Setting Up a KeyStore and TrustStore for HTTP Encryption
A KeyStore is a database or repository of keys and certificates that are used for a variety of purposes, including authentication, encryption, or data integrity. In general, a KeyStore contains information of two types: key entries and trusted certificates.
I have already discussed how to configure your Hadoop cluster with network encryption in Chapter 4’s “Encrypting HTTP Communication” section. As part of that setup, you need to create HTTPS certificates and KeyStores.
Create HTTPS Certificates and KeyStore/TrustStore Files
To create HTTPS certificates and KeyStores, you need to perform the following steps:
$ cd $SKEYLOC
$ keytool -genkey -alias pract_hdp_sec -keyalg RSA -keysize 1024 -dname "CN=pract_hdp_sec,OU=IT,O=Ipsos,L=Chicago,ST=IL,C=us" -keypass 12345678 -keystore phsKeyStore1 -storepass 87654321
$ keytool -genkey -alias pract_hdp_sec2 -keyalg RSA -keysize 1024 -dname "CN=pract_hdp_sec2,OU=IT,O=Ipsos,L=Chicago,ST=IL,C=us" -keypass 56781234 -keystore phsKeyStore2 -storepass 43218765
These commands generate two key pairs (a public key and its associated private key for each) and a single-element certificate chain for each, stored as entry pract_hdp_sec in KeyStore phsKeyStore1 and entry pract_hdp_sec2 in KeyStore phsKeyStore2, respectively. Notice the use of the RSA algorithm for public key encryption and the key length of 1024 bits.
Next, export the public key certificate from each KeyStore:
$ cd $SKEYLOC
$ keytool -export -alias pract_hdp_sec -keystore phsKeyStore1 -rfc -file pract_hdp_sec_cert -storepass 87654321
$ keytool -export -alias pract_hdp_sec2 -keystore phsKeyStore2 -rfc -file pract_hdp_sec2_cert -storepass 43218765
Then import both certificates into a TrustStore:
$ cd $SKEYLOC
$ keytool -import -noprompt -alias pract_hdp_sec -file pract_hdp_sec_cert -keystore phsTrustStore1 -storepass 4324324
$ keytool -import -noprompt -alias pract_hdp_sec2 -file pract_hdp_sec2_cert -keystore phsTrustStore1 -storepass 4324324
Note that keytool creates the TrustStore file if it does not already exist.
Copy the KeyStore and TrustStore files to the Hadoop configuration directory on each node:
$ scp phsKeyStore1 phsTrustStore1 root@pract_hdp_sec:/etc/hadoop/conf/
$ scp phsKeyStore2 phsTrustStore2 root@pract_hdp_sec2:/etc/hadoop/conf/
Finally, verify the contents of the TrustStore:
$ keytool -list -v -keystore phsTrustStore1 -storepass 4324324
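The whole procedure above (generate key pairs, export certificates, import them into a TrustStore, verify) as one script. This is an added example, not code from the book: it runs the same keytool steps in a scratch directory so you can test them before touching /etc/hadoop/conf, and it checks that the TrustStore ends up with both certificates. It departs from the book's commands in three ways, each stated in the comments: 2048-bit RSA keys instead of 1024-bit (1024-bit RSA is no longer considered adequate), an explicit PKCS12 store type, and a single password per store, because PKCS12 stores do not support a key password that differs from the store password. The passwords and the organisation in the distinguished name are placeholders.

```shell
#!/bin/sh
# Added example (not from the book): scripts the KeyStore/TrustStore procedure
# in a scratch directory and verifies the TrustStore holds both certificates.
# Deviations from the book's commands: 2048-bit RSA, PKCS12 store type, and one
# password per store (PKCS12 cannot hold a key password different from the store's).
# All passwords and "O=Example" below are placeholders, not values from the book.
set -eu

KEYSIZE=2048
DN_SUFFIX="OU=IT,O=Example,L=Chicago,ST=IL,C=US"

create_keystore() {
  # $1 = alias (also used as CN), $2 = keystore file, $3 = password
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize "$KEYSIZE" \
    -dname "CN=$1,$DN_SUFFIX" -validity 365 \
    -keystore "$2" -storetype PKCS12 -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

export_cert() {
  # $1 = alias, $2 = keystore file, $3 = store password, $4 = PEM output file
  keytool -exportcert -alias "$1" -keystore "$2" -storepass "$3" \
    -rfc -file "$4" >/dev/null 2>&1
}

import_cert() {
  # $1 = alias, $2 = PEM file, $3 = truststore (created if absent), $4 = password
  keytool -importcert -noprompt -alias "$1" -file "$2" \
    -keystore "$3" -storetype PKCS12 -storepass "$4" >/dev/null 2>&1
}

count_trusted_entries() {
  # $1 = truststore file, $2 = password; prints how many trustedCertEntry rows it lists
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -ci 'trustedCertEntry' || true
}

build_stores() {
  # $1 = working directory. Produces phsKeyStore1, phsKeyStore2 and phsTrustStore1
  # (the file names used in the text) and prints the TrustStore entry count.
  dir=$1
  create_keystore pract_hdp_sec  "$dir/phsKeyStore1" ks1-placeholder-pw
  create_keystore pract_hdp_sec2 "$dir/phsKeyStore2" ks2-placeholder-pw
  export_cert pract_hdp_sec  "$dir/phsKeyStore1" ks1-placeholder-pw "$dir/pract_hdp_sec_cert"
  export_cert pract_hdp_sec2 "$dir/phsKeyStore2" ks2-placeholder-pw "$dir/pract_hdp_sec2_cert"
  import_cert pract_hdp_sec  "$dir/pract_hdp_sec_cert"  "$dir/phsTrustStore1" ts-placeholder-pw
  import_cert pract_hdp_sec2 "$dir/pract_hdp_sec2_cert" "$dir/phsTrustStore1" ts-placeholder-pw
  count_trusted_entries "$dir/phsTrustStore1" ts-placeholder-pw
}

# Stand-alone use: "sh setup_stores.sh --run" builds the stores in a scratch
# directory and reports how many trusted certificates the TrustStore contains.
if [ "${1:-}" = "--run" ]; then
  work=$(mktemp -d)
  echo "trusted entries in $work/phsTrustStore1: $(build_stores "$work")"
fi
```

Two practical points. The import step, in the book and in this script, only ever creates phsTrustStore1, so if each node is meant to receive its own TrustStore file, as the scp commands suggest, either run the imports a second time against phsTrustStore2 or copy phsTrustStore1 under both names; the contents are identical. Passwords given on the command line also land in shell history and are visible to other users via ps while keytool runs; keytool accepts the -storepass:env and -storepass:file modifiers (reading the password from an environment variable or a file) if you want to avoid that.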
Adjust Permissions for KeyStore/TrustStore Files
The KeyStore files need read permissions for the owner and group only, and their group should be set to hadoop. The TrustStore files should be readable by everyone (owner, group, and others). The following commands set this up:
$ ssh root@pract_hdp_sec "cd /etc/hadoop/conf; chgrp hadoop phsKeyStore1; chmod 0440 phsKeyStore1; chmod 0444 phsTrustStore1"
$ ssh root@pract_hdp_sec2 "cd /etc/hadoop/conf; chgrp hadoop phsKeyStore2; chmod 0440 phsKeyStore2; chmod 0444 phsTrustStore2"
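Setting the permissions once is easy; what tends to drift is someone later running a broad chmod in the configuration directory, which silently exposes the private key. The following check, an added example and not code from the book, audits a configuration directory for exactly the rules stated above: every KeyStore file must be mode 0440 and owned by the given group, and every TrustStore file must be mode 0444. It relies only on POSIX find(1), so it runs unchanged on any Hadoop node; the file-name patterns match the phsKeyStore and phsTrustStore names used in the text.

```shell
#!/bin/sh
# Added example (not from the book): verifies that KeyStore/TrustStore files carry
# the permissions the text prescribes (KeyStore 0440 + group hadoop, TrustStore 0444).
# Only POSIX find(1) is used. The directory and group are parameters; the book's
# values are /etc/hadoop/conf and hadoop.

has_mode() {
  # $1 = file, $2 = octal mode; true only if the permission bits match exactly
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

has_group() {
  # $1 = file, $2 = group name; true if the file's group is $2
  [ -n "$(find "$1" -prune -group "$2" 2>/dev/null)" ]
}

check_keystore() {
  # $1 = KeyStore file, $2 = required group. Returns 0 if compliant, 1 otherwise.
  has_mode "$1" 0440 && has_group "$1" "$2"
}

check_truststore() {
  # $1 = TrustStore file. Returns 0 if it is world-readable and not writable (0444).
  has_mode "$1" 0444
}

audit_conf_dir() {
  # $1 = configuration directory, $2 = required KeyStore group.
  # Prints one line per non-compliant file, then the number of problems as the last line.
  problems=0
  for f in "$1"/*KeyStore*; do
    [ -f "$f" ] || continue
    if ! check_keystore "$f" "$2"; then
      echo "NOT OK: $f must be mode 0440, group $2"
      problems=$((problems + 1))
    fi
  done
  for f in "$1"/*TrustStore*; do
    [ -f "$f" ] || continue
    if ! check_truststore "$f"; then
      echo "NOT OK: $f must be mode 0444"
      problems=$((problems + 1))
    fi
  done
  echo "$problems"
}

# Stand-alone use: "sh audit_stores.sh /etc/hadoop/conf hadoop" on each node.
if [ $# -eq 2 ]; then
  audit_conf_dir "$1" "$2"
fi
```

Run it on each node after the chmod/chgrp commands above, and again from cron or a configuration-management check, so that a later permission change on the KeyStore is reported rather than discovered during an incident. Note that the check is deliberately exact: a KeyStore at 0400 or 0640 is reported too, since either differs from what the text specifies, even though 0400 is no less safe.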
If need be, you can generate public key certificates to install in your browser. This completes the setup of a KeyStore and TrustStore for HTTP encryption.