1 .下文为开启Ambari HTTPS相应步骤。
-
在集群内每个节点,创建hadoop https目录,执行:
mkdir -p /etc/security/hadoopStore;
chmod 755 /etc/security/hadoopStore; -
在Ambari Server节点,生成CA根证书,执行:
openssl req -new -x509 -nodes -keyout /etc/security/hadoopStore/clusterCA.key -out /etc/security/hadoopStore/clusterCA.pem -subj “/C=CH/ST=JS/L=SZ/O=CMCC/OU=CMSS/CN=$(hostname)”
然后生成trust-store文件:
/usr/jdk64/jdk1.8.0_77/bin/keytool -importcert -alias clusterCA -file /etc/security/hadoopStore/clusterCA.pem -keystore /etc/security/hadoopStore/clustertruststore.jks -storepass dXp8Ma_g7;
3.执行ambari-server setup-security
- 选择1 开启https
- 选择y
- 配置端口,默认8443
- 提供证书路径:/etc/security/hadoopStore/clusterCA.pem
- 提供keystore路径:/etc/security/hadoopStore/clusterCA.key
- 输入密码:dXp8Ma_g7
4.为Ambari设置trust-store
执行 ambari-server setup-security
Using python /usr/bin/python2.6
Security setup options…
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file :/etc/security/hadoopStore/clustertruststore.jks
Password for TrustStore:dXp8Ma_g7
Re-enter password:
Ambari Server ‘setup-security’ completed successfully.
5.执行ambari-server restart以及ambari-agent restart即可。
2.下文为开启Hadoop组件相应的HTTPS证书生成步骤。
-
拷贝HC证书
Ambari Server节点/etc/security/hadoopStore/目录(包括clusterCA.key、clusterCA.pem和clustertruststore.jks三个文件)到所有节点 -
在每个节点,创建server keystore,执行:
/usr/jdk64/jdk1.8.0_77/bin/keytool -genkeypair -alias hccluster -keyalg RSA -keysize 1024 -dname “CN=$(hostname),OU=cmss,O=cmss,L=sz,ST=js,C=cn” -keypass dXp8Ma_g7 -keystore /etc/security/hadoopStore/keystore.jks -storepass dXp8Ma_g7 -validity 360 -
在每个节点,生成证书签名请求文件,执行:
/usr/jdk64/jdk1.8.0_77/bin/keytool -keystore /etc/security/hadoopStore/keystore.jks -alias hccluster -certreq -file /etc/security/hadoopStore/host.cert -storepass dXp8Ma_g7 -keypass bigdata -
在每个节点,利用根证书对cert文件进行签名,执行:
openssl x509 -req -CA /etc/security/hadoopStore/clusterCA.pem -CAkey /etc/security/hadoopStore/clusterCA.key -in /etc/security/hadoopStore/host.cert -out /etc/security/hadoopStore/host.signed -days 360 -CAcreateserial -
在每个节点,将CA根证书和签名证书导入keystore文件,执行:
/usr/jdk64/jdk1.8.0_77/bin/keytool -keystore /etc/security/hadoopStore/keystore.jks -storepass dXp8Ma_g7 -alias clusterCA -import -file /etc/security/hadoopStore/clusterCA.pem;
/usr/jdk64/jdk1.8.0_77/bin/keytool -keystore /etc/security/hadoopStore/keystore.jks -storepass dXp8Ma_g7 -alias hccluster -import -file /etc/security/hadoopStore/host.signed -keypass dXp8Ma_g7;
注:导入相应证书之后,必须对相应的证书赋予权限,在每个节点上都执行chmod 755 /etc/security/hadoopStore/*
3.Hadoop证书制作过程始末
3.1 初始密钥库
3.2 初始密钥库导出的公钥证书
3.3 证书签名请求文件
3.4 签名后证书
3.5 导入CA后的KeyStore
3.6 导入签名证书后的keystore
3.7 最终导出的证书(验证)-与签名证书一致