APPENDIX C

Setting Up a KeyStore and TrustStore for HTTP Encryption

A KeyStore is a database or repository of keys and certificates that are used for a variety of purposes, including authentication, encryption, or data integrity. In general, a KeyStore contains information of two types: key entries and trusted certificates.

I have already discussed how to configure your Hadoop cluster with network encryption in Chapter 4’s “Encrypting HTTP Communication” section. As a part of that setup, you need to create HTTPS certificates, a KeyStore for each host, and a common TrustStore.

Create HTTPS Certificates and KeyStore/TrustStore Files

To create HTTPS certificates and KeyStores, you need to perform the following steps:

  1. For each host, create a directory for storing the KeyStore and TrustStore and put its path in the shell variable SKEYLOC (you can substitute any directory name you like).
  2. For each host, create a key pair and a separate KeyStore. If your operating system command prompt is $, you have set the SKEYLOC variable, and assuming an example of a two-node cluster with hosts pract_hdp_sec and pract_hdp_sec2, the necessary commands look like the following (every option is introduced by a plain hyphen; a dash pasted from a word processor makes keytool reject the option):
    $ cd $SKEYLOC

    $ keytool -genkey -alias pract_hdp_sec -keyalg RSA -keysize 2048 -dname "CN=pract_hdp_sec,OU=IT,O=Ipsos,L=Chicago,ST=IL,C=us" -keypass 12345678 -keystore phsKeyStore1 -storepass 87654321

    $ keytool -genkey -alias pract_hdp_sec2 -keyalg RSA -keysize 2048 -dname "CN=pract_hdp_sec2,OU=IT,O=Ipsos,L=Chicago,ST=IL,C=us" -keypass 56781234 -keystore phsKeyStore2 -storepass 43218765

    This code generates two key pairs (a public key and associated private key for each) and a single-element certificate chain (a self-signed certificate) for each, stored as entry pract_hdp_sec in KeyStore phsKeyStore1 and entry pract_hdp_sec2 in KeyStore phsKeyStore2, respectively. Notice the use of the RSA algorithm for the key pair and the key length of 2048 bits: 1024-bit RSA keys have been below the generally accepted minimum (NIST SP 800-131A) since 2013, so do not go lower than 2048. The CN must be the host name that clients use to reach the node, or hostname verification fails. The passwords shown are placeholders; use your own, and note that keytool’s default certificate validity is only 90 days unless you add -validity.

  3. For each host, export the certificate (which carries the public key) to a separate PEM file:
    $ cd $SKEYLOC
    $ keytool -export -alias pract_hdp_sec -keystore phsKeyStore1 -rfc -file pract_hdp_sec_cert -storepass 87654321
    $ keytool -export -alias pract_hdp_sec2 -keystore phsKeyStore2 -rfc -file pract_hdp_sec2_cert -storepass 43218765
  4. Import the certificates of all the hosts into one common TrustStore file:
    $ cd $SKEYLOC
    $ keytool -import -noprompt -alias pract_hdp_sec -file pract_hdp_sec_cert -keystore phsTrustStore1 -storepass 4324324
    $ keytool -import -noprompt -alias pract_hdp_sec2 -file pract_hdp_sec2_cert -keystore phsTrustStore1 -storepass 4324324

    Note that the TrustStore file phsTrustStore1 is created by the first import if it doesn’t exist; the second import adds to it.

  5. Copy each host’s own KeyStore and the common TrustStore to the corresponding node (the TrustStore is the same file, phsTrustStore1, on every node):
    $ scp phsKeyStore1 phsTrustStore1 root@pract_hdp_sec:/etc/hadoop/conf/
    $ scp phsKeyStore2 phsTrustStore1 root@pract_hdp_sec2:/etc/hadoop/conf/
  6. Validate the common TrustStore file; the listing should show one trustedCertEntry per host:
    $ keytool -list -v -keystore phsTrustStore1 -storepass 4324324

Adjust Permissions for KeyStore/TrustStore Files

The KeyStore files contain private keys, so they need to have read permissions for owner and group only, and the group should be set to hadoop (the group the Hadoop daemons run as). The TrustStore file holds only public certificates and can have read permissions for everyone (owner, group, and others). The following commands set this up (the whole remote command string is enclosed in double quotes):

$ ssh root@pract_hdp_sec "cd /etc/hadoop/conf; chgrp hadoop phsKeyStore1; chmod 0440 phsKeyStore1; chmod 0444 phsTrustStore1"

$ ssh root@pract_hdp_sec2 "cd /etc/hadoop/conf; chgrp hadoop phsKeyStore2; chmod 0440 phsKeyStore2; chmod 0444 phsTrustStore1"

If need be, you can generate public key certificates to install in your browser. This completes the setup of a KeyStore and TrustStore for HTTP encryption.
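The whole procedure above, the six KeyStore/TrustStore steps and the permission settings, as one added example script that is not from the book. It assumes keytool from a JDK is on the PATH; the host names (node1.example, node2.example), the placeholder passwords, the output directory and the function names (build_all, truststore_has, cert_key_bits, set_store_perms, perm_string) are all chosen for this example. Beyond the book’s two-node case it takes any number of hosts, uses 2048-bit keys with a one-year validity and a SAN, and refuses to finish unless every host’s certificate is in the common TrustStore and every key meets the minimum size.

```bash
#!/usr/bin/env bash
# Added example (not from the book): one KeyStore per host plus a single
# common TrustStore for Hadoop HTTPS, then verification and lock-down.
# Assumes keytool (JDK) is on PATH. Host names, passwords and function
# names are placeholders chosen for this example.
set -u

KEY_BITS=2048                                       # 1024-bit RSA is below current minimums
VALID_DAYS=365                                      # keytool's default validity is only 90 days
KEYSTORE_PASS=${KEYSTORE_PASS:-KsPlaceholder1}      # placeholder; keytool wants >= 6 chars
TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-TsPlaceholder1}  # placeholder

# make_host_keystore OUTDIR HOST
# 2048-bit RSA key pair + self-signed cert (CN and SAN = HOST) in OUTDIR/HOST.jks,
# then the certificate exported as PEM to OUTDIR/HOST.crt for the TrustStore.
make_host_keystore() {
  local out=$1 host=$2
  keytool -genkeypair -alias "$host" -keyalg RSA -keysize "$KEY_BITS" \
    -sigalg SHA256withRSA -validity "$VALID_DAYS" \
    -dname "CN=$host,OU=IT,O=Example,L=Chicago,ST=IL,C=US" \
    -ext "SAN=dns:$host" -storetype JKS \
    -keystore "$out/$host.jks" -storepass "$KEYSTORE_PASS" \
    -keypass "$KEYSTORE_PASS" >/dev/null 2>&1 || return 1
  keytool -exportcert -rfc -alias "$host" -keystore "$out/$host.jks" \
    -storepass "$KEYSTORE_PASS" -file "$out/$host.crt" >/dev/null 2>&1
}

# add_to_truststore OUTDIR HOST TRUSTSTORE
# Imports OUTDIR/HOST.crt under alias HOST; keytool creates TRUSTSTORE if missing.
add_to_truststore() {
  local out=$1 host=$2 ts=$3
  keytool -importcert -noprompt -alias "$host" -file "$out/$host.crt" \
    -storetype JKS -keystore "$ts" -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# truststore_has HOST TRUSTSTORE -> exit 0 only if alias HOST is present
truststore_has() {
  keytool -list -alias "$1" -keystore "$2" -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# truststore_count TRUSTSTORE -> number of trusted certificate entries
truststore_count() {
  keytool -list -keystore "$1" -storepass "$TRUSTSTORE_PASS" 2>/dev/null \
    | grep -c 'trustedCertEntry'
}

# cert_key_bits KEYSTORE ALIAS -> RSA modulus size of the stored key (from keytool -list -v)
cert_key_bits() {
  keytool -list -v -alias "$2" -keystore "$1" -storepass "$KEYSTORE_PASS" 2>/dev/null \
    | sed -n 's/.*Subject Public Key Algorithm: \([0-9][0-9]*\)-bit RSA key.*/\1/p' | head -n 1
}

# set_store_perms KEYSTORE TRUSTSTORE GROUP
# Private key material: owner and group read only (0440), group = Hadoop service group.
# Public certificates only: world readable (0444).
set_store_perms() {
  chgrp "$3" "$1" && chmod 0440 "$1" && chmod 0444 "$2"
}

# perm_string FILE -> e.g. "-r--r-----" (ls -l is portable; GNU stat is not)
perm_string() {
  ls -l "$1" | cut -c1-10
}

# build_all OUTDIR HOST...
# Builds every KeyStore and the common TrustStore, then fails unless every host
# is present in the TrustStore and every key is at least KEY_BITS long.
build_all() {
  local out=$1 h; shift
  mkdir -p "$out"
  for h in "$@"; do
    make_host_keystore "$out" "$h" || { echo "key generation failed for $h" >&2; return 1; }
    add_to_truststore "$out" "$h" "$out/truststore.jks" || return 1
  done
  for h in "$@"; do
    truststore_has "$h" "$out/truststore.jks" || { echo "$h missing from TrustStore" >&2; return 1; }
    [ "$(cert_key_bits "$out/$h.jks" "$h")" -ge "$KEY_BITS" ] 2>/dev/null \
      || { echo "$h key is smaller than $KEY_BITS bits" >&2; return 1; }
  done
  keytool -list -keystore "$out/truststore.jks" -storepass "$TRUSTSTORE_PASS" 2>/dev/null
}

# Usage: bash build_stores.sh "$SKEYLOC" pract_hdp_sec pract_hdp_sec2
[ $# -eq 0 ] || build_all "$@"
```

Run it once on the build machine, copy each host’s own HOST.jks together with the single truststore.jks to that host’s /etc/hadoop/conf, and call set_store_perms there with the hadoop group, exactly as the ssh commands above do. The cert_key_bits check is what catches a stale 1024-bit KeyStore left over from an earlier run.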
