步骤:
在CA服务器上创建证书
在CA客户端导入证书
修改hdfs的hdfs-site.xml
配置hdfs的ssl配置文件
在CA服务器上
部署完成后才发现，所谓“CA服务器”并不需要运行任何服务，它只是生成并保管 CA 私钥的那台主机，任选一台即可。但这台主机必须是受控的：CA 私钥一旦泄露，攻击者就能签发出被整个集群信任的任意证书。
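# Create the self-signed CA certificate and its private key on the CA host.
# Only test_ca_cert (public) needs to reach the clients; test_ca_key must
# never leave this host.
#
# umask 077 makes the new key file owner-only. With the default umask the key
# ends up -rw-r--r-- (world-readable), which is exactly what the
# `ll /etc/pki/CA/private/` listing below shows.
umask 077
mkdir -p /var/opt/ssl/CA/private

# -x509         emit a self-signed certificate instead of a CSR
# -newkey       pin the key type/size (the log below shows a 2048-bit RSA key;
#               older/newer openssl builds pick different defaults otherwise)
# -days 9999    ~27 years — acceptable for a lab, far too long for a real CA;
#               shorten it outside a test environment
# The key is encrypted with the PEM pass phrase typed at the two prompts.
openssl req -new -x509 -newkey rsa:2048 \
  -keyout /var/opt/ssl/CA/private/test_ca_key \
  -out /var/opt/ssl/CA/private/test_ca_cert \
  -days 9999 \
  -subj '/C=CN/ST=zhejiang/L=hangzhou/O=dtdream/OU=security/CN=zelda.com'

# The certificate is public; only the key is secret, so let the cert be readable.
chmod 644 /var/opt/ssl/CA/private/test_ca_cert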
Generating a 2048 bit RSA private key
.....................................................+++
...................................................................................................+++
writing new private key to '/etc/pki/CA/private/test_ca_key'
#1234   ← 在提示处输入的 PEM 口令（这里只是示例值；生产环境请使用强口令，并且不要把真实口令写进文档或提交到仓库）
Enter PEM pass phrase:
#1234
Verifying - Enter PEM pass phrase:
-----
查看效果。注意两点：1) 上面输出里的私钥路径是 /etc/pki/CA/private/，与命令中写的 /var/opt/ssl/CA/private/ 不一致，说明命令在整理笔记时被改过，实际执行时要保证两处路径一致，后面 ansible 分发的 src 目录也要对应；2) 下面列出的 test_ca_key 权限是 -rw-r--r--（所有用户可读），私钥文件应改为 600（chmod 600 test_ca_key），否则本机任何用户都能拿到加密后的 CA 私钥去离线暴力破解口令。
[root@v-app2-cloud kduser]# ll /etc/pki/CA/private/
total 8
-rw-r--r-- 1 root root 1383 Mar 12 16:37 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 12 16:37 test_ca_key
[root@v-app2-cloud kduser]#
把生成的 CA 证书分发到各个客户端。注意：下面的命令把整个 /var/opt/ssl 目录（包括 CA 私钥 test_ca_key）复制到了所有 hadoop 节点，而客户端其实只需要 CA 证书 test_ca_cert，CA 私钥应只留在 CA 主机上（例如把 src 改为 /var/opt/ssl/CA/private/test_ca_cert）。如果后续步骤需要用 CA 私钥给各节点的证书签名，建议把各节点的 CSR 收集到 CA 主机上签名后再把签好的证书发回去，而不是把私钥散发到每台机器。
[hadoop@vm10-247-24-53 hadoop]$ ansible hadoop --become -m copy -a "src=/var/opt/ssl dest=/var/opt/"
10.247.24.54 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.28 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.49 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.63 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.53 | SUCCESS => {
"changed": false,
<