Setting up SSL between different HDP components
Labels: Apache Ambari
Created ‎02-21-2017 02:44 PM
I am trying to set up SSL for HDFS on a 4-node cluster (Edge Node, Master Node and 2 Slave Nodes). I am trying to follow the link mentioned below to set up SSL between different Hadoop services.
I want to use the option of creating and setting up an internal CA repository (openssl). I have created the key and certificate for each node in the cluster (including the edge node). I am finding it hard to understand where I should be keeping the truststore and keystore across the different machines of the cluster. Should I put them on the NameNode only or on all nodes? Will the Edge Node be part of setting up this SSL?
Please suggest the way to set up SSL in the case of a multi-node cluster.
Created ‎02-21-2017 02:44 PM
Thoughts?
Created ‎02-25-2017 02:08 AM
Hello @rahul gulati,
Here's what you need to do:
1. Set up your own CA using openssl.
2. On each Hadoop service node (NN, DN, YARN RM, NM etc.):
   a. Generate a key pair into 'server-keystore.jks' and export the public cert into a file.
   b. Get this public cert signed by the CA keys.
   c. Import the signed cert back into 'server-keystore.jks'.
   d. Import the CA's public cert into a new 'server-truststore.jks'.
3. On each edge node (where only Hadoop clients are supposed to run):
   a. Import the CA's public cert into a new 'client-truststore.jks'.
The above should give you a fair idea of what should go where. Mind you, this only covers the SSL infrastructure. This is assuming that you will do the rest of the Hadoop SSL configuration along with these.
Hope this helps!
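The steps in the reply above, as an added shell example that is not part of the original post: each service node gets a keystore holding its own private key plus the CA-signed certificate, while every truststore (server or edge) holds only the CA's public certificate. The function names, hostnames, CA subject and password are constructed placeholders; the store file names are the ones used in the reply.

```shell
#!/usr/bin/env bash
# Added example: keystore/truststore layout for a private CA (steps 1-3 above).
# Hostnames, the CA subject and the password are constructed placeholders.
set -eu
PASS="${STORE_PASS:-placeholder-secret}"   # supply the real secret via STORE_PASS

# Step 1 (run once, on the CA host): CA key and self-signed CA certificate.
make_ca() {   # $1 = CA directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 360 \
    -subj "/CN=Example Hadoop Internal CA" -keyout "$1/ca.key" -out "$1/ca.crt"
}

# Steps 2a-2c (per service node): key pair, CSR, CA signature, import.
# In a real cluster only the CSR travels to the CA host and only the signed
# cert comes back; the node's private key never leaves server-keystore.jks.
issue_node_keystore() {   # $1 = CA directory, $2 = node directory, $3 = node FQDN
  ks="$2/server-keystore.jks"
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 -alias "$3" \
    -dname "CN=$3" -keystore "$ks" -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$3" -keystore "$ks" -storepass "$PASS" -file "$2/$3.csr"
  openssl x509 -req -in "$2/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 360 -out "$2/$3.crt"
  # The CA cert goes in first so keytool can chain the signed reply to it.
  keytool -importcert -noprompt -alias rootca -file "$1/ca.crt" \
    -keystore "$ks" -storepass "$PASS"
  keytool -importcert -noprompt -alias "$3" -file "$2/$3.crt" \
    -keystore "$ks" -storepass "$PASS"
}

# Steps 2d and 3a: a truststore contains the CA's public certificate only.
make_truststore() {   # $1 = CA directory, $2 = truststore path
  keytool -importcert -noprompt -alias rootca -file "$1/ca.crt" \
    -keystore "$2" -storepass "$PASS"
}

# Check before distributing a store: number of private-key entries it holds.
# Expect 1 for a node's server-keystore.jks and 0 for any truststore.
count_private_keys() {   # $1 = store path
  keytool -list -keystore "$1" -storepass "$PASS" 2>/dev/null \
    | grep -c PrivateKeyEntry || true
}
```

Run `count_private_keys` on any store that is about to be copied to other machines; a truststore that reports anything other than 0 contains key material that should not leave its node.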
Created ‎02-25-2017 04:50 AM
You can follow the article that I published a few days ago: https://community.hortonworks.com/articles/52875/enable-https-for-hdfs.html
Please let me know if you have any questions.
Created ‎02-25-2017 03:51 PM
I followed the same link. I want to get my cert signed by my own CA, so I was trying to follow step 1, but I was not sure where I should run each step (1-7) in the case of a 4-node cluster (Edge, NameNode and 2 slave nodes).
Created ‎02-26-2017 05:54 PM
For a self-signed cert: in step 1 I have mentioned a block "If it is self signed cert" to create the cert. You need to create 2 different certs/keystore files for each NameNode. The remaining steps you will be configuring at the service level, so the number of nodes does not matter.
For example:
In NN1 host:
- keytool -genkey -keyalg RSA -alias NNHOST1 -keystore /tmp/keystore.jks -storepass bigdata -validity 360 -keysize 2048
In NN2 host:
- keytool -genkey -keyalg RSA -alias NNHOST2 -keystore /tmp/keystore.jks -storepass bigdata -validity 360 -keysize 2048
Create a common truststore.
Run
In NN1 HOST:
- keytool -v -importkeystore -srckeystore /tmp/keystore.jks -srcalias NNHOST1 -destkeystore truststore.jks
Now copy the truststore created above to NN2 HOST:
- keytool -v -importkeystore -srckeystore /tmp/keystore.jks -srcalias NNHOST2 -destkeystore truststore.jks
Now the truststore has both certs, so copy this truststore to all the nodes (including the NN1 host as well). Configure the truststore path as mentioned in the article.
Created ‎02-26-2017 06:00 PM
Thanks for the reply. If it is to be signed by a self-created CA or an external CA, could you help by listing the steps for that?
Thanks
Created ‎02-26-2017 06:17 PM
I thought I had covered all the steps in the article. The only difference between self-signed and CA-signed is STEP 1, so both are mentioned there. For a CA-signed cert, the signing CA would provide you their root CA so that it can trust all their certs.
