Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

Setting up SSL between different HDP components

Explorer

I am trying to setup SSL for HDFS on 4 Node cluster(Edge Node, Master Node and 2 Slave Nodes). I am trying to follow the link mentioned below to setup SSL between different hadoop services.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Security_Guide/content/create-internal-c...

i want to use the option of Creating and Setting internal CA repository(openssl). I have created the key and certificate for each node in cluster(including edge node).I am finding to hard to understand that where should i be keeping the truststore and keystore across different machines of the cluster? Shall i put it only on Namenode only or all node? Will Edge Node be part of setting up this SSL?

Please suggest the way to setup SSL in case of MultiNode Cluster?

1 ACCEPTED SOLUTION

@rahul gulati

You can follow the article that I have published few days ago. https://community.hortonworks.com/articles/52875/enable-https-for-hdfs.html

Please let me know if you have any questions.

View solution in original post

7 REPLIES 7

Explorer

@Jay SenSharma

Thoughts?

Guru

Hello @rahul gulati,

Here's what you need to do:

1. Set up your own CA using openssl

2. On each Hadoop service node (NN, DN, YARN RM, NM etc.) :

a. generate a key pair into 'server-keystore.jks' and export public cert into file

b. Get this public cert signed by CA keys

c. Import the signed-cert back into 'server-keystore.jks'

d. Import CA's public cert into a new 'server-truststore.jks'

3. On each edge node (where only Hadoop clients are supposed to run):

a. Import CA's public cert into a new 'client-truststore.jks'

Above should give you a fair idea of what should go where. Mind you, this only covers SSL infrastructure. This is assuming that you will do the rest of the Hadoop SSL configuration along with these.

Hope this helps!

@rahul gulati

You can follow the article that I have published few days ago. https://community.hortonworks.com/articles/52875/enable-https-for-hdfs.html

Please let me know if you have any questions.

Explorer

@apappu

I followed the same link. I want to get my cert signed by own CA. so i was trying to follow the step 1. but i was not getting sure where should i run each each step(1-7) in case of 4 node cluster.(Edge, Namenode and 2 slave nodes)?

@rahul gulati

For self signed cert - in step1 I have mentioned a block "If it is self signed cert" to create the cert. you need to create 2 different certs/keystore files for each Namenode. remaining steps you will be configuring at the service level - so number of nodes does not matter.

For example:

In NN1 host:

  1. keytool -genkey -keyalg RSA -alias NNHOST1 -keystore /tmp/keystore.jks -storepass bigdata -validity 360-keysize 2048

In NN2 host:

  1. keytool -genkey -keyalg RSA -alias NNHOST2 -keystore /tmp/keystore.jks -storepass bigdata -validity 360-keysize 2048

Create common trustore.

Run

In NN1 HOST:

keytool -v -importkeystore -srckeystore /tmp/keystore.jks -srcalias NNHOST1 -destkeystore truststore.jks

Now copy above create Truststore to NN2 HOST

keytool -v -importkeystore -srckeystore /tmp/keystore.jks -srcalias NNHOST2 -destkeystore truststore.jks

Now truststore has both certs - so copy this truststore to all the nodes (including NN1 host as well). configure the truststore path as mentioned int he article.

Explorer
@apappu

Thanks for the reply. If it is to be signed by self created CA or external CA then could you help in listing the steps for the same?

Thanks

@rahul gulati

I thought I have covered all the steps in the article. The only different for self signed and CA signed is STEP1 - so both mentioned there. for CA signed cert CA signing would provide you their root CA so that it can trust all their certs