Converting Between Key and Trust Store Formats

Describes enhancements to the `manageSSLKeys.sh convert` command to enable the conversion of key and trust stores from JKS to BCFKS format or vice versa.
Release 7.0.0 enhanced the `convert` command in the `${MAPR_HOME}/server/manageSSLKeys.sh` utility to support the conversion of key and trust stores from JKS to BCFKS format and vice versa. Key- and trust-store conversion is required if you configure mixed clusters containing both FIPS and non-FIPS enabled nodes.
For example:

- Adding a secure non-FIPS node to an existing cluster consisting of only FIPS-enabled nodes.
- Adding a FIPS-enabled node to an existing cluster consisting of only secure non-FIPS-enabled nodes.

The node being added can be a server node, such as a CLDB, MFS-only, or another server or client node. Since the JKS store type is not supported on FIPS-enabled nodes, this command must be run on a secure non-FIPS node.
- If you are adding a secure non-FIPS node to an existing cluster consisting of only FIPS-enabled nodes, copy the BCFKS key or trust store from the `${MAPR_HOME}/conf` directory of the FIPS-enabled node to a temporary location on the secure non-FIPS node. Do so before running the `manageSSLKeys.sh convert` command. Specify the destination location as `${MAPR_HOME}/conf/<store>` in the `manageSSLKeys.sh convert` command so that the newly converted JKS key or trust store is written to the `${MAPR_HOME}/conf` directory.
- If you are adding a FIPS-enabled node to an existing cluster consisting of only secure non-FIPS-enabled nodes, the source JKS-format key or trust store already exists in the `${MAPR_HOME}/conf` directory of the secure non-FIPS node. It can be used directly as the source file in `manageSSLKeys.sh convert`; there is no need to copy it. After the key or trust store is converted to BCFKS format, copy the newly converted BCFKS key or trust store from the temporary location on the secure non-FIPS-enabled node to the `${MAPR_HOME}/conf` directory of the FIPS-enabled node.
After the converted JKS (for secure non-FIPS) or BCFKS (for FIPS) store is added to the `${MAPR_HOME}/conf` directory, run `configure.sh` with the `-storepasswds` parameter to generate the credential stores and complete the configuration. This process is described in greater detail in Enabling Security on a Configured Cluster.
The basic syntax for the `manageSSLKeys.sh convert` command, including the arguments added for store conversion, is shown below.

```
/opt/mapr/server/manageSSLKeys.sh convert \
    [-N <clustername> ] [-k] [-n] [-p <passwd>] \
    [-srcType JKS|bcfks|pkcs12] [-dstType JKS|bcfks|pkcs12] \
    <in key/trust store> <out key/trust store>
```
Conversion between JKS and BCFKS key and trust stores requires the arguments listed in the table below.

| Parameter | Description |
|---|---|
| `-p <passwd>` | The password for the source key or trust store. The destination key or trust store is set to the same password. |
| `-srcType` | The type of the source key or trust store. Supported types for conversion are `JKS` or `bcfks`. The value of the `-srcType` argument must be different from the `-dstType` argument. That is, if `-srcType` is `JKS`, then `-dstType` should be `bcfks`, and vice versa. |
| `-dstType` | The type of the destination key or trust store. Supported types for conversion are `JKS` or `bcfks`. The value of the `-dstType` argument must be different from the `-srcType` argument. For example, if `-dstType` is `JKS`, then `-srcType` should be `bcfks`, and vice versa. |
| In key/trust store | Full or relative path name of the source key or trust store to convert from. This store must exist. |
| Out key/trust store | Full or relative path name of the destination key or trust store, which holds the same contents as the source key or trust store but in a different store format. If this file does not exist, it is created. If the file already exists, its contents are overwritten. |
Example: Converting JKS to BCFKS Store

The following example converts the JKS trust store in `/opt/mapr/conf/ssl_truststore` to BCFKS format, and places the BCFKS trust store in `ssl_truststore.bcfks` in the current directory. This conversion applies when you are adding a FIPS-enabled node to a cluster containing only secure non-FIPS nodes. Upon successful creation of the BCFKS key or trust store, copy it to the FIPS-enabled node before running `configure.sh` on that node to complete the configuration.

```
# /opt/mapr/server/manageSSLKeys.sh convert \
    -p BrqLhVcjGmYo8y5_qABS6YZetRpKfpqB \
    -srcType JKS \
    -dstType bcfks \
    /opt/mapr/conf/ssl_truststore \
    ssl_truststore.bcfks
```
Verify that the BCFKS trust store is correctly converted by checking that both the source JKS and destination BCFKS trust stores have the same contents with the same fingerprints.

```
# keytool -list -keystore /opt/mapr/conf/ssl_truststore -storepass BrqLhVcjGmYo8y5_qABS6YZetRpKfpqB
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

hpe186.cluster.com, Dec 13, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): C8:60:B3:AB:79:FC:6E:E0:4D:5E:32:92:A3:16:04:01:38:D3:38:D5:5A:08:80:F4:A6:ED:AE:12:AB:F5:10:AE
hpe186.cluster.com-root-ca-chain, Dec 13, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 3F:3B:2A:C7:CC:2D:F0:50:20:97:E0:DD:61:4E:CF:C8:F0:D6:DC:E2:A1:04:99:1F:39:71:67:93:AD:01:01:DD
hpe186.cluster.com-root-signing-ca, Dec 13, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 61:C6:0E:12:18:20:D6:E6:79:78:32:A4:4C:18:AA:80:9E:84:DC:F1:CF:ED:6F:E2:60:6C:62:9B:81:B8:78:7F

# keytool -list -keystore /root/ssl_truststore.bcfks \
    -storepass BrqLhVcjGmYo8y5_qABS6YZetRpKfpqB \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
    -providername BCFIPS -storetype bcfks
Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 3 entries

hpe186.cluster.com, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): C8:60:B3:AB:79:FC:6E:E0:4D:5E:32:92:A3:16:04:01:38:D3:38:D5:5A:08:80:F4:A6:ED:AE:12:AB:F5:10:AE
hpe186.cluster.com-root-ca-chain, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 3F:3B:2A:C7:CC:2D:F0:50:20:97:E0:DD:61:4E:CF:C8:F0:D6:DC:E2:A1:04:99:1F:39:71:67:93:AD:01:01:DD
hpe186.cluster.com-root-signing-ca, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 61:C6:0E:12:18:20:D6:E6:79:78:32:A4:4C:18:AA:80:9E:84:DC:F1:CF:ED:6F:E2:60:6C:62:9B:81:B8:78:7F
```
Example: Converting BCFKS to JKS Store

The following example converts the BCFKS trust store to JKS format when adding a secure non-FIPS node to a cluster containing only FIPS-enabled nodes. Only secure non-FIPS nodes can support both the JKS and BCFKS store formats. First, copy the BCFKS store from the FIPS-enabled node to a temporary directory on the secure non-FIPS node. Upon successful creation of the JKS key or trust store, run `configure.sh` to complete the configuration.

```
# /opt/mapr/server/manageSSLKeys.sh convert \
    -p 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4 \
    -srcType bcfks \
    -dstType JKS \
    ssl_truststore.bcfks \
    /opt/mapr/conf/ssl_truststore
```
Verify that the JKS trust store is correctly converted by checking that both the source BCFKS and destination JKS trust stores have the same contents with the same fingerprints.

```
# keytool -list -keystore ssl_truststore.bcfks \
    -storepass 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4 \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
    -providername BCFIPS -storetype bcfks
Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 3 entries

fips0.cluster.com, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 8B:37:56:29:F4:09:67:9C:A3:FB:AA:5F:7C:84:7F:AB:6F:45:31:18:B6:55:26:54:90:AC:8A:60:5C:91:B1:E1
fips0.cluster.com-root-ca-chain, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 3B:57:F2:A7:01:44:27:AC:C9:22:74:D8:2E:A7:F4:3C:8F:6F:56:E5:73:0B:1D:51:9B:82:0F:DA:77:1D:06:E6
fips0.cluster.com-root-signing-ca, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 65:C6:83:B2:8D:0B:CE:98:B9:1A:08:06:B4:78:5F:A9:31:BC:42:F5:A9:83:91:F2:0E:35:C4:B2:B9:59:48:07

# keytool -list -keystore /opt/mapr/conf/ssl_truststore \
    -storepass 4hmQRWSpkMj0oWNT_0UEa_kD9djXpgb4
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

fips0.cluster.com, Dec 15, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 8B:37:56:29:F4:09:67:9C:A3:FB:AA:5F:7C:84:7F:AB:6F:45:31:18:B6:55:26:54:90:AC:8A:60:5C:91:B1:E1
fips0.cluster.com-root-ca-chain, Dec 15, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 3B:57:F2:A7:01:44:27:AC:C9:22:74:D8:2E:A7:F4:3C:8F:6F:56:E5:73:0B:1D:51:9B:82:0F:DA:77:1D:06:E6
fips0.cluster.com-root-signing-ca, Dec 15, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 65:C6:83:B2:8D:0B:CE:98:B9:1A:08:06:B4:78:5F:A9:31:BC:42:F5:A9:83:91:F2:0E:35:C4:B2:B9:59:48:07
```
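Both examples above verify a conversion by comparing the `keytool -list` output of the source and destination stores by eye. The following shell script, added here as an example and not part of `manageSSLKeys.sh` or the product documentation, automates that check: it reduces each listing to alias/fingerprint pairs, deliberately ignores the entry dates (which change on conversion, as the listings above show), and fails if any alias or fingerprint differs or an entry is missing. The `convert_and_verify` wrapper, the `MAPR_HOME` default and the BC-FIPS jar path are assumptions drawn from the examples on this page; the listings embedded in the script are constructed so that it runs offline without `keytool`.

```shell
#!/bin/sh
# Added example (not part of manageSSLKeys.sh or the product docs): convert a
# key/trust store and verify the result the way the page describes, by checking
# that source and destination hold the same aliases with the same SHA-256
# fingerprints. Entry dates are ignored on purpose: the converted store carries
# the conversion date, so they legitimately differ between the two listings.
# Assumptions: MAPR_HOME default, BC-FIPS jar path, and the constructed listings.

MAPR_HOME="${MAPR_HOME:-/opt/mapr}"
BC_FIPS_JAR="${BC_FIPS_JAR:-$MAPR_HOME/lib/bc-fips-1.0.2.1.jar}"

# entries_from_listing: reduce `keytool -list` output on stdin to sorted
# "alias<TAB>fingerprint" lines, one per entry.
entries_from_listing() {
  awk '
    /trustedCertEntry|PrivateKeyEntry|SecretKeyEntry/ { alias = $0; sub(/,.*/, "", alias) }
    /Certificate fingerprint/ { fp = $0; sub(/.*: /, "", fp); print alias "\t" fp }
  ' | sort
}

# list_store STORE PASSWORD TYPE: run keytool with the provider the type needs
# (the BCFIPS provider arguments are the ones used in the page's examples).
list_store() {
  if [ "$3" = "bcfks" ]; then
    keytool -list -keystore "$1" -storepass "$2" -storetype bcfks \
      -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
      -providerpath "$BC_FIPS_JAR" -providername BCFIPS
  else
    keytool -list -keystore "$1" -storepass "$2"
  fi
}

# listings_match LISTING_A LISTING_B: succeed only if both listings are
# non-empty and reduce to the same alias/fingerprint set.
listings_match() {
  a=$(printf '%s\n' "$1" | entries_from_listing)
  b=$(printf '%s\n' "$2" | entries_from_listing)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# convert_and_verify SRC SRCTYPE DST DSTTYPE PASSWORD: the real workflow
# (hypothetical wrapper). Fails if the conversion fails or the stores disagree.
convert_and_verify() {
  "$MAPR_HOME/server/manageSSLKeys.sh" convert -p "$5" \
    -srcType "$2" -dstType "$4" "$1" "$3" || return 1
  listings_match "$(list_store "$1" "$5" "$2")" "$(list_store "$3" "$5" "$4")"
}

# --- Constructed sample listings for an offline demo (not real cluster output) ---
SRC_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

node1.example.com, Dec 13, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
node1.example.com-root-ca-chain, Dec 13, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'

# Same entries after conversion: different store type and date, same fingerprints.
DST_LISTING='Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 2 entries

node1.example.com-root-ca-chain, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
node1.example.com, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# A converted store that lost the CA chain entry: must be reported as a mismatch.
BAD_LISTING='Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 1 entry

node1.example.com, Dec 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

if listings_match "$SRC_LISTING" "$DST_LISTING"; then
  echo "demo: converted store matches source"
fi
if listings_match "$SRC_LISTING" "$BAD_LISTING"; then
  echo "demo: unexpected match"
else
  echo "demo: incomplete store detected"
fi
```

On a real node, `convert_and_verify /opt/mapr/conf/ssl_truststore JKS ssl_truststore.bcfks bcfks "$PASSWORD"` runs the conversion from the first example and then the comparison; a non-zero exit means the converted store should not be copied into `${MAPR_HOME}/conf` on the target node.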