Key and Trust Store Password Protection
This section describes how keystore and truststore passwords are protected.
Password Protection in Release 6.2.0 and Earlier Releases
In release 6.2.0 and earlier releases of the HPE Ezmeral Data Fabric, key and trust store passwords are stored in clear text in the Hadoop ssl-server.xml and ssl-client.xml configuration files, and the same password is used for both the key store and the trust store. The following example shows how the passwords (the value elements) are configured in ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/ssl-server.xml.
<configuration>
  ...
  <property>
    <name>ssl.server.truststore.password</name>
    <value>AB8F93FAA45393F84BD358d0</value>
    <description>Optional. Default value is "".</description>
  </property>
  ...
  <property>
    <name>ssl.server.keystore.password</name>
    <value>AB8F93FAA45393F84BD358d0</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>AB8F93FAA45393F84BD358d0</value>
    <description>Must be specified.</description>
  </property>
  ...
</configuration>
In release 6.2.0 and earlier, the key store password is protected only by the file permissions on ssl-server.xml. The trust store password has no protection at all, because it is also stored in a file whose permissions are world readable. Using the same password for both stores is therefore undesirable: anyone who can read the trust store password also holds the key store password. Key stores contain sensitive private keys that should be made available only to the server applications that need them. Trust stores contain only certificates, which may be made available to server and client applications alike.
Password Protection in Release 7.0.0 and Later
In release 7.0.0 and later, distinct passwords are generated: one for the key store and one for the trust store. Note that the key store password (which protects the key store file as a whole) and the key store key password (which protects the individual keys inside it) remain the same. Many applications expect them to be the same, especially for PKCS #12 (P12) key stores.
The following example shows how the passwords are configured in ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/ssl-server.xml in a non-secure installation. (In secure installations, the clear-text passwords are removed from these configuration files and kept in the Hadoop credential stores.)
<configuration>
  ...
  <property>
    <name>ssl.server.truststore.password</name>
    <value>895FA43FE91344DB98/_K35</value>
    <description>Optional. Default value is "".</description>
  </property>
  ...
  <property>
    <name>ssl.server.keystore.password</name>
    <value>AB8F93FAA45393F84BD358d0</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>AB8F93FAA45393F84BD358d0</value>
    <description>Must be specified.</description>
  </property>
  ...
</configuration>
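The weaknesses described in both sections, as an added example that is not part of the HPE documentation or of the product: a Python audit script that parses ssl-server.xml and ssl-client.xml, reports store passwords left in clear text, flags a file mode that makes them world readable, flags a password shared between the key store and the trust store (the 6.2.0 layout), and flags a key store password that differs from its key password (which, as noted above, many applications do not tolerate). The sample XML is constructed inline from the values shown on this page; the file names and the 0640/0644 modes are assumptions for illustration, not the product's defaults.

```python
"""Audit Hadoop SSL config files for clear-text, shared, or exposed store passwords.

Added example, not HPE code. File names and modes in the samples are assumed.
"""
import stat
import xml.etree.ElementTree as ET

# Password properties Hadoop reads from ssl-server.xml / ssl-client.xml.
PASSWORD_SUFFIXES = ("truststore.password", "keystore.password", "keystore.keypassword")


def store_passwords(xml_text):
    """Return {property name: value} for every ssl.*store.*password property in one file."""
    root = ET.fromstring(xml_text)
    found = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name.startswith("ssl.") and name.endswith(PASSWORD_SUFFIXES):
            found[name] = value
    return found


def audit(files):
    """files maps a path to (posix mode, xml text); returns a sorted list of finding codes.

    CLEARTEXT:<path>             a store password is present in clear text in the file
    WORLD_READABLE:<path>        ...and the file mode lets any local user read it
    SHARED_PASSWORD              a trust store password equals a key store password
    KEYPASSWORD_MISMATCH:<path>  keystore.password != keystore.keypassword
    """
    findings = set()
    trust_pw, key_pw = set(), set()
    for path, (mode, text) in files.items():
        present = {n: v for n, v in store_passwords(text).items() if v}
        if not present:
            continue  # secure install: passwords moved to the Hadoop credential store
        findings.add(f"CLEARTEXT:{path}")
        if mode & stat.S_IROTH:
            findings.add(f"WORLD_READABLE:{path}")
        for name, value in present.items():
            if name.endswith("truststore.password"):
                trust_pw.add(value)
            elif name.endswith("keystore.password"):
                key_pw.add(value)
        for prefix in ("ssl.server", "ssl.client"):
            kp = present.get(f"{prefix}.keystore.password")
            kkp = present.get(f"{prefix}.keystore.keypassword")
            if kp and kkp and kp != kkp:
                findings.add(f"KEYPASSWORD_MISMATCH:{path}")
    if trust_pw & key_pw:
        findings.add("SHARED_PASSWORD")
    return sorted(findings)


def ssl_xml(props):
    """Build a minimal Hadoop-style configuration document (constructed sample input)."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in props.items())
    return f"<configuration>{body}</configuration>"


SAME = "AB8F93FAA45393F84BD358d0"          # value shown on this page
TRUST_70 = "895FA43FE91344DB98/_K35"      # distinct trust store value shown on this page

# 6.2.0 layout: one password everywhere; ssl-client.xml assumed world readable (0644).
RELEASE_62 = {
    "ssl-server.xml": (0o640, ssl_xml({
        "ssl.server.truststore.password": SAME,
        "ssl.server.keystore.password": SAME,
        "ssl.server.keystore.keypassword": SAME})),
    "ssl-client.xml": (0o644, ssl_xml({"ssl.client.truststore.password": SAME})),
}
# 7.0.0 non-secure layout: trust store password differs, key password equals store password.
RELEASE_70 = {
    "ssl-server.xml": (0o640, ssl_xml({
        "ssl.server.truststore.password": TRUST_70,
        "ssl.server.keystore.password": SAME,
        "ssl.server.keystore.keypassword": SAME})),
    "ssl-client.xml": (0o644, ssl_xml({"ssl.client.truststore.password": TRUST_70})),
}
# 7.0.0 secure layout: password properties removed from the files entirely.
SECURE = {
    "ssl-server.xml": (0o640, ssl_xml({"ssl.server.keystore.type": "jks"})),
    "ssl-client.xml": (0o644, ssl_xml({"ssl.client.truststore.type": "jks"})),
}

if __name__ == "__main__":
    for label, files in (("6.2.0", RELEASE_62), ("7.0.0", RELEASE_70), ("secure", SECURE)):
        print(label, audit(files) or ["no findings"])
```

To run this against a real node, replace the constructed dictionaries with `(os.stat(path).st_mode, open(path).read())` for each file. A SHARED_PASSWORD finding is the one that matters most: it means the world-readable client file discloses the key store password, not just the trust store password.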