Password Protection with the Hadoop Credential Provider API
This section describes the credential stores on FIPS-enabled and secure non-FIPS-enabled hosts.
The previous section shows how distinct key and trust store passwords are stored on a
non-secure host. On a secure host, the passwords are encrypted, and the passwords no longer
appear in the Hadoop configuration files (ssl-client.xml and
ssl-server.xml). They are stored in the credential stores and protected
using the Hadoop Credential Provider API.
Credential Stores on a FIPS-Enabled Host
On a FIPS-enabled host, the credential stores are in BCFKS format.
- Key Store Passwords
- The key store passwords are encrypted in the BCFKS key credential store:
${MAPR_HOME}/conf/maprkeycreds.bcfks. To view the list of aliases in the BCFKS key credential store:hadoop credential list -provider \ localbcfks://file/opt/mapr/conf/maprkeycreds.bcfks ssl.server.keystore.password ssl.server.keystore.keypassword ssl.client.keystore.password ssl.client.keystore.keypassword - Trust Store Passwords
- The trust store passwords are encrypted in the BCFKS trust credential store:
${MAPR_HOME}/conf/maprtrustcreds.bcfks. To view the aliases in the BCFKS trust credential store:
If you omit thehadoop credential list -provider \ localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks ssl.server.truststore.password ssl.client.truststore.password-provideroption, thehadoop credential listcommand returns the aliases for the trust store passwords by default, since they are configured incore-site.xml. You must specify the-providerargument only if you want to view the aliases in the key store. - Key and Trust Store Providers
- The Hadoop
${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/core-site.xmlis configured with the BCFKS key and trust store providers:<configuration> <property> <name>hadoop.security.credential.provider.path</name> <value>localbcfks://file/opt/mapr/conf/maprkeycreds.bcfks,localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks</value> <description>Location of key and trust store credential file</description> </property> </configuration>
Credential Stores on a Non-FIPS-Enabled Host
On a non-FIPS-enabled host, the credential stores are in JCEKS format.
- Key Store Passwords
- The key store passwords are encrypted in the JCEKS key credential store:
${MAPR_HOME}/conf/maprkeycreds.jceks. To view the list of aliases in the JCEKS key credential store:hadoop credential list -provider \ localjceks://file/opt/mapr/conf/maprkeycreds.jceks ssl.server.keystore.password ssl.server.keystore.keypassword ssl.client.keystore.password ssl.client.keystore.keypassword - Trust Store Passwords
- The trust store passwords are encrypted in the JCEKS trust credential store:
${MAPR_HOME}/conf/maprtrustcreds.jceks. To view the aliases in the JCEKS trust credential store:
If you omit thehadoop credential list -provider \ localjceks://file/opt/mapr/conf/maprtrustcreds.jceks ssl.server.truststore.password ssl.client.truststore.password-provideroption, thehadoop credential listcommand returns aliases for trust store passwords by default since they are configured incore-site.xml. Specify the-providerargument only to view aliases in the key store. - Key and Trust Store Providers
- The Hadoop
${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/core-site.xmlis configured with the JCEKS key and trust store providers:<configuration> <property> <name>hadoop.security.credential.provider.path</name> <value>localjceks://file/opt/mapr/conf/maprkeycreds.jceks,localjceks://file/opt/mapr/conf/maprtrustcreds.jceks</value> <description>Location of key and trust store credential file</description> </property> </configuration>