Using Custom Signed Certificates with Object Store

Describes how to run the HPE Ezmeral Data Fabric Object Store using custom certificates rather than the default self-signed certificates provided during installation.

Default installations of the HPE Ezmeral Data Fabric use encrypted, self-signed certificates to enable SSL communication. For example, the following certificates are created and self-signed by the manageSSLKeys.sh tool:
Certificate File    Store Location*
public.crt          /opt/mapr/conf/ssl_usertruststore.p12
private.key         /opt/mapr/conf/ssl_userkeystore.p12

*With Data Fabric 7.0.0.5 and later, the public.crt and private.key files are no longer shipped, but the self-signed certificates are still created if your installation needs them.

If your environment does not permit self-signed certificates, or if you prefer to generate your own certificates rather than use the default certificates, you must use one of the following options.

Alternatives to Using the HPE-Provided Certificates

If you do not want to use the default self-signed certificates, you have two options:

  • Option 1: Obtain a public certificate and private key from a well-known certificate authority, such as Verisign or Comodo. Then replace the default public.crt and private.key files with the new public certificate and private key. If you choose Option 1, perform only steps 6 and later in the following procedure.
  • Option 2: Generate your own self-signed certificates to replace the public.crt and private.key files provided in the default installation. If you choose Option 2, perform all steps in the following procedure.
IMPORTANT
This procedure is valid only for clusters running Data Fabric 7.0.0.5 or later.

Generating Your Own Self-Signed Certificates

Use this procedure to generate your own self-signed certificates if your installation has Data Fabric 7.0.0.5 or later:
  1. Use the OpenSSL utility to create your own root CA certificate and CA private key:
    openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -subj "/CN=*.<domain_name>/C=IN/L=HYD" -keyout rootCA.key -out rootCA.crt
    where <domain_name> is your domain (for example, mydomain.mycorp.net).
  2. Create a private key to generate the certificate signing request (CSR):
    openssl genrsa -out private.key 2048
  3. Create the CSR configuration. Be sure to provide all required information. For example:
    csr.conf
    =========
    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    [ dn ]
    C = IN
    ST = TEL
    L = HYD
    O = HPE
    OU = QA
    CN = *.<domain_name>
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = *.<domain_name>
  4. Generate the CSR using a private key. For example:
    openssl req -new -key private.key -out server.csr -config csr.conf
  5. Using the root CA and CA private key, create an SSL certificate with the CSR:
    1. Create the cert.conf file. For example:
      cert.conf
      ==========
      basicConstraints=CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = *.<domain_name>
    2. Generate the SSL certificate with the self-signed CA:
      openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out public.crt -days 365 -sha256 -extfile cert.conf
      You should now have the following files:
      • private.key
      • server.csr
      • rootCA.crt
      • rootCA.key
      • public.crt
  6. Stop the Multithreaded Object Store Server (MOSS) service:
    maprcli node services -nodes <node_name> -name s3server -action stop -json
  7. Use OpenSSL and the keytool command to add the custom certificates to the ssl_userkeystore and ssl_usertruststore so that the MOSS public.crt and private.key are available from these files:
    1. Use the openssl command to generate the keypair.p12 file. For the <password>, specify a new password of your choosing:
      openssl pkcs12 -export -nodes -passout pass:<password> -in public.crt -inkey private.key -name moss -out keypair.p12
    2. Use the keytool command to import the key store:
      For this password variable . . .   Use
      <keystore password>                The password for the ssl.server.keystore.password key displayed in the /opt/mapr/conf/store-passwords.txt file.
      <password>                         The new password you specified in step 7a.
      keytool -importkeystore -deststorepass <keystore password> -destkeystore /opt/mapr/conf/ssl_userkeystore.p12 -srckeystore keypair.p12 -srcstorepass <password> -srcstoretype PKCS12
    3. When prompted to overwrite the entry, specify yes:
      Existing entry alias moss exists, overwrite? [no]: yes
    4. Use the keytool command to delete the existing moss entry from the PKCS12 trust store (ssl_usertruststore.p12):
      keytool -delete -noprompt -alias "moss" -keystore /opt/mapr/conf/ssl_usertruststore.p12
    5. When prompted for the keystore password, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:
      Enter keystore password: 
    6. Use the keytool command to import the public.crt:
      keytool -importcert -alias moss -file public.crt -keystore /opt/mapr/conf/ssl_usertruststore.p12
    7. When prompted for the keystore password, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:
      Enter keystore password: 
    8. Use the keytool command to delete the existing moss entry from the JKS trust store (ssl_usertruststore). For the <truststore password>, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:
      keytool -delete -noprompt -alias "moss" -keystore /opt/mapr/conf/ssl_usertruststore -storepass <truststore password>
    9. Use the following command to add the public.crt to the JKS trust store. For the <truststore password>, use the password for the ssl.server.truststore.password key displayed in the /opt/mapr/conf/store-passwords.txt file:
      keytool -importcert -alias moss -file public.crt -keystore /opt/mapr/conf/ssl_usertruststore -storepass <truststore password>
    10. When the following prompt appears, type yes:
      Trust this certificate? [no]: yes
    11. On all other nodes where the MOSS service is running, replace these files:
      • /opt/mapr/conf/ssl_usertruststore
      • /opt/mapr/conf/ssl_usertruststore.p12
      • /opt/mapr/conf/ssl_userkeystore.p12
    12. Restart the MOSS service:
      maprcli node services -nodes <node_name> -name s3server -action start
  8. Copy the public certificate to the ~/.mc/certs/CAs/ directory so that the mc client trusts it:
    cp /opt/mapr/conf/public.crt ~/.mc/certs/CAs/
  9. Use mc commands to create a bucket under an mc alias to confirm that MOSS is serving the newly generated certificates. For example:
    1. Use the following command to create a bucket:
      /opt/mapr/bin/mc mb alias/<bucket_name>
    2. Use the following command to copy an object to the bucket you created in step 9a. If the copy succeeds, the Object Store is serving the custom certificates:
      /opt/mapr/bin/mc cp /root/file.txt alias/<bucket_name>
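The certificate-generation steps 1 through 5 above, as an added example script that is not part of HPE's documentation or product: it runs them for an assumed placeholder domain (mydomain.example) into a working directory and then checks, before anything is imported into the key stores in step 7, that public.crt chains to rootCA.crt and carries the wildcard subjectAltName that the csr.conf and cert.conf files request.

```shell
# Added example (not HPE's own script): steps 1 to 5 of the procedure for an
# assumed placeholder domain, followed by a verification a practitioner would
# run before importing anything with keytool.
set -eu
# Generate rootCA.key/rootCA.crt, private.key, server.csr and public.crt in $2.
make_moss_certs() (
  domain="$1"; workdir="$2"
  mkdir -p "$workdir" && cd "$workdir"
  # Step 1: root CA key and self-signed CA certificate
  openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -subj "/CN=*.$domain/C=IN/L=HYD" -keyout rootCA.key -out rootCA.crt 2>/dev/null
  # Step 2: server private key
  openssl genrsa -out private.key 2048 2>/dev/null
  # Steps 3 and 4: CSR configuration carrying the wildcard SAN, then the CSR itself
  cat > csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = IN
ST = TEL
L = HYD
O = HPE
OU = QA
CN = *.$domain
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.$domain
EOF
  openssl req -new -key private.key -out server.csr -config csr.conf
  # Step 5: leaf certificate; cert.conf is the extension file the CA copies into it
  cat > cert.conf <<EOF
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.$domain
EOF
  openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -out public.crt -days 365 -sha256 -extfile cert.conf 2>/dev/null
)
# Check: public.crt ($2/public.crt) chains to rootCA.crt and carries DNS:*.$1 in its SAN.
check_moss_certs() {
  openssl verify -CAfile "$2/rootCA.crt" "$2/public.crt" >/dev/null &&
    openssl x509 -in "$2/public.crt" -noout -text | grep -q "DNS:\*\.$1"
}
```

Run it as `make_moss_certs mydomain.example /tmp/moss-certs && check_moss_certs mydomain.example /tmp/moss-certs`; a non-zero exit means the leaf does not validate against the root or is missing the SAN, and should not be imported.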