Friday, October 13, 2017

Secure hadoop/cloudera cluster using PKI implementation

Setting up SSL/TLS for Cloudera Manager and its components with self-signed certificates is a little painful.

A Cloudera or Hadoop cluster has many nodes, and creating a self-signed certificate for each one and then maintaining the truststore across all nodes quickly becomes complex.


In my experience, a single root CA for the entire cluster is a good practice: each node's truststore then needs only the CA certificate for TLS communication, not the certificate of every other node.

Here are the simple shell scripts to:

create the root CA certificate
create, issue and sign a node certificate in PEM format
create, issue and sign a keystore and truststore in JKS format for Cloudera Manager and Hive

--------------------------------- Create root ca --------------------------------------

root@ubuntu:/mnt/pool/usb-disk/X509CA# cat Create_ROOTCA.sh
#!/bin/bash
# Root CA private key (DES3-encrypted; openssl prompts for the passphrase). Keep this file off the cluster nodes.
openssl genrsa -des3 -out MyRootCA.key 2048
# Self-signed root CA certificate, valid 5000 days. Only MyRootCA.pem is distributed to the nodes' truststores.
openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 5000 -out MyRootCA.pem -subj "/C=US/ST=NY/L=NYC/O=Global Security/OU=IT Department/CN=Hadoop CA Authority"

--------------- Create Certificate in PEM Format --------------------------

root@ubuntu:/mnt/pool/usb-disk/X509CA# cat Createcert_pem_format.sh
#!/bin/bash
# Issue a node certificate in PEM format signed by MyRootCA. Run from the directory holding MyRootCA.key and MyRootCA.pem.
set -e
echo "Enter the client Common Name (the node's FQDN): "
read cn
mkdir -p "$cn"
# Node private key (passphrase-protected) and a CSR carrying the node's CN
openssl genrsa -des3 -out "$cn/$cn.key" 2048
openssl req -new -key "$cn/$cn.key" -out "$cn/$cn.csr" -subj "/C=US/ST=NY/L=NYC/O=Global Security/OU=IT Department/CN=$cn"
# Sign the CSR with the root CA; -CAcreateserial creates MyRootCA.srl on first use.
# Note: no subjectAltName is added here; clients that require a SAN for hostname verification need one (pass it via -extfile).
openssl x509 -req -in "$cn/$cn.csr" -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out "$cn/$cn.pem" -days 5000 -sha256
# Ship the CA certificate alongside the node certificate so the node can trust the CA
cp MyRootCA.pem "$cn/"
# Leftover from Create_ROOTCA.sh, kept commented out: re-running it would overwrite the root CA certificate
#openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 5000 -out MyRootCA.pem -subj "/C=US/ST=NY/L=NYC/O=Global Security/OU=IT Department/CN=Hadoop CA Authority"

---------------- Create Keystore and Truststore in JKS Format ---------------------------------------

root@ubuntu:/mnt/pool/usb-disk/X509CA# cat Createcert_jks_format.sh
#!/bin/bash
# Issue a keystore (private key + CA-signed certificate) and a truststore (CA certificate only) in JKS format.
set -e
export PATH=$PATH:/opt/jdk1.8.0_144/bin
echo "Enter the Common Name :"
read cn
mkdir -p "$cn"
# Generate the key pair directly inside the JKS keystore (keytool prompts for the keystore and key passwords)
keytool -genkeypair -alias "$cn" -keyalg RSA -keystore "$cn/$cn.jks" -keysize 2048 -dname "CN=$cn,OU=IT,O=IT,L=NYC,S=NY,C=US"
# Export a CSR from the keystore and sign it with the root CA
keytool -certreq -alias "$cn" -keystore "$cn/$cn.jks" -file "$cn/$cn.csr"
openssl x509 -req -in "$cn/$cn.csr" -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out "$cn/$cn.pem" -days 5000 -sha256
# Import the CA certificate first, then the signed certificate under the key alias, so keytool can build the chain
keytool -importcert -trustcacerts -keystore "$cn/$cn.jks" -alias MyRootCA -file MyRootCA.pem
keytool -importcert -trustcacerts -keystore "$cn/$cn.jks" -alias "$cn" -file "$cn/$cn.pem"
# Separate truststore holding only the CA certificate, for distribution to clients and other nodes
keytool -importcert -keystore "$cn/$cn.truststore" -alias MyRootCA -file MyRootCA.pem
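The PEM issuance flow above, as an added example that is not part of the post's scripts: it issues a node certificate that also carries a subjectAltName (the post's script sets none) and then checks with `openssl verify` that the certificate chains to the root CA and not to any other CA. The helper names and the hostname are assumptions; keys are left unencrypted so it runs without passphrase prompts.

```shell
#!/bin/sh
# Added example (not the post's code): CA-signed node cert with a SAN, plus a
# chain check. Helper names are hypothetical; keys are unencrypted so the
# script runs non-interactively (the post's scripts use -des3). Needs openssl.
set -eu

# create_root_ca DIR: root key and self-signed CA certificate in DIR
create_root_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/MyRootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/MyRootCA.key" -sha256 -days 5000 \
    -out "$1/MyRootCA.pem" \
    -subj "/C=US/ST=NY/L=NYC/O=Global Security/OU=IT Department/CN=Hadoop CA Authority"
}

# issue_node_cert CADIR CN: key, CSR and CA-signed cert in CADIR/CN,
# adding subjectAltName=DNS:CN so hostname verification can succeed
issue_node_cert() {
  cadir="$1"; cn="$2"; out="$cadir/$cn"
  mkdir -p "$out"
  openssl genrsa -out "$out/$cn.key" 2048 2>/dev/null
  openssl req -new -key "$out/$cn.key" -out "$out/$cn.csr" \
    -subj "/C=US/ST=NY/L=NYC/O=Global Security/OU=IT Department/CN=$cn"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$cn" > "$out/$cn.ext"
  openssl x509 -req -in "$out/$cn.csr" -CA "$cadir/MyRootCA.pem" \
    -CAkey "$cadir/MyRootCA.key" -CAcreateserial -out "$out/$cn.pem" \
    -days 5000 -sha256 -extfile "$out/$cn.ext" 2>/dev/null
}

# verify_chain CAFILE CERT: succeeds only if CERT was signed by CAFILE
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_san CERT HOST: succeeds if CERT carries DNS:HOST in its SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# demo: throwaway directory and a constructed hostname; prints "... OK"
demo() {
  d=$(mktemp -d)
  create_root_ca "$d/ca"
  issue_node_cert "$d/ca" "node1.hadoop.example"
  openssl verify -CAfile "$d/ca/MyRootCA.pem" \
    "$d/ca/node1.hadoop.example/node1.hadoop.example.pem"
  rm -rf "$d"
}
```

Source the file and call `demo`, or use `issue_node_cert` against a real CA directory and keep `verify_chain` as a post-issuance check.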


