manageSSLKeys.sh

Use the manageSSLKeys.sh utility to create and manage SSL certificates.

Syntax

# /opt/mapr/server/manageSSLKeys.sh
manageSSLKeys.sh is a tool to create and manage the SSL certificates.
it is run once on the first node from configure.sh
Usage: manageSSLKeys and one of
       create [-d DNSDOMAIN] [-N clustername] [-k keypass] [-t trustpass] -ug <maprUserGroup>
              creates the SSL key and trust stores needed for HTTPS traffic
              -d specifies DNS domain used in wildcard certificate. Default
                 is detected from Local OS
              -N clustername
              -k password for key store or file containing the key store password
              -t password for trust store or file containing the trust store password
              -ug MapR user/group, e.g., mapr:mapr
       createcreds [-k keypass] -t trustpass -ug <maprUserGroup>
              creates the key and trust store credential files maprkeycreds and maprtrustcreds. This
              is normally used in mixed FIPS and non-FIPS configurations in addition to the convert utility.
              -k key store password. If not specified, the key credential file will not be created
              -t trust store password for creating the trust credential file. This is required
              -ug MapR user/group, e.g., mapr:mapr. This is required
       secureconfig [-N clustername] [-ug <maprUserGroup>] [-clientonly true|false] [-k keypass] [-t trustpass]
              Completes the secure configuration process. For internal use only
              -N clustername
              -ug MapR user/group, e.g., mapr:mapr
              -clientonly <true or false>
              -keypass Key store password. If specified, this overrides the key store password in the XML files
              -trustpass Trust store password. If specified, this overrides the trust store password in the XML files
       merge <in trust store> <out trust store> <inPassword> <outPassword>
             merges the certificates from the in trust store into the existing out trust store
             All arguments are required
       copytruststore <outputFile> <password for local trust store> [password for output (if different from local)]
       copywithconfiguredpassword (deprecated in 7.0, use changepassword instead) <srcStore> <destStore> <srcPassword>
       createrandompassword (deprecated in 7.0, use changepassword instead) [oldPassword (needed to override default password)]
       changepassword [-k <oldKeyPassword>] [-kp <newKeyPassword>] [-t <oldTrustPassword>] [-tp <newTrustPassword>]
              change key password or trust password or both
              -k password for key store or file containing the key store password
              -kp new password for key store, can only be used with -k option. If -k is used without -kp,
                  a new random password will be generated for key store
              -t password for trust store or file containing the trust store password
              -tp new password for trust store, can only be used with -t option. If -t is used without -tp,
                  a new random password will be generated for trust store
              (For a client node - must use both  -t old -tp new    and no -k )
       createusercert -u <user> -ug <maprUserGroup> [ -p <truststorepw> ] [ -k <keystorepw> ] [ -a <alias> ] [ -s <sanInfo> ] [ -ips <comma seperated IPs>] [ -w ]
              add a cert for specified user to the existing ssl_user[key|trust]stores.
              -a alias name for certificate
              -p password for trust store or file containing trust store password
              -k password for key store or file containing key store password
              -s SAN info to add to certificate - like 'DNS.1 = *.mydomain'
              -u user name to create certificate for
              -ug MapR user/group, e.g., mapr:mapr
              -ips comma seperated IPs, in case the node is having NATed external IPs which is common in cloud deployment
              -w overwrite the alias name, else fails if exist. Used in regenerating the cert with external IPs
       createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
              -N <clustername>
              -d specifies DNS domain used in wildcard certificate. Default
                 is detected from Local OS
              -p password for trust store or file containing trust store password
              -ug MapR user/group, e.g., mapr:mapr
       convert [-N <clustername> ] [-k] [-n] -p <passwd> [-srcType JKS|bcfks|pkcs12] [-dstType JKS|bcfks|pkcs12] <in key/trust store> <out key/trust store>
              converts an existing key/trust store from one store type to another. If
              the destination store type is pkcs12, this creates a new PEM type key/trust store
              if srcType and dstType are not specified, it is assumed that you are
              converting from JKS to PEM via pkcs12
              -N <clustername>
              -a denotes the certificate alias you want to convert
              -k denotes you are converting a keystore
              -n do not create a PEM type key/trust store
              -p <passwd> store password. This is required
              -srcType JKS|bcfks|pkcs12 denotes the source format of the store
              -dstType JKS|bcfks|pkcs12 denotes the destination format of the store

Operations

manageSSLKeys.sh performs the following operations:
create
Description: Creates the SSL key and trust stores needed for HTTPS traffic.
Format: create [-d DNSDOMAIN] [-N clustername] [-k keypass] [-t trustpass] -ug <maprUserGroup>
Parameters:
  • d: (Optional) DNS domain used for the wildcard certificate. The default domain is detected from the Local OS.
  • N: (Optional) Name of the cluster.
  • k: (Optional) Password for key store or file containing the key store password.
  • t: (Optional) Password for trust store or file containing the trust store password.
  • ug: (Required) User:Group to use for the key. For example: mapr:mapr.
createcreds
Description: Creates the key and trust store credential files maprkeycreds and maprtrustcreds. This command is usually used in mixed FIPS and non-FIPS configurations in addition to the convert utility.
Format: createcreds [-k keypass] -t trustpass -ug <maprUserGroup>
Parameters:
  • -k: (Optional) Key store password. If not specified, the key credential file is not created.
  • -t: (Required) Trust store password for creating the trust store credential file.
  • -ug: (Required) Cluster administrator user and group (for example, mapr:mapr).
secureconfig
Description: Completes the secure configuration process. For internal use only.
Format: secureconfig [-N clustername] [-ug <maprUserGroup>] [-clientonly true|false] [-k keypass] [-t trustpass]
Parameters:
  • -N: (Optional) Cluster name.. The default is the cluster on which this command is run.
  • -ug: (Optional) Cluster administrator user and group (for example, mapr:mapr). The default is mapr:mapr.
  • -clientonly: (Optional) true or false. This flag ensures that the script does not fail on the client only nodes where the keystores are not present. The default is false.
  • -keypass: (Optional) Key store password. If specified, this value overrides the key store password in the XML files.
  • -trustpass: (Optional) Trust store password. If specified, this value overrides the trust store password in the XML files.
merge
Description: Merges the SSL certificates from the in trust store into the existing out trust store.
Format: merge <in trust store> <out trust store> <inPassword> <outPassword>
Parameters:
  • in trust store: (Required) Source trust store from which to obtain the SSL certificates.
  • out trust store: (Required) Destination trust store to merge the SSL certificates.
  • inPassword: (Required) Password for the source trust store.
  • outPassword: (Required) Password to set for the destination trust store.
copytruststore
Description: Makes a copy of the existing trust store on the node on which you run this command.
Format: copytruststore <outputFile> <password for local trust store> [password for output (if different from local)]
Parameters:
  • outputFile: (Required) The file in which to store the copy of the trust store.
  • password for local trust store: (Required) The password of the trust store being copied.
  • password for output: (Optional) The password to set for the output file. By default, this is the same as the password for the local trust store.
copywithconfiguredpassword
ATTENTION
This command is deprecated in version 7.0. Use changepassword instead.
Description: Copies the source trust store to the destination trust store and secures the destination with the existing source trust store password..
Format: copywithconfiguredpassword <srcStore> <destStore> <srcPassword>
Parameters:
  • srcStore: (Required) Source trust store to copy.
  • destStore: (Required) Destination trust store.
  • srcPassword: (Required) The password for the source trust store.
createrandompassword
ATTENTION
This command is deprecated in version 7.0. Use changepassword instead.
Description: Creates a random trust store password.
Format: createrandompassword [oldPassword (needed to override default password)]
Parameters:
  • oldPassword: (Optional) The password to overwrite the default one (mapr123).
changepassword
Description: Changes either the key password, the trust password, or both.
Format: changepassword [-k <oldKeyPassword>] [-kp <newKeyPassword>] [-t <oldTrustPassword>] [-tp <newTrustPassword>]
Parameters:
  • -k: (Optional) Password for the key store or file containing the key store password.
  • -kp: (Optional) New password for the key store (can only be used with the -k option). If -k is used without -kp, a new random password is generated for the key store.
  • -t: (Optional) Password for the trust store or a file containing the trust store password.
  • -tp: (Optional) New password for the trust store (can only be used with the -t option). If -t is used without -tp, a new random password is generated for the trust store.
For a client node, you must use both -t (old) and -tp (new) and not -k. For more information about using changepassword, see Changing Key and Trust Store Passwords.
createusercert
Description: Adds a certificate for the specified user to the existing SSL user key or trust store.
Format: createusercert -u <user> -ug <maprUserGroup> [ -p <truststorepw> ] [ -k <keystorepw> ] [ -a <alias> ] [ -s <sanInfo> ] [ -ips <comma seperated IPs>] [ -w ]
Parameters:
  • -u: (Required) User name for which to create the certificate.
  • -ug: (Required) Cluster administrator user and group (for example, mapr:mapr).
  • -p: (Optional) Password for the trust store or a file containing the trust store password. If you omit this parameter, the command creates the trust store without password protection.
  • -k: (Optional) Password for the key store or a file containing the key store password. If you omit this parameter, the command creates the key store without password protection.
  • -a: (Optional) Alias name for the certificate.
  • -s: (Optional) SAN information to add to the certificate (for example: DNS.1=*mydomain).
  • -ips: (Optional) Comma seperated NATed external IPs, if any.
  • -w: (Optional) Overwrite the alias name, else fails if it exists. Used in regenerating the certificate with external IPs .
createusercerts
Description: Creates SSL user certificates.
Format: createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
Parameters:
  • p: (Optional) Password to use for the SSL user certificate.
  • N: (Optional) Name of the cluster. The default is the cluster on which this command is run.
  • d: (Optional) DNS domain used for the wildcard certificate. The default domain is detected from the Local OS.
  • ug: (Required) User:Group to use for the certificate. For example: mapr:mapr.
convert
Description: Converts an existing key/trust store into a new PEM type key/trust store. If you do not specify the type of the source and the destination key/trust store, it is assumed that you are converting from JKS to PEM (via pkcs12).
Format: convert [-N <clustername> ] [-k] [-n] -p <passwd> [-srcType JKS|bcfks|pkcs12] [-dstType JKS|bcfks|pkcs12] <in key/trust store> <out key/trust store>
Parameters:
  • N: (Optional) Cluster name. The default is the cluster on which this command is run.
  • k: (Optional) Indicates that a keystore is being converted.
  • n: (Optional) Do not create a PEM type key/trust store.
  • p: (Required) Password of the existing key/trust store.
  • srcType: (Optional) Format of the source key/trust store - one of JKS or bcfks or pkcs12. The default keystore for a non-FIPS cluster is JKS, while the default for a FIPS cluster is bcfks.
  • dstType: (Optional) Format of the destination key/trust store - either JKS or bcfks or pkcs12. The default keystore for a non-FIPS cluster is JKS, while the default for a FIPS cluster is bcfks.
  • in key/trust store: (Required) The existing key/trust store to convert.
  • out key/trust store: (Required) The name to use for the converted key/trust store.

Examples

The following links demonstrate using the manageSSLKeys.sh utility.