manageSSLKeys.sh
Use the manageSSLKeys.sh utility to create and manage SSL certificates.
Syntax
# /opt/mapr/server/manageSSLKeys.sh
manageSSLKeys.sh is a tool to create and manage the SSL certificates.
it is run once on the first node from configure.sh
Usage: manageSSLKeys and one of
create [-d DNSDOMAIN] [-N clustername] [-k keypass] [-t trustpass] -ug <maprUserGroup>
creates the SSL key and trust stores needed for HTTPS traffic
-d specifies DNS domain used in wildcard certificate. Default
is detected from Local OS
-N clustername
-k password for key store or file containing the key store password
-t password for trust store or file containing the trust store password
-ug MapR user/group, e.g., mapr:mapr
createcreds [-k keypass] -t trustpass -ug <maprUserGroup>
creates the key and trust store credential files maprkeycreds and maprtrustcreds. This
is normally used in mixed FIPS and non-FIPS configurations in addition to the convert utility.
-k key store password. If not specified, the key credential file will not be created
-t trust store password for creating the trust credential file. This is required
-ug MapR user/group, e.g., mapr:mapr. This is required
secureconfig [-N clustername] [-ug <maprUserGroup>] [-clientonly true|false] [-k keypass] [-t trustpass]
Completes the secure configuration process. For internal use only
-N clustername
-ug MapR user/group, e.g., mapr:mapr
-clientonly <true or false>
-keypass Key store password. If specified, this overrides the key store password in the XML files
-trustpass Trust store password. If specified, this overrides the trust store password in the XML files
merge <in trust store> <out trust store> <inPassword> <outPassword>
merges the certificates from the in trust store into the existing out trust store
All arguments are required
copytruststore <outputFile> <password for local trust store> [password for output (if different from local)]
copywithconfiguredpassword (deprecated in 7.0, use changepassword instead) <srcStore> <destStore> <srcPassword>
createrandompassword (deprecated in 7.0, use changepassword instead) [oldPassword (needed to override default password)]
changepassword [-k <oldKeyPassword>] [-kp <newKeyPassword>] [-t <oldTrustPassword>] [-tp <newTrustPassword>]
change key password or trust password or both
-k password for key store or file containing the key store password
-kp new password for key store, can only be used with -k option. If -k is used without -kp,
a new random password will be generated for key store
-t password for trust store or file containing the trust store password
-tp new password for trust store, can only be used with -t option. If -t is used without -tp,
a new random password will be generated for trust store
(For a client node - must use both -t old -tp new and no -k )
createusercert -u <user> -ug <maprUserGroup> [ -p <truststorepw> ] [ -k <keystorepw> ] [ -a <alias> ] [ -s <sanInfo> ] [ -ips <comma seperated IPs>] [ -w ]
add a cert for specified user to the existing ssl_user[key|trust]stores.
-a alias name for certificate
-p password for trust store or file containing trust store password
-k password for key store or file containing key store password
-s SAN info to add to certificate - like 'DNS.1 = *.mydomain'
-u user name to create certificate for
-ug MapR user/group, e.g., mapr:mapr
-ips comma seperated IPs, in case the node is having NATed external IPs which is common in cloud deployment
-w overwrite the alias name, else fails if exist. Used in regenerating the cert with external IPs
createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
-N <clustername>
-d specifies DNS domain used in wildcard certificate. Default
is detected from Local OS
-p password for trust store or file containing trust store password
-ug MapR user/group, e.g., mapr:mapr
convert [-N <clustername> ] [-k] [-n] -p <passwd> [-srcType JKS|bcfks|pkcs12] [-dstType JKS|bcfks|pkcs12] <in key/trust store> <out key/trust store>
converts an existing key/trust store from one store type to another. If
the destination store type is pkcs12, this creates a new PEM type key/trust store
if srcType and dstType are not specified, it is assumed that you are
converting from JKS to PEM via pkcs12
-N <clustername>
-a denotes the certificate alias you want to convert
-k denotes you are converting a keystore
-n do not create a PEM type key/trust store
-p <passwd> store password. This is required
-srcType JKS|bcfks|pkcs12 denotes the source format of the store
-dstType JKS|bcfks|pkcs12 denotes the destination format of the store
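The changepassword usage above carries several rules that are easy to get wrong on a live node: -kp is only valid together with -k, -tp only together with -t, and a client node may rotate only the trust store password (-t old -tp new, and no -k). The following is an added example, not part of the product documentation or of manageSSLKeys.sh itself: a small POSIX sh wrapper that checks those rules before composing the command line, and that passes passwords as mode-0600 files (which the -k and -t options accept) rather than as literal arguments, so the secrets do not end up in shell history or in the process list. The path /opt/mapr/server/manageSSLKeys.sh is taken from the Syntax section; the file names under /tmp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compose a manageSSLKeys.sh changepassword invocation that
# honours the documented option rules. Not part of manageSSLKeys.sh itself.

# Path from the Syntax section; override with the environment if needed.
MANAGE_SSL_KEYS="${MANAGE_SSL_KEYS:-/opt/mapr/server/manageSSLKeys.sh}"

# write_password_file PATH
# Reads a password from stdin and stores it in PATH with mode 0600, so it can
# be handed to -k/-t as a file instead of appearing on the command line.
write_password_file() {
  ( umask 077; cat > "$1" )
}

# build_changepassword ROLE OLDKEY NEWKEY OLDTRUST NEWTRUST
# ROLE is "server" or "client"; the other arguments are password files (or
# empty strings when the option is not supplied). Prints the command line on
# stdout and returns 1 when the combination violates the documented rules.
build_changepassword() {
  role=$1; oldkey=$2; newkey=$3; oldtrust=$4; newtrust=$5
  cmd="$MANAGE_SSL_KEYS changepassword"

  # -kp can only be used with -k; -tp can only be used with -t
  if [ -n "$newkey" ] && [ -z "$oldkey" ]; then
    echo "error: -kp requires -k" >&2; return 1
  fi
  if [ -n "$newtrust" ] && [ -z "$oldtrust" ]; then
    echo "error: -tp requires -t" >&2; return 1
  fi
  # a client node must use both -t old and -tp new, and no -k
  if [ "$role" = client ]; then
    if [ -n "$oldkey" ] || [ -z "$oldtrust" ] || [ -z "$newtrust" ]; then
      echo "error: client node needs -t and -tp and must not use -k" >&2
      return 1
    fi
  fi
  # at least one store must be selected
  if [ -z "$oldkey" ] && [ -z "$oldtrust" ]; then
    echo "error: supply -k and/or -t" >&2; return 1
  fi

  [ -n "$oldkey" ]   && cmd="$cmd -k $oldkey"
  [ -n "$newkey" ]   && cmd="$cmd -kp $newkey"
  [ -n "$oldtrust" ] && cmd="$cmd -t $oldtrust"
  [ -n "$newtrust" ] && cmd="$cmd -tp $newtrust"
  printf '%s\n' "$cmd"
}

# Demonstration (constructed values): rotate both passwords on a server node,
# reading the old ones from files and letting the tool generate new random
# ones by omitting -kp/-tp. The command is printed, not executed.
demo_server_rotate() {
  printf 'oldkeypw\n'   | write_password_file /tmp/mapr_keypass.old   # constructed
  printf 'oldtrustpw\n' | write_password_file /tmp/mapr_trustpass.old # constructed
  build_changepassword server /tmp/mapr_keypass.old "" /tmp/mapr_trustpass.old ""
}
```

Run the printed command with the MapR user on the node; when the tool generates random passwords (no -kp/-tp), record the new values from its output before touching any other node, since every node's stores must end up with the same trust store password.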
Operations
manageSSLKeys.sh performs the following operations:
- create
- Description: Creates the SSL key and trust stores needed for HTTPS traffic.
- createcreds
- Description: Creates the key and trust store credential files maprkeycreds and maprtrustcreds. This command is usually used in mixed FIPS and non-FIPS configurations in addition to the convert utility.
- secureconfig
- Description: Completes the secure configuration process. For internal use only.
- merge
- Description: Merges the SSL certificates from the in trust store into the existing out trust store.
- copytruststore
- Description: Makes a copy of the existing trust store on the node on which you run this command.
- copywithconfiguredpassword
- Description: Copies the source trust store to the destination trust store and secures the destination with the existing source trust store password.
- ATTENTION: This command is deprecated in version 7.0. Use changepassword instead.
- createrandompassword
- Description: Creates a random trust store password.
- ATTENTION: This command is deprecated in version 7.0. Use changepassword instead.
- changepassword
- Description: Changes either the key password, the trust password, or both.
- createusercert
- Description: Adds a certificate for the specified user to the existing SSL user key or trust store.
- createusercerts
- Description: Creates SSL user certificates.
- convert
- Description: Converts an existing key/trust store into a new PEM type key/trust store. If you do not specify the type of the source and the destination key/trust store, it is assumed that you are converting from JKS to PEM (via pkcs12).
Examples
The following links demonstrate using the manageSSLKeys.sh utility.
- Change password: Changing Key and Trust Store Passwords
- Copy trust store: Enabling Security on a Configured Cluster
- Create user cert: Step 1: Restart and Check Cluster Services
- Regenerate trust store password: Enabling Security on a Configured Cluster
- Merge trust store: Configuring Secure Clusters for Running Commands Remotely
- Generate trust store and key store files: Step 1: Restart and Check Cluster Services and Configuring Encryption for ODBC Connection
- Convert type of keystore file: Upgrading the Data Access Gateway