123
    keytool -certreq -alias $cn -keystore $cn/$cn.jks -file $cn/$cn.csr -ext SAN="$san" -storepass cloud123 -keypass cloud123
    # Sign with the root CA; openssl x509 -req takes the extensions from -extfile, not from the CSR
    openssl x509 -req -in $cn/$cn.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out $cn/$cn.pem -days 5000 -sha256 -extfile openssl-ext.cnf -extensions v3_req -passin pass:sathish123
    echo "Importing CA certificate into client keystore"
    # The root must be imported first so keytool can validate the signed reply that follows
    keytool -importcert -trustcacerts -keystore $cn/$cn.jks -alias MyRootCA -file MyRootCA.pem -storepass cloud123 -keypass cloud123 -noprompt
    echo "Importing certificate into client keystore"
    keytool -importcert -trustcacerts -keystore $cn/$cn.jks -alias $cn -file $cn/$cn.pem -storepass cloud123 -keypass cloud123 -noprompt
    echo "Creating truststore and importing CA certificate"
    keytool -importcert -keystore $cn/$cn.truststore -alias MyRootCA -file MyRootCA.pem -storepass cloud123 -keypass cloud123 -noprompt
done
SAN certificate creation script, PEM format:
root@ubuntu:/mnt/pool/usb-disk/X509CA/Project-cloudera1# cat pem__cert_create.sh
#!/bin/bash
export PATH=$PATH:/opt/jdk1.8.0_144/bin
# Process only the input lines whose FORMAT column is pem (LBNAME:NODES:FORMAT).
for cnname in $(grep -v "^#" certificates.txt | grep -i ":pem$")
do
    unset san
    cn=$(echo "$cnname" | cut -d":" -f1)
    count=1
    # OpenSSL config: non-interactive subject (prompt = no) plus the SAN list,
    # used both for the CSR and by the CA at signing time.
    echo "[ req ]" >openssl-ext.cnf
    echo "distinguished_name = req_distinguished_name" >>openssl-ext.cnf
    echo "req_extensions = v3_req" >>openssl-ext.cnf
    echo "prompt = no" >>openssl-ext.cnf
    echo "[req_distinguished_name]" >>openssl-ext.cnf
    echo "C = US" >>openssl-ext.cnf
    echo "ST = NY" >>openssl-ext.cnf
    echo "L = NYC" >>openssl-ext.cnf
    echo "O = Global Security" >>openssl-ext.cnf
    echo "OU = IT Department" >>openssl-ext.cnf
    echo "CN = $cn" >>openssl-ext.cnf
    echo "[ v3_req ]" >>openssl-ext.cnf
    echo "subjectAltName = @alt_names" >>openssl-ext.cnf
    echo "[alt_names]" >>openssl-ext.cnf
    for x in $(echo "$cnname" | cut -d":" -f2 | tr "," "\n")
    do
        san+="dns:$x,"
        echo "DNS.$count = $x" >>openssl-ext.cnf
        count=$((count + 1))
    done
    san=${san%,}
    echo "$san"
    mkdir -p "$cn"
    # Encrypted private key, CSR with the SAN extension, then signing by the root CA
    openssl genrsa -des3 -out $cn/$cn.key -passout pass:cloud123 2048
    openssl req -new -out $cn/$cn.csr -key $cn/$cn.key -passin pass:cloud123 -config openssl-ext.cnf
    openssl x509 -req -in $cn/$cn.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out $cn/$cn.pem -days 5000 -sha256 -extfile openssl-ext.cnf -extensions v3_req -passin pass:sathish123
done
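After running either script, the check worth making is that each issued certificate really carries every node from certificates.txt and chains to the root CA, since a missing SAN only shows up as a TLS failure once the load balancer forwards to that node. The script below is an added example, not part of the original post; it assumes the $cn/$cn.pem layout and MyRootCA.pem from the scripts above and an OpenSSL with the -ext option (1.1.1 or later).

```shell
#!/bin/sh
# Added check: confirm each issued certificate carries every node listed in
# certificates.txt and chains to MyRootCA.pem. Assumes the file layout the
# scripts above create ($cn/$cn.pem) and an OpenSSL with the -ext option (1.1.1+).

# Expected DNS names for one input line
# ("hive.tanu.com:nm1.tanu.com,node1.tanu.com:jks"), one host per line.
expected_sans() {
    printf '%s\n' "$1" | cut -d: -f2 | tr ',' '\n' | sed '/^$/d'
}

# Normalise the text printed by `openssl x509 -noout -ext subjectAltName`
# ("DNS:a, DNS:b") to one lower-case host per line.
actual_sans() {
    printf '%s\n' "$1" | grep -o 'DNS:[^, ]*' | cut -d: -f2 | tr 'A-Z' 'a-z' | sort -u
}

# Print the expected hosts that are absent from the SAN text.
# Returns 0 when nothing is missing, 1 otherwise.
missing_sans() {
    present=$(actual_sans "$2")
    rc=0
    for host in $(expected_sans "$1"); do
        lc=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$present" | grep -qx "$lc"; then
            echo "$host"
            rc=1
        fi
    done
    return $rc
}

# Check one issued certificate on disk against its input line, then verify
# that it chains to the root CA.
check_cert() {
    cn=$(printf '%s' "$1" | cut -d: -f1)
    san=$(openssl x509 -in "$cn/$cn.pem" -noout -ext subjectAltName) || return 1
    missing_sans "$1" "$san" || return 1
    openssl verify -CAfile MyRootCA.pem "$cn/$cn.pem" >/dev/null
}

# Constructed sample of openssl's output for a certificate that omits node2.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:nm1.tanu.com, DNS:node1.tanu.com, DNS:hive.tanu.com'

# Usage after running the scripts above:
#   grep -v '^#' certificates.txt | while read -r line; do check_cert "$line" || echo "FAIL $line"; done
```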