Merging Trust Stores
Use the manageSSLKeys.sh merge command to merge two trust stores. This operation is required if you configure cross-cluster connectivity for server nodes or for client nodes that connect to multiple clusters.

Parameters for the manageSSLKeys.sh merge command are as shown below.

/opt/mapr/server/manageSSLKeys.sh merge \
<in trust store> <out trust store> [inPassword [outPassword]]

The following table describes each manageSSLKeys.sh merge parameter:

Parameter | Description |
---|---|
In trust store | The input trust store for the destination cluster. Before running the command, copy the trust store from the destination cluster to a file in the current cluster. |
Out trust store | The output trust store for the current cluster. This is typically /opt/mapr/conf/ssl_truststore.bcfks for FIPS-enabled nodes or /opt/mapr/conf/ssl_truststore for secure non-FIPS nodes. |
inPassword | The password for in trust store or the path to a file containing the password. |
outPassword | The password for out trust store or the path to a file containing the password. |

The following example shows how to use the manageSSLKeys.sh merge command.

Before merging the trust stores, note the two certificates: one for the root CA and the other for the server certificate.

# keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks \
-storepass eEJz0u2_Bmp46UrH_gH90rjjqT_LJu0u \
-storetype bcfks \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
-providername BCFIPS
Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 2 entries
fips0.cluster.com, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 09:D6:4C:9C:2A:E7:B3:81:65:1B:C4:B2:90:29:FD:DF:79:F5:B8:DD:76:24:64:B9:54:43:1C:B1:07:79:72:B9
fips0.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): D3:88:9C:92:E8:A4:AA:C2:20:6B:B2:13:32:6C:BC:B4:40:E4:0C:6C:34:B1:43:DA:1D:44:BC:2C:48:28:60:1C

First copy the trust store for the other cluster to a location in the directory path. Use the keytool command to verify the contents of the trust store to be merged. You will need the trust store password of the remote cluster.

# keytool -list -keystore ssl_truststore.bcfks.fips1 \
-storepass xjxL_K9qfrbsfH6TSscizoSiFSVMLECg \
-storetype bcfks \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
-providername BCFIPS
Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 2 entries
fips1.cluster.com, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): BD:BB:7B:C2:2F:2E:C7:26:7E:D2:BF:DF:CA:8B:CA:D5:2A:01:7C:CC:4D:46:45:22:7C:98:07:9A:51:80:21:EB
fips1.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 46:45:28:69:73:CB:10:06:42:B9:9C:55:F2:44:0F:70:4D:A2:1D:8B:20:45:17:C4:47:D0:51:F8:30:74:7D:9A

Next merge the trust stores. In this example, ssl_truststore.bcfks.fips1 is the trust store for the remote cluster to be connected.

# /opt/mapr/server/manageSSLKeys.sh merge \
ssl_truststore.bcfks.fips1 /opt/mapr/conf/ssl_truststore.bcfks \
xjxL_K9qfrbsfH6TSscizoSiFSVMLECg \
eEJz0u2_Bmp46UrH_gH90rjjqT_LJu0u
Merging certificates from ssl_truststore.bcfks.fips1 into existing /opt/mapr/conf/ssl_truststore.bcfks

After the command completes successfully, use the keytool command to verify that the trust stores are successfully merged.

# keytool -list -keystore ssl_truststore.bcfks \
-storepass eEJz0u2_Bmp46UrH_gH90rjjqT_LJu0u \
-storetype bcfks \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
-providername BCFIPS
Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 4 entries
fips0.cluster.com, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 09:D6:4C:9C:2A:E7:B3:81:65:1B:C4:B2:90:29:FD:DF:79:F5:B8:DD:76:24:64:B9:54:43:1C:B1:07:79:72:B9
fips0.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): D3:88:9C:92:E8:A4:AA:C2:20:6B:B2:13:32:6C:BC:B4:40:E4:0C:6C:34:B1:43:DA:1D:44:BC:2C:48:28:60:1C
fips1.cluster.com, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): BD:BB:7B:C2:2F:2E:C7:26:7E:D2:BF:DF:CA:8B:CA:D5:2A:01:7C:CC:4D:46:45:22:7C:98:07:9A:51:80:21:EB
fips1.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 46:45:28:69:73:CB:10:06:42:B9:9C:55:F2:44:0F:70:4D:A2:1D:8B:20:45:17:C4:47:D0:51:F8:30:74:7D:9A
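
The verification above is done by reading the listings by eye. As an added example (not part of the product documentation or of manageSSLKeys.sh), the following script compares SHA-256 fingerprints from saved keytool -list output and reports any certificate that is missing from, or unexpected in, the merged store. The function names, sample aliases and shortened fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the product documentation: confirm that a merged
# trust store holds exactly the certificates of the two source stores by
# comparing SHA-256 fingerprints in saved `keytool -list` output.

# check_merge BEFORE REMOTE MERGED
# Each argument is a file holding `keytool -list` output. Prints one line per
# discrepancy and returns non-zero unless MERGED is the exact union.
check_merge() {
  awk '
    /trustedCertEntry/ { split($0, f, ","); alias = f[1] }
    /^Certificate fingerprint \(SHA-256\): / {
      if (FILENAME == ARGV[3]) got[$NF] = alias    # merged store
      else                     want[$NF] = alias   # local + remote store
    }
    END {
      for (fp in want) if (!(fp in got))  { print "MISSING", want[fp], fp; bad = 1 }
      for (fp in got)  if (!(fp in want)) { print "UNEXPECTED", got[fp], fp; bad = 1 }
      exit bad + 0
    }' "$1" "$2" "$3"
}

# entry ALIAS FINGERPRINT: emit one listing entry in keytool's layout
# (hypothetical helper used only to build the constructed samples below).
entry() {
  printf '%s, Sep 17, 2021, trustedCertEntry,\nCertificate fingerprint (SHA-256): %s\n' "$1" "$2"
}

demo() {
  d=$(mktemp -d) || return 1
  # Constructed listings: aliases and shortened fingerprints are made up.
  { entry a.example 0A:01; entry a.example-root-ca-chain 0A:02; } > "$d/before"
  { entry b.example 0B:01; entry b.example-root-ca-chain 0B:02; } > "$d/remote"
  cat "$d/before" "$d/remote" > "$d/good"
  # Merged store that lost the remote root CA and gained an unknown entry.
  { cat "$d/before"; entry b.example 0B:01; entry extra.example 0C:09; } > "$d/bad"
  check_merge "$d/before" "$d/remote" "$d/good" && echo "good: merge verified"
  check_merge "$d/before" "$d/remote" "$d/bad"  || echo "bad: merge NOT verified"
  rm -rf "$d"
}

demo
```

On a node, redirect each of the three keytool -list runs shown on this page to a file and pass the files in the order before, remote, merged.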