Changing Key and Trust Store Passwords

Change key and trust store passwords by using the ${MAPR_HOME}/server/manageSSLKeys utility.

Release 7.0.0 added a new changepassword command to the ${MAPR_HOME}/server/manageSSLKeys utility. The existing copywithconfiguredpassword and createrandompassword commands remain for upgrade purposes but are deprecated starting with release 7.0.0.

To change the key store password, you must provide the current key store password with the -k option. To change the trust store password, you must provide the current trust store password with the -t option. To set the new user-selectable password, use the -kp or -tp option. Otherwise, a random password is created. Note that you must pair the -kp and/or -tp options with the -k and/or -t options, respectively. For example:
# /opt/mapr/server/manageSSLKeys.sh changepassword  \ 
                      -k 8zVMhs8RtLDXpnTTIBqQkt_q_pFFV3I_ \ 
                      -t 5eqHoTrLRaiev6dwxJhfzm3qpPqW_0J2 
To change the password:
  1. Run the manageSSLKeys.sh changepassword command on the first node in the cluster. Running the command creates a directory under /tmp, with new password files and a script. A new store-passwords.txt is also created in this directory. It is a best practice to keep the passwords in this file and delete store-passwords.txt from the /tmp directory.
  2. Stop ZooKeeper and Warden on all nodes in the cluster.
  3. Distribute the above directory to all nodes in the cluster.
    NOTE
    Instead of distributing the directory to all nodes in the cluster, run the manageSSLKeys.sh changepassword command used in step 1 on each node. This option eliminates file type and format issues in a cluster on both FIPS and non-FIPS nodes.
  4. On each node in the cluster, make sure they have the correct ownership and permissions, and then run copyPasswordFiles.sh from this directory.
  5. Run configure.sh -R on all nodes to allow all services to update their configuration.
  6. Start ZooKeeper and Warden on all nodes in the cluster.

The security-file type and format are different on FIPS- and non-FIPS-enabled nodes. You cannot copy the modified passwords across FIPS to non-FIPS or vice versa. To change a password with both FIPS and non-FIPS nodes in a cluster, run the procedure twice: once on the FIPS node and once on the non-FIPS node. Only copy the generated files to, and run the script on, nodes with the same FIPS or non-FIPS type.