Using Custom Signed Certificates with Object Store
Describes how to run the HPE Ezmeral Data Fabric Object Store using custom certificates rather than the default self-signed certificates provided during installation.
Default installations of the HPE Ezmeral Data Fabric use encrypted, self-signed certificates to enable SSL communication. For example, the following certificates are created and self-signed by the manageSSLKeys.sh tool:

Certificate File | Store Location
---|---
public.crt | /opt/mapr/conf/ssl_usertruststore.p12
private.key | /opt/mapr/conf/ssl_userkeystore.p12

With Data Fabric 7.0.0.5 and later, the public.crt and private.key files are no longer available, but the self-signed certificates are created if your installation needs them.

If your environment does not permit self-signed certificates, or if you prefer to generate your own certificates rather than use the default certificates, you must use one of the following options.
Alternatives to Using the HPE-Provided Certificates

If you do not want to use the default self-signed certificates, you have two options:

- Option 1: Obtain a public certificate and private key from a well-known certificate authority, such as Verisign or Comodo. Then replace the default public.crt and private.key files with the new public certificate and private key. If you choose Option 1, you must perform only steps 6 and later in the following procedure.
- Option 2: Generate your own self-signed certificates to replace the public.crt and private.key files provided in the default installation. If you choose Option 2, perform all steps in the following procedure.
IMPORTANT: This procedure is valid only for clusters running Data Fabric 7.0.0.5 or later.

Generating Your Own Self-Signed Certificates
Use this procedure to generate your own self-signed certificates if your installation has Data Fabric 7.0.0.5 or later:

- Use the OpenSSL utility to create your own root CA certificate and CA private key:

      openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -subj "/CN=*.<domain_name>/C=IN/L=HYD" -keyout rootCA.key -out rootCA.crt

  where <domain_name> is your domain (for example, mydomain.mycorp.net).

- Create a private key to generate the certificate signing request (CSR):

      openssl genrsa -out private.key 2048

- Create the CSR configuration. Be sure to provide all required information. For example:

      csr.conf
      =========
      [ req ]
      default_bits = 2048
      prompt = no
      default_md = sha256
      req_extensions = req_ext
      distinguished_name = dn

      [ dn ]
      C = IN
      ST = TEL
      L = HYD
      O = HPE
      OU = QA
      CN = *.<domain_name>

      [ req_ext ]
      subjectAltName = @alt_names

      [ alt_names ]
      DNS.1 = *.<domain_name>

- Generate the CSR using the private key. For example:

      openssl req -new -key private.key -out server.csr -config csr.conf

- Using the root CA and CA private key, create an SSL certificate with the CSR:
  - Create the cert.conf file. For example:

        cert.conf
        ==========
        basicConstraints=CA:FALSE
        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names

        [alt_names]
        DNS.1 = *.<domain_name>

  - Generate the SSL certificate with the self-signed CA:

        openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out public.crt -days 365 -sha256 -extfile cert.conf

  You should now have the following files:

      private.key
      server.csr
      rootCA.crt
      rootCA.key
      public.crt
- Stop the Multithreaded Object Store Server (MOSS) service:

      maprcli node services -nodes <node_name> -name s3server -action stop -json

- Use OpenSSL and the keytool command to add the custom certificates to the ssl_userkeystore and ssl_usertruststore so that the MOSS public.crt and private.key are available from these files:
  - Use the openssl command to generate the keypair.p12 file. For the <password>, specify a new password of your choosing:

        openssl pkcs12 -export -nodes -passout pass:<password> -in public.crt -inkey private.key -name moss -out keypair.p12

  - Use the keytool command to import the key store:

        keytool -importkeystore -deststorepass <keystore password> -destkeystore /opt/mapr/conf/ssl_userkeystore.p12 -srckeystore keypair.p12 -srcstorepass <password> -srcstoretype PKCS12

    For this password variable . . . | Use
    ---|---
    <keystore password> | The password for the ssl.server.keystore.password key displayed in the /opt/mapr/conf/store-passwords.txt file.
    <password> | The new password you specified in step 7a.

  - When prompted to overwrite the entry, specify yes:

        Existing entry alias moss exists, overwrite? [no]: yes

  - Use the keytool command to delete the existing moss entry from the ssl_usertruststore.p12 trust store:

        keytool -delete -noprompt -alias "moss" -keystore /opt/mapr/conf/ssl_usertruststore.p12

  - When prompted for the keystore password, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:

        Enter keystore password:

  - Use the keytool command to import the public.crt into the ssl_usertruststore.p12 trust store:

        keytool -importcert -alias moss -file public.crt -keystore /opt/mapr/conf/ssl_usertruststore.p12

  - When prompted for the keystore password, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:

        Enter keystore password:

  - Use the keytool command to delete the existing moss entry from the ssl_usertruststore trust store. For the <truststore password>, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:

        keytool -delete -noprompt -alias "moss" -keystore /opt/mapr/conf/ssl_usertruststore -storepass <truststore password>

  - Use the following command to add the public.crt to the ssl_usertruststore trust store. For the <truststore password>, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:

        keytool -importcert -alias moss -file public.crt -keystore /opt/mapr/conf/ssl_usertruststore -storepass <truststore password>

  - When the following prompt appears, type yes:

        Trust this certificate? [no]: yes

- On all other nodes where the MOSS service is running, replace these files:

      /opt/mapr/conf/ssl_usertruststore
      /opt/mapr/conf/ssl_usertruststore.p12
      /opt/mapr/conf/ssl_userkeystore.p12

- Restart the MOSS service:

      maprcli node services -nodes <node_name> -name s3server -action start
- Copy the public certificate to the ~/.mc/certs/CAs/ directory:

      cp /opt/mapr/conf/public.crt ~/.mc/certs/CAs/

- Use mc commands to create an alias bucket to confirm that MOSS uses the newly generated self-signed certificates. For example:
  - Use the following command to create a bucket:

        /opt/mapr/bin/mc mb alias/<bucket_name>

  - Use the following command to copy an object to the bucket you created in step 9a. If the copy succeeds, the Object Store is loaded with the custom certificates:

        /opt/mapr/bin/mc cp /root/file.txt alias/<bucket_name>
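The certificate-generation steps above, from creating the root CA through exporting keypair.p12 under the moss alias, collected into one script that can be run and checked before anything is loaded into the MOSS key stores. This is an added example, not code from the HPE documentation or from the Data Fabric product. It assumes the openssl CLI (1.1.1 or 3.x) is on the PATH; the domain mydomain.mycorp.net, the host name s3.<domain_name>, the output directory and the export password changeit are constructed sample values. It goes one step beyond the page: after generating the files it verifies that public.crt chains to rootCA.crt, that the wildcard SAN actually covers a MOSS host name, that the certificate is a leaf with the key usage from cert.conf, and that keypair.p12 opens with the export password and holds the moss entry that keytool -importkeystore will look for.

```shell
#!/usr/bin/env bash
# Added example (not from the HPE page): run the certificate-generation steps
# of the procedure for one domain, then verify the result before it is loaded
# into the MOSS key stores. Assumes the openssl CLI is installed.
# Domain, host name, output directory and password are constructed sample values.
set -eu

# Write csr.conf and cert.conf exactly as shown on the page, with <domain_name> filled in.
write_openssl_configs() {
  local domain="$1" outdir="$2"
  cat > "$outdir/csr.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = IN
ST = TEL
L = HYD
O = HPE
OU = QA
CN = *.${domain}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.${domain}
EOF
  cat > "$outdir/cert.conf" <<EOF
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.${domain}
EOF
}

# Steps 1-5 of the procedure (root CA, server key, CSR, CA-signed public.crt),
# followed by the step-7a pkcs12 export under the alias "moss".
generate_custom_certs() {
  local domain="$1" outdir="$2"
  mkdir -p "$outdir"
  write_openssl_configs "$domain" "$outdir"
  (
    cd "$outdir"
    openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 \
      -subj "/CN=*.${domain}/C=IN/L=HYD" -keyout rootCA.key -out rootCA.crt 2>/dev/null
    openssl genrsa -out private.key 2048 2>/dev/null
    openssl req -new -key private.key -out server.csr -config csr.conf
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
      -out public.crt -days 365 -sha256 -extfile cert.conf 2>/dev/null
    # "changeit" stands in for the <password> you would choose in step 7a.
    openssl pkcs12 -export -nodes -passout pass:changeit -in public.crt -inkey private.key \
      -name moss -out keypair.p12
  )
}

# Pre-flight checks worth running before touching the key stores:
#   1. public.crt chains to rootCA.crt
#   2. the wildcard SAN covers a concrete MOSS host name (s3.<domain> here)
#   3. the certificate is a leaf (CA:FALSE) and carries Key Encipherment
#   4. keypair.p12 opens with the export password and contains the "moss" entry
# Returns 0 when every check passes, 1 at the first failure.
verify_custom_certs() {
  local domain="$1" outdir="$2" host
  host="s3.${domain}"
  local text
  openssl verify -CAfile "$outdir/rootCA.crt" "$outdir/public.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$outdir/rootCA.crt" -verify_hostname "$host" \
    "$outdir/public.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$outdir/public.crt" -noout -text)
  case "$text" in *"DNS:*.${domain}"*) ;; *) return 1 ;; esac
  case "$text" in *"CA:FALSE"*) ;; *) return 1 ;; esac
  case "$text" in *"Key Encipherment"*) ;; *) return 1 ;; esac
  openssl pkcs12 -in "$outdir/keypair.p12" -passin pass:changeit -nokeys -info 2>/dev/null \
    | grep -qF "friendlyName: moss" || return 1
  return 0
}

# Usage: ./custom-certs.sh <domain_name> <output_dir>
if [ $# -eq 2 ]; then
  generate_custom_certs "$1" "$2" && verify_custom_certs "$1" "$2" \
    && echo "certificates in $2 verified; continue with step 6 of the procedure"
fi
```

Run it with the domain and a scratch directory; a non-zero exit from verify_custom_certs means the files should not be imported, most often because the SAN does not cover the host name that MOSS clients will connect to. The check for CA:FALSE matters because cert.conf deliberately makes public.crt a leaf: a certificate that can sign other certificates should never be the one presented by the Object Store.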