https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117384#M55107 <P><A rel="user" href="https://community.cloudera.com/users/15105/rahgulati.html" nodeid="15105">@rahul gulati</A> </P><P>I thought I have covered all the steps in the article. The only different for self signed and CA signed is STEP1 - so both mentioned there. for CA signed cert CA signing would provide you their root CA so that it can trust all their certs</P> Mon, 27 Feb 2017 02:17:58 GMT apappu 2017-02-27T02:17:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117377#M55100 <P>I am trying to setup SSL for HDFS on 4 Node cluster(Edge Node, Master Node and 2 Slave Nodes). I am trying to follow the link mentioned below to setup SSL between different hadoop services. </P><P><A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Security_Guide/content/create-internal-ca.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Security_Guide/content/create-internal-ca.html</A></P><P>i want to use the option of Creating and Setting internal CA repository(openssl). I have created the key and certificate for each node in cluster(including edge node).I am finding to hard to understand that where should i be keeping the truststore and keystore across different machines of the cluster? Shall i put it only on Namenode only or all node? Will Edge Node be part of setting up this SSL?</P><P>Please suggest the way to setup SSL in case of MultiNode Cluster?</P> Tue, 21 Feb 2017 22:44:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117377#M55100 munnyrahul 2017-02-21T22:44:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117378#M55101 <P><A rel="user" href="https://community.cloudera.com/users/3418/jsensharma.html" nodeid="3418">@Jay SenSharma</A> </P><P>Thoughts?</P> Tue, 21 Feb 2017 22:44:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117378#M55101 munnyrahul 2017-02-21T22:44:54Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117379#M55102 <P>Hello <A href="https://community.hortonworks.com/questions/84717/setting-up-ssl-between-different-hdp-components.html#">@rahul gulati</A>,</P><P>Here's what you need to do:</P><P>1. Set up your own CA using openssl</P><P>2. On each Hadoop service node (NN, DN, YARN RM, NM etc.) :</P><P style="margin-left: 20px;">a. generate a key pair into 'server-keystore.jks' and export public cert into file</P><P style="margin-left: 20px;">b. Get this public cert signed by CA keys</P><P style="margin-left: 20px;">c. Import the signed-cert back into 'server-keystore.jks'</P><P style="margin-left: 20px;">d. Import CA's public cert into a new 'server-truststore.jks'</P><P>3. On each edge node (where only Hadoop clients are supposed to run):</P><P style="margin-left: 20px;">a. Import CA's public cert into a new 'client-truststore.jks'</P><P>Above should give you a fair idea of what should go where. Mind you, this only covers SSL infrastructure. This is assuming that you will do the rest of the Hadoop SSL configuration along with these.</P><P>Hope this helps!</P> Sat, 25 Feb 2017 10:08:52 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117379#M55102 VR46 2017-02-25T10:08:52Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117380#M55103 <P><A rel="user" href="https://community.cloudera.com/users/15105/rahgulati.html" nodeid="15105">@rahul gulati</A></P><P>You can follow the article that I have published few days ago. <A href="https://community.hortonworks.com/articles/52875/enable-https-for-hdfs.html" target="_blank">https://community.hortonworks.com/articles/52875/enable-https-for-hdfs.html</A></P><P>Please let me know if you have any questions.</P> Sat, 25 Feb 2017 12:50:12 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117380#M55103 apappu 2017-02-25T12:50:12Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117381#M55104 <P><A rel="user" href="https://community.cloudera.com/users/11311/apappu.html" nodeid="11311">@apappu</A> </P><P>I followed the same link. I want to get my cert signed by own CA. so i was trying to follow the step 1. but i was not getting sure where should i run each each step(1-7) in case of 4 node cluster.(Edge, Namenode and 2 slave nodes)?</P> Sat, 25 Feb 2017 23:51:31 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117381#M55104 munnyrahul 2017-02-25T23:51:31Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117382#M55105 <P><A rel="user" href="https://community.cloudera.com/users/15105/rahgulati.html" nodeid="15105">@rahul gulati</A> </P><P>For self signed cert - in step1 I have mentioned a block "If it is self signed cert" to create the cert. you need to create 2 different certs/keystore files for each Namenode. remaining steps you will be configuring at the service level - so number of nodes does not matter.</P><P>For example:</P><P>In NN1 host: </P><OL> <LI>keytool -genkey -keyalg RSA -alias NNHOST1 -keystore /tmp/keystore.jks -storepass bigdata -validity 360-keysize 2048</LI></OL><P>In NN2 host:</P><OL> <LI>keytool -genkey -keyalg RSA -alias NNHOST2 -keystore /tmp/keystore.jks -storepass bigdata -validity 360-keysize 2048</LI></OL><P>Create common trustore.</P><P>Run</P><P>In NN1 HOST:</P><P>keytool -v -importkeystore -srckeystore /tmp/keystore.jks -srcalias NNHOST1 -destkeystore truststore.jks</P><P>Now copy above create Truststore to NN2 HOST</P><P>keytool -v -importkeystore -srckeystore /tmp/keystore.jks -srcalias NNHOST2 -destkeystore truststore.jks</P><P>Now truststore has both certs - so copy this truststore to all the nodes (including NN1 host as well). configure the truststore path as mentioned int he article.</P> Mon, 27 Feb 2017 01:54:46 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117382#M55105 apappu 2017-02-27T01:54:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117383#M55106 <A rel="user" href="https://community.cloudera.com/users/11311/apappu.html" nodeid="11311">@apappu</A><P>Thanks for the reply. If it is to be signed by self created CA or external CA then could you help in listing the steps for the same?</P><P>Thanks</P> Mon, 27 Feb 2017 02:00:40 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117383#M55106 munnyrahul 2017-02-27T02:00:40Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117384#M55107 <P><A rel="user" href="https://community.cloudera.com/users/15105/rahgulati.html" nodeid="15105">@rahul gulati</A> </P><P>I thought I have covered all the steps in the article. The only different for self signed and CA signed is STEP1 - so both mentioned there. for CA signed cert CA signing would provide you their root CA so that it can trust all their certs</P> Mon, 27 Feb 2017 02:17:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-SSL-between-different-HDP-components/m-p/117384#M55107 apappu 2017-02-27T02:17:58Z