Changing Key and Trust Store Passwords
Change key and trust store passwords by using the ${MAPR_HOME}/server/manageSSLKeys utility.
Release 7.0.0 added a new changepassword command to the ${MAPR_HOME}/server/manageSSLKeys utility. The existing copywithconfiguredpassword and createrandompassword commands remain for upgrade purposes but are deprecated starting with release 7.0.0.
-k option. To change the trust store password, you must provide the current trust store password with the -t option. To set the new user-selectable password, use the -kp or -tp option. Otherwise, a random password is created. Note that you must pair the -kp and/or -tp options with the -k and/or -t options, respectively. For example:

# /opt/mapr/server/manageSSLKeys.sh changepassword \
    -k 8zVMhs8RtLDXpnTTIBqQkt_q_pFFV3I_ \
    -t 5eqHoTrLRaiev6dwxJhfzm3qpPqW_0J2

- Run the manageSSLKeys.sh changepassword command on the first node in the cluster. Running the command creates a directory under /tmp, with new password files and a script. A new store-passwords.txt is also created in this directory. It is a best practice to keep the passwords in this file and delete store-passwords.txt from the /tmp directory.
- Stop ZooKeeper and Warden on all nodes in the cluster.
- Distribute the above directory to all nodes in the cluster.
  NOTE: Instead of distributing the directory to all nodes in the cluster, run the manageSSLKeys.sh changepassword command used in step 1 on each node. This option eliminates file type and format issues in a cluster on both FIPS and non-FIPS nodes.
- On each node in the cluster, make sure the files in the directory have the correct ownership and permissions, and then run copyPasswordFiles.sh from this directory.
- Run configure.sh -R on all nodes to allow all services to update their configuration.
- Start ZooKeeper and Warden on all nodes in the cluster.

The security-file type and format are different on FIPS- and non-FIPS-enabled nodes. You cannot copy the modified passwords across FIPS to non-FIPS or vice versa. To change a password with both FIPS and non-FIPS nodes in a cluster, run the procedure twice: once on the FIPS node and once on the non-FIPS node. Only copy the generated files to, and run the script on, nodes with the same FIPS or non-FIPS type.
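
The ownership, permission and FIPS-type checks from the procedure and the paragraph above can be run as a pre-flight test on each node before copyPasswordFiles.sh. The script below is an added example, not part of the product or the original page. Its assumptions: the expected owner is passed in by the operator, "correct permissions" is taken to mean no group or other permission bits (a site policy, not stated on the page), the node's FIPS state is read from the Linux kernel flag /proc/sys/crypto/fips_enabled, and FIPS_FLAG_FILE is a hypothetical override used only for testing.

```shell
#!/bin/sh
# Added example, not part of the product. Assumed policy (not stated on the
# page): staged files belong to one expected owner and carry no group/other
# permission bits.

# Print "fips" or "non-fips" for the local node from the Linux kernel flag.
# FIPS_FLAG_FILE is a hypothetical override used only to test the function.
local_fips_mode() {
    flag=${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; then
        echo fips
    else
        echo non-fips
    fi
}

# check_staged_dir DIR OWNER SOURCE_MODE
#   DIR          directory created by "manageSSLKeys.sh changepassword"
#   OWNER        account expected to own every file (site-specific)
#   SOURCE_MODE  "fips" or "non-fips": type of the node that generated DIR
# Prints one line per problem; returns 0 only when there are none.
check_staged_dir() {
    dir=$1; owner=$2; source_mode=$3; rc=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"; return 1
    fi
    node_mode=$(local_fips_mode)
    if [ "$node_mode" != "$source_mode" ]; then
        echo "FIPS mismatch: files from a $source_mode node, this node is $node_mode"; rc=1
    fi
    if [ ! -f "$dir/copyPasswordFiles.sh" ]; then
        echo "copyPasswordFiles.sh not found in $dir"; rc=1
    fi
    if [ -e "$dir/store-passwords.txt" ]; then
        echo "store-passwords.txt still present: save the passwords elsewhere and delete it"; rc=1
    fi
    # Any file readable, writable or executable by group or other.
    loose=$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
        echo "group/other permissions set on:"; echo "$loose"; rc=1
    fi
    foreign=$(find "$dir" ! -user "$owner")
    if [ -n "$foreign" ]; then
        echo "not owned by $owner:"; echo "$foreign"; rc=1
    fi
    return $rc
}
```

Source the file and call check_staged_dir with the generated directory, the owning account and the type of the node that produced the files; run copyPasswordFiles.sh only when it returns 0.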