Enabling Security on a New Cluster Installation
Describes how to enable security for the cluster, platform, ecosystem components, and network-based connections.
About this task
- Security for the cluster nodes
- Wire-level encryption for the platform and ecosystem components
- Authentication for all network-based connections
- (Optional) Data-at-rest encryption on the cluster
These steps DO NOT enable security for client nodes. For client-installation information, see Setting Up Clients and Services.
Enabling Security When All Nodes Are Non-FIPS
About this task
Use these steps to enable security for a cluster in which all nodes are non-FIPS-enabled nodes:
Procedure
- If the cluster is running, shut it down.
-
If you are re-running the
configure.sh
script because of an invocation error from a previous run, remove the following files from${MAPR_HOME}/conf
(if they are present) if you want to re-generate the CLDB key, server ticket, and certificates:- All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
maprkeycreds.jceks
maprtrustcreds.jceks
ssl_keystore, ssl_keystore.p12
ssl_truststore, ssl_truststore.p12
ssl_userkeystore
ssl_usertruststore
- All other files in
${MAPR_HOME}/conf
that are generated and configured on the first CLDB node:- All PEM files:
ssl_keystore-signed.pem
andssl_userkeystore-signed.pem
- All files in the
${MAPR_HOME}/conf/tokens
directory maprserverticket
mapruserticket
- The
store-passwords.txt
file containing the clear-text passwords, if not already removed
- All PEM files:
cd /opt/mapr/conf rm -rf ssl_* *.bcfks *.jceks tokens store-passwords.txt maprserverticket mapruserticket ssl-client.xml ssl-server.xml
WARNINGThe DARE master key is generated in thetokens/
directory only if data at rest encryption is enabled on the cluster using the-dare
option withconfigure.sh
. Deleting the tokens directory is only intended for new installs to re-attempt an initial configuration. If the cluster is already running with DARE enabled, deleting the tokens directory results in a complete cluster loss. - All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
-
Run the
configure.sh
script with the-secure -genkeys -dare
options on the first CLDB node in your cluster:/opt/mapr/server/configure.sh -secure -dare -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>
where both<Zookeeper_node_list>
and<CLDB_node_list>
have the formhostname[:port_no][,hostname[:port_no]...] and -N <cluster_name>
specifies the cluster name. For the hostname, specify an FQDN as described in Connectivity. Do not specify an alias or IP address. The-dare
option is required only if you wish to enable data-at-rest encryption at the cluster-level.IMPORTANTYou must not run configure.sh with the -genkeys option on any other node after running it with the -genkeys option on the first CLDB node. The files must be generated only once on the first CLDB node by running configure.sh with the -genkeys option, and then copied to other nodes in the cluster.TIPFor a comprehensive listing of the Trust and Key Store files, see Understanding the Key Store and Trust Store Files. -
Copy files to the destination nodes as follows:
- If your cluster consists of all secure non-FIPS-enabled nodes, use
the following table as a guide to copy files to the destination
nodes which are the nodes where the
-genkeys
option is not used to generate keys.
1If you are running Data Fabric 7.0.0.5 or later, theDestination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper Nodes conf/maprhsm.conf
conf/maprkeycreds.conf
conf/maprkeycreds.jceks
conf/maprserverticket
conf/maprtrustcreds.conf
conf/maprtrustcreds.jceks
conf/private.key
1conf/public.crt
1conf/ssl_keystore
conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_keystore-signed.pem
conf/ssl_truststore
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/ssl_userkeystore
conf/ssl_userkeystore.p12
conf/ssl_userkeystore.pem
conf/ssl_userkeystore-signed.pem
conf/ssl_usertruststore
conf/ssl_usertruststore.p12
conf/ssl_usertruststore.pem
conf/tokens
(use a command such asscp -r
to copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/maprhsm.conf
conf/maprkeycreds.conf
conf/maprkeycreds.jceks
conf/maprserverticket
conf/maprtrustcreds.conf
conf/maprtrustcreds.jceks
conf/private.key
1conf/public.crt
1conf/ssl_keystore
conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_keystore-signed.pem
conf/ssl_truststore
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/ssl_userkeystore
conf/ssl_userkeystore.p12
conf/ssl_userkeystore.pem
conf/ssl_userkeystore-signed.pem
conf/ssl_usertruststore
conf/ssl_usertruststore.p12
conf/ssl_usertruststore.pem
private.key
andpublic.crt
are not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the/opt/mapr/conf/ssl_usertruststore
performs this function and is present on all nodes.
- If your cluster consists of all secure non-FIPS-enabled nodes, use
the following table as a guide to copy files to the destination
nodes which are the nodes where the
-
Run
configure.sh
on each existing node in the cluster using the same arguments as in Step 3 but without the-genkeys
option.
The/opt/mapr/server/configure.sh -secure -dare -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>
-secure
option indicates that security must be enabled on the node where the command is run. The-dare
option indicates that data at rest encryption must be enabled on the node and must be specified only if it was specified in Step 3.IMPORTANT- You must also do this on any nodes that you add to the cluster in the future.
- If you run
configure.sh -secure
on a node before you copy the necessary files to that node, the command fails.
- Optionally, enable encrypted quorum ZooKeeper communication. See zoo.cfg for more information.
Enabling Security When All Nodes Are FIPS
About this task
Use these steps to enable security for a cluster in which all nodes are FIPS-enabled:
Procedure
- If the cluster is running, shut it down.
-
If you are re-running the
configure.sh
script because of an invocation error from a previous run, remove the following files from${MAPR_HOME}/conf
(if they are present) if you want to re-generate the CLDB key, server ticket, and certificates:- All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
maprkeycreds.bcfks
maprtrustcreds.bcfks
ssl_keystore (symlink), ssl_keystore.bcfks
ssl_truststore (symlink), ssl_truststore.bcfks
ssl_userkeystore (symlink), ssl_userkeystore.bcfks
ssl_usertruststore (symlink), ssl_usertruststore.bcfks
- All other files in
${MAPR_HOME}/conf
that are generated and configured on the first CLDB node:- All PEM files:
ssl_keystore-signed.pem
andssl_userkeystore-signed.pem
- All files in the
${MAPR_HOME}/conf/tokens
directory maprserverticket
mapruserticket
- The
store-passwords.txt
file containing the clear-text passwords, if not already removed
- All PEM files:
cd /opt/mapr/conf rm -rf ssl_* *.bcfks *.jceks tokens store-passwords.txt maprserverticket mapruserticket ssl-client.xml ssl-server.xml
- All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
-
Run the
configure.sh
script with the-secure -genkeys -dare
options on the first CLDB node in your cluster:/opt/mapr/server/configure.sh -secure -dare -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>
where both<Zookeeper_node_list>
and<CLDB_node_list>
have the formhostname[:port_no][,hostname[:port_no]...] and -N <cluster_name>
specifies the cluster name. For the hostname, specify an FQDN as described in Connectivity. Do not specify an alias or IP address. The-dare
option is required only if you wish to enable data at rest encryption at the cluster-level.IMPORTANTYou must runconfigure.sh
with the-genkeys
option only once on one CLDB node, since the resulting files should be generated only once and then copied to other nodes.NOTEThe DARE master key is generated in thetokens/
directory only if data at rest encryption is enabled on the cluster using the-dare
option withconfigure.sh
.TIPFor a comprehensive listing of the Trust and Key Store files, see Understanding the Key Store and Trust Store Files. -
Copy files to the destination nodes as follows:
- If your cluster consists of all FIPS-enabled nodes, use the
following table as a guide to copy files to the destination nodes
(the nodes where the
-genkeys
option is not used to generate keys):Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper Nodes conf/maprhsm.conf
conf/maprkeycreds.bcfks
conf/maprkeycreds.conf
conf/maprserverticket
conf/maprtrustcreds.bcfks
conf/maprtrustcreds.conf
conf/private.key
2conf/public.crt
2conf/ssl_keystore.bcfks
1conf/ssl_keystore-signed.pem
1conf/ssl_keystore.p12
1conf/ssl_keystore.pem
1conf/ssl_truststore.bcfks
1conf/ssl_truststore.p12
1conf/ssl_truststore.pem
1conf/ssl_userkeystore.bcfks
1conf/ssl_userkeystore.pem
1conf/ssl_userkeystore-signed.pem
1conf/ssl_usertruststore.bcfks
1conf/ssl_usertruststore.pem
1conf/tokens
(usescp -r
to copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/maprhsm.conf
conf/maprkeycreds.bcfks
conf/maprkeycreds.conf
conf/maprserverticket
conf/maprtrustcreds.bcfks
conf/maprtrustcreds.conf
conf/private.key
2conf/public.crt
2conf/ssl_keystore.bcfks
1conf/ssl_keystore.p12
1conf/ssl_keystore.pem
1conf/ssl_keystore-signed.pem
1conf/ssl_truststore.bcfks
1conf/ssl_truststore.p12
1conf/ssl_truststore.pem
1conf/ssl_userkeystore.bcfks
1conf/ssl_userkeystore.p12
1conf/ssl_userkeystore.pem
1conf/ssl_userkeystore-signed.pem
1conf/ssl_usertruststore.bcfks
1conf/ssl_usertruststore.p12
1conf/ssl_usertruststore.pem
1
1Do NOT copy thessl_
symlink files contained in theconf/
directory. The symlinks are:ssl_keystore
(symlink)ssl_truststore
(symlink)ssl_userkeystore
(symlink)ssl_usertruststore
(symlink)
2If you are running Data Fabric 7.0.0.5 or later, the
private.key
andpublic.crt
are not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the/opt/mapr/conf/ssl_usertruststore
performs this function and is present on all nodes.
- If your cluster consists of all FIPS-enabled nodes, use the
following table as a guide to copy files to the destination nodes
(the nodes where the
-
Run
configure.sh
on each existing node in the cluster using the same arguments as in Step 3 but without the-genkeys
option.
The/opt/mapr/server/configure.sh -secure -dare -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>
-secure
option indicates that security must be enabled on the node where the command is run. The-dare
option indicates that data at rest encryption must be enabled on the node and must be specified only if it was specified in Step 3.IMPORTANT- You must also do this on any nodes that you add to the cluster in the future.
- If you run
configure.sh -secure
on a node before you copy the necessary files to that node, the command fails.
- Optionally, enable encrypted quorum ZooKeeper communication. See zoo.cfg for more information.
Enabling Security for a Mix of FIPS and Secure Non-FIPS Nodes
About this task
A mixed cluster is a cluster consisting of both FIPS-enabled and secure non-FIPS enabled nodes. Since the key and trust store formats are different between FIPS-enabled and secure non-FIPS enabled nodes, the BCFKS stores from FIPS-enabled nodes cannot be copied directly to secure non-FIPS enabled nodes, or vice versa. The Hadoop Credential stores also cannot be copied between FIPS-enabled and secure non-FIPS enabled nodes.
- Generate the key and trust store, and user key and trust stores if
required, on the secure non-FIPS node using the new
${MAPR_HOME}/server/manageSSLKeys.sh convert
utility:- After adding a FIPS-enabled node to a cluster consisting of only
non-FIPS enabled nodes, generate the BCFKS key and trust stores
on the non-FIPS enabled node. Copy them to the
${MAPR_HOME}/conf
directory of the FIPS-enabled node before runningconfigure.sh
. - After adding a secure non-FIPS enabled node to a cluster consisting of only FIPS-enabled nodes, copy the BCFKS key and trust stores from the FIPS-enabled node to a temporary location in the secure non-FIPS enabled node. Generate the JKS key and trust store on the secure non-FIPS enabled node.
- After adding a FIPS-enabled node to a cluster consisting of only
non-FIPS enabled nodes, generate the BCFKS key and trust stores
on the non-FIPS enabled node. Copy them to the
- Run the
configure.sh
with the-storepasswds
option on the node being configured to generate the credential stores.
Enabling Security for the First CLDB Node
About this task
-secure
flag is not specified to the
configure.sh
script.Procedure
- If the cluster is running, shut it down.
-
If you are re-running the
configure.sh
script because of an invocation error from a previous run, remove the following files from${MAPR_HOME}/conf
(if they are present) if you want to re-generate the CLDB key, server ticket, and certificates:- All key and trust stores. The files differ depending on whether
the node is FIPS enabled. FIPS-enabled nodes use BCFKS key and
trust stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key
and trust stores:
FIPS Secure Non-FIPS maprkeycreds.bcfks
maprkeycreds.jceks
maprtrustcreds.bcfks
maprtrustcreds.jceks
ssl_keystore (symlink), ssl_keystore.bcfks
ssl_keystore, ssl_keystore.p12
ssl_truststore (symlink), ssl_truststore.bcfks
ssl_truststore, ssl_truststore.p12
ssl_userkeystore (symlink), ssl_userkeystore.bcfks
ssl_userkeystore
ssl_usertruststore (symlink), ssl_usertruststore.bcfks
ssl_usertruststore
- All other files in
${MAPR_HOME}/conf
that are generated and configured on the first CLDB node:- All PEM files:
ssl_keystore-signed.pem
andssl_userkeystore-signed.pem
- All files in the
${MAPR_HOME}/conf/tokens
directory maprserverticket
mapruserticket
- The
store-passwords.txt
file containing the clear-text passwords, if not already removed
- All PEM files:
cd /opt/mapr/conf rm -rf ssl_* *.bcfks *.jceks tokens store-passwords.txt maprserverticket mapruserticket ssl-client.xml ssl-server.xml
- All key and trust stores. The files differ depending on whether
the node is FIPS enabled. FIPS-enabled nodes use BCFKS key and
trust stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key
and trust stores:
-
Run the
configure.sh
script with the-secure -genkeys -dare
options on the first CLDB node in your cluster:/opt/mapr/server/configure.sh -secure -dare -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>
where both<Zookeeper_node_list>
and<CLDB_node_list>
have the formhostname[:port_no][,hostname[:port_no]...] and -N <cluster_name>
specifies the cluster name. For the hostname, specify an FQDN as described in Connectivity. Do not specify an alias or IP address. The-dare
option is required only if you wish to enable data at rest encryption at the cluster-level.IMPORTANTYou must runconfigure.sh
with the-genkeys
option only once on one CLDB node, since the resulting files should be generated only once and then copied to other nodes.NOTEThe DARE master key is generated in thetokens/
directory only if data at rest encryption is enabled on the cluster using the-dare
option withconfigure.sh
.
Enabling Security for Additional Cluster Nodes
About this task
configure.sh
without the -genkeys
option after copying the required files to the node. For a mixed
configuration, first create the key and trust stores on the secure non-FIPS
node using the ${MAPR_HOME}/server/manageSSLKeys.sh convert
utility. Then copy these stores to the key and trust stores of the
additional cluster node: - If you are connecting an additional secure non-FIPS cluster node to
the first FIPS-enabled cluster node, copy the
ssl_keystore.bcfks
andssl_truststore.bcfks
from the${MAPR_HOME}/conf
directory of the first FIPS-enabled cluster node to the node being configured. Then run themanageSSLKeys.sh convert
utility from the secure non-FIPS node. Copy the converted JKS key and trust stores to the additional secure non-FIPS cluster node (or simply specify the destination key/trust store as${MAPR_HOME}/conf/ssl_keystore
and${MAPR_HOME}/conf/ssl_truststore
respectively in the${MAPR_HOME}/server/manageSSLKeys.sh convert
utility). - If you are connecting an additional FIPS-enabled cluster node to the
first secure non-FIPS cluster node, copy the JKS
ssl_keystore
andssl_truststore
from the${MAPR_HOME}/conf
directory of the first secure non-FIPS cluster node to a temporary directory of the first node. Then run themanageSSLKeys.sh convert
utility from the first secure non-FIPS node. Copy the converted BCFKS key and trust stores to the${MAPR_HOME}/conf
directory of the additional FIPS-enabled cluster node.
Adding a FIPS-Enabled Server to a FIPS Cluster
About this task
To connect a FIPS-enabled server to a cluster consisting of at least one FIPS-enabled node.
Procedure
-
Copy the following files from the existing FIPS-enabled server to the
new FIPS server:
Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper nodes conf/ssl_keystore.bcfks
conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_truststore.bcfks
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/maprkeycreds.bcfks
conf/maprkeycreds.conf
conf/maprtrustcreds.bcfks
conf/maprtrustcreds.conf
conf/maprhsm.conf
conf/maprhsm.conf
conf/maprserverticket
conf/tokens
(usescp -r
to copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/ssl_keystore.bcfks
conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_truststore.bcfks
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/maprkeycreeds.bcfks
conf/maprkeycreds.conf
conf/maprtrustcreds.bcfks
conf/maprtrustcreds.conf
conf/maprhsm.conf
conf/maprserverticket
-
conf/ca
(use a command such asscp -r
to copy everything in this folder)
CAUTIONDo NOT copyconf/ssl_keystore
andconf/ssl_truststore
. These are symbolic links tossl_keystore.bcfks
andssl_truststore.bcfks
, which will be generated by configure.sh.CAUTIONWhen adding a non-FIPS node to a FIPS cluster, DO NOT copy the Hadoopssl*.xml
files to the other cluster nodes. ThemanageSSLKeys.sh
script (invoked byconfigure.sh
) uses the store type to determine if FIPS is enabled and assumes the system is FIPS-enabled if the store type is BCFKS. Copying the Hadoopssl*
files that are set to the BCFKS store type from a FIPS node to a non-FIPS node causes theconfigure.sh
script to fail. -
Run
configure.sh
without the-genkeys
option. For example, if the cluster name isfips0.cluster.com
and the CLDB and ZooKeeper nodes are atm2-mapreng-vm166250
, then the command is:/opt/mapr/server/configure.sh -secure -N fips0.cluster.com \ -C m2-mapreng-vm166250:7222
Adding a Secure Non-FIPS Server to a FIPS Cluster
About this task
Non-FIPS enabled nodes do not support the BCFKS trust store format. Copying the BCFKS trust store from a FIPS-enabled server to the non-FIPS enabled server that is being added will not work. Create the JKS trust store on the non-FIPS server by importing the same keys and certificates that are in the BCFKS key and trust stores on the existing FIPS-enabled server host. Different configuration procedures apply depending on whether you are configuring for the first cluster or for subsequent clusters.
Procedure
-
Copy the following files from an existing FIPS-enabled node in the
cluster to the new non-FIPS node being added:
Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper nodes conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/maprkeycreds.conf
conf/maprtrustcreds.conf
conf/maprhsm.conf
conf/maprserverticket
conf/tokens
(usescp -r
to copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/maprkeycreds.conf
conf/maprtrustcreds.conf
conf/maprhsm.conf
conf/maprserverticket
-
conf/ca
(use a command such asscp -r
to copy everything in this folder)
CAUTIONWhen adding a non-FIPS node to a FIPS cluster, DO NOT copy the Hadoopssl*.xml
files to the other cluster nodes. ThemanageSSLKeys.sh
script (invoked byconfigure.sh
) uses the store type to determine if FIPS is enabled and assumes the system is FIPS-enabled if the store type is BCFKS. Copying the Hadoopssl*
files that are set to the BCFKS store type from a FIPS node to a non-FIPS node causes theconfigure.sh
script to fail. -
Copy the following key store, trust store, userkey store, and usertrust
store files from the FIPS-enabled server to a temporary directory of the
secure non-FIPS enabled server being added:
${MAPR_HOME}/conf/ssl_keystore.bcfks
${MAPR_HOME}/conf/ssl_truststore.bcfks
${MAPR_HOME}/conf/ssl_userkeystore.bcfks
${MAPR_HOME}/conf/ssl_usertruststore.bcfks
-
Run the
manageSSLKeys.sh convert
utility to convert the key and trust store (and userkey and usertruststore) from BCFKS format to JKS format. The destination key and trust store will be set to the same password as the source key/trust store. You can obtain the key and trust store passwords from thestore-passwords.txt
file. For example:# /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /tmp/ssl_keystore.bcfks /opt/mapr/conf/ssl_keystore # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /tmp/ssl_truststore.bcfks /opt/mapr/conf/ssl_truststore # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /tmp/ssl_userkeystore.bcfks /opt/mapr/conf/ssl_userkeystore # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /tmp/ssl_usertruststore.bcfks /opt/mapr/conf/ssl_usertruststore
-
Run the
configure.sh
script without the-genkeys
option on the secure non-FIPS enabled server being added, using the-storepasswds
option to specify the key and trust store passwords. Since the converted key and trust stores are set to the same password as the source, the passwords must be the same as the passwords you specified using the-p
option in step 3. For example:# /opt/mapr/server/configure.sh -secure \ -N hpe186.cluster.com \ -C m2-mapreng-vm167186:7222 \ -Z m2-mapreng-vm167186:5181 \ -storepasswds \ VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC:1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA
Adding a FIPS Server to a Secure Non-FIPS Cluster
About this task
Use the following steps to connect a FIPS-enabled server to a cluster consisting of only secure non-FIPS enabled nodes:,
Procedure
-
Copy the following files from an existing secure non-FIPS node in the
cluster to the FIPS-enabled server being added:
Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper nodes conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/maprkeycreds.conf
conf/maprtrustcreds.conf
conf/maprhsm.conf
conf/maprserverticket
conf/tokens
(usescp -r
to copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/ssl_keystore.p12
conf/ssl_keystore.pem
conf/ssl_truststore.p12
conf/ssl_truststore.pem
conf/maprkeycreds.conf
conf/maprtrustcreds.conf
conf/maprhsm.conf
conf/maprserverticket
conf/ca
(use a command such asscp -r
to copy everything in this folder)
CAUTIONWhen adding a non-FIPS node to a FIPS cluster, DO NOT copy the Hadoopssl*.xml
files to the other cluster nodes. ThemanageSSLKeys.sh
script (invoked byconfigure.sh
) uses the store type to determine if FIPS is enabled and assumes the system is FIPS-enabled if the store type is BCFKS. Copying the Hadoopssl*
files that are set to the BCFKS store type from a FIPS node to a non-FIPS node causes theconfigure.sh
script to fail. -
On the secure non-FIPS enabled server in the existing cluster, run the
manageSSLKeys.sh convert
utility to convert the key and trust store (and userkey and usertruststore) from JKS to BCFKS format. You can obtain the key and trust store passwords from thestore-passwords.txt
file. For example:# /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /opt/mapr/conf/ssl_keystore /tmp/ssl_keystore.bcfks # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /opt/mapr/conf/ssl_truststore /tmp/ssl_truststore.bcfks # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /opt/mapr/conf/ssl_userkeystore /tmp/ssl_userkeystore.bcfks # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /opt/mapr/conf/ssl_usertruststore /tmp/ssl_usertruststore.bcfks
-
Copy the converted
.bcfks
files from the secure non-FIPS server to the FIPS server being added as follows:Copy this converted file . . . To this location on the FIPS server . . . ssl_keystore.bcfks
/opt/mapr/conf/ssl_keystore.bcfks
ssl_userkeystore.bcfks
/opt/mapr/conf/ssl_userkeystore.bcfks
ssl_truststore.bcfks
/opt/mapr/conf/ssl_truststore.bcfks
ssl_usertruststore.bcfks
/opt/mapr/conf/ssl_usertruststore.bcfks
-
Run
configure.sh
without the-genkeys
option on the FIPS enabled server being added, using the-storepasswds
option to specify the key and trust store passwords. Since the converted BCFKS key and trust store is set to the same password as the source, the passwords must be the same as the passwords specified using the-p
option in step 2. For example:/opt/mapr/server/configure.sh -secure \ -N hpe186.cluster.com \ -C m2-mapreng-vm167186:7222 \ -Z m2-mapreng-vm167186:5181 \ -storepasswds \ VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC:1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA