Understanding the Key Store and Trust Store Files

Provides a comprehensive listing of the key store and trust store files.

Key Stores and Trust Stores Added for Release 7.0.0

Release 7.0.0 added the following key store and trust store files to support FIPS compliance. Java applications use the Bouncy Castle BCFKS key and trust stores, which are new in release 7.0.0. Non-Java applications continue to use the existing PKCS#12 key and trust stores, as well as PEM files.

As part of Enabling Security on a Configured Cluster, you must copy the key and trust stores, as well as the associated key and trust store credentials, from the /opt/mapr/conf directory of the first CLDB node to the /opt/mapr/conf directory on all other server nodes. For client-only nodes, only copy the trust stores and the associated trust store credentials.

maprkeycreds.bcfks
Location: /opt/mapr/conf
Description: On FIPS-enabled nodes, the encrypted key store that contains passwords used to access the ssl_keystore and ssl_userkeystore.
maprkeycreds.jceks
Location: /opt/mapr/conf
Description: On non-FIPS-enabled nodes, the encrypted key store that contains passwords used to access the ssl_keystore and ssl_userkeystore.
maprtrustcreds.bcfks
Location: /opt/mapr/conf
Description: On FIPS-enabled nodes, the encrypted trust store that contains passwords used to access the ssl_truststore and ssl_usertruststore.
maprtrustcreds.jceks
Location: /opt/mapr/conf
Description: On non-FIPS-enabled nodes, the encrypted trust store that contains passwords used to access the ssl_truststore and ssl_usertruststore.
ssl_keystore.bcfks
Location: /opt/mapr/conf
Description: On FIPS-enabled nodes, the encrypted key store that is generated by configure.sh and used by various data-fabric server-side components for TLS 1.2 communication.
ssl_truststore.bcfks
Location: /opt/mapr/conf
Description: On FIPS-enabled nodes, the encrypted trust store that is generated by configure.sh and used by various data-fabric server-side components for TLS 1.2 communication.
ssl_userkeystore.bcfks
Location: /opt/mapr/conf
Description: On FIPS-enabled nodes, the encrypted key store containing the private keys and the certificates for log-monitoring users.
ssl_usertruststore.bcfks
Location: /opt/mapr/conf
Description: On FIPS-enabled nodes, the encrypted trust store containing the public keys, and no private keys, for log-monitoring users.
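As an added example (not part of the product documentation), the following POSIX shell function verifies the copy step above on a node: it checks that the release 7.0.0 BCFKS stores required for the node's role are present, that each matches a sha256sum manifest taken in /opt/mapr/conf on the first CLDB node, and that the files holding private keys or the passwords to them are not readable by other users. The MAPR_CONF variable, the manifest file name, and the owner-only permission expectation are assumptions, not documented requirements.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Verifies that the
# release 7.0.0 BCFKS key/trust stores and credential stores on this node match
# a reference manifest made on the first CLDB node (the copy source).
# Assumptions: GNU coreutils sha256sum and POSIX find/awk are available; the
# manifest is "sha256sum" output produced in /opt/mapr/conf on the CLDB node.
MAPR_CONF="${MAPR_CONF:-/opt/mapr/conf}"

# Server nodes need the key stores, trust stores, and both credential stores.
SERVER_FILES="maprkeycreds.bcfks maprtrustcreds.bcfks ssl_keystore.bcfks ssl_truststore.bcfks ssl_userkeystore.bcfks ssl_usertruststore.bcfks"
# Client-only nodes receive only the trust stores and trust credentials.
CLIENT_FILES="maprtrustcreds.bcfks ssl_truststore.bcfks ssl_usertruststore.bcfks"
# Files that hold private keys or the passwords to them; the assumption here is
# that nobody on the node except the owner should be able to read them.
PRIVATE_FILES="maprkeycreds.bcfks ssl_keystore.bcfks ssl_userkeystore.bcfks"

# check_store_files <server|client> <conf_dir> <manifest>
# Prints one line per problem found and returns 1 if any, otherwise 0.
check_store_files() {
  role="$1"; conf="$2"; manifest="$3"; rc=0
  if [ "$role" = "client" ]; then files="$CLIENT_FILES"; else files="$SERVER_FILES"; fi
  for f in $files; do
    path="$conf/$f"
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"; rc=1; continue
    fi
    # Manifest lines look like "<sha256>  <filename>"; pick the hash for $f.
    expected=$(awk -v n="$f" '$2 == n { print $1 }' "$manifest")
    actual=$(sha256sum "$path" | awk '{ print $1 }')
    if [ -z "$expected" ]; then
      echo "NOREF    $path is not listed in $manifest"; rc=1
    elif [ "$expected" != "$actual" ]; then
      echo "MISMATCH $path differs from the CLDB node copy"; rc=1
    fi
    # Private-key material and its passwords: flag the other-read bit.
    case " $PRIVATE_FILES " in
      *" $f "*)
        if [ -n "$(find "$path" -perm -o+r -print)" ]; then
          echo "WORLDREAD $path is readable by other users"; rc=1
        fi ;;
    esac
  done
  return $rc
}

# Example invocation on a server node (manifest copied alongside the stores):
# check_store_files server "$MAPR_CONF" "$MAPR_CONF/stores.sha256"
```

Run it once per node after copying, with the role matching the node (server or client); a non-zero exit with the printed lines tells you which file to recopy or re-permission.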

Key Stores and Trust Stores Added for Release 6.2.0

The following key store and trust store files were added at release 6.2.0 to support SSL security for the log stack (Kibana, Elasticsearch, and Fluentd). As part of Enabling Security on a Configured Cluster, you must copy these files from the /opt/mapr/conf directory of the security master node to the /opt/mapr/conf directory on all other nodes, and assign the appropriate ownership and permissions.

ssl_userkeystore
Location: /opt/mapr/conf
Description: The key store containing the private keys and the certificates for log-stack users.
ssl_userkeystore.csr
Location: /opt/mapr/conf
Description: The certificate-signing request created when the certs are signed using the CA chain.
ssl_userkeystore.p12
Location: /opt/mapr/conf
Description: The PKCS#12 version of the ssl_userkeystore. The .p12 version of the file is reserved for future use.
ssl_userkeystore.pem
Location: /opt/mapr/conf
Description: The key store containing all of the certs from the ssl_userkeystore in the .pem format.
ssl_userkeystore-signed.pem
Location: /opt/mapr/conf
Description: The key store containing all of the signed certs from the ssl_userkeystore in the .pem format.
ssl_usertruststore
Location: /opt/mapr/conf
Description: The trust store containing the public keys, and no private keys, for the log-stack users.
ssl_usertruststore.p12
Location: /opt/mapr/conf
Description: The PKCS#12 version of the ssl_usertruststore. The .p12 version of the file is reserved for future use.
ssl_usertruststore.pem
Location: /opt/mapr/conf
Description: The key store containing all of the certs from the ssl_usertruststore in the .pem format.

Certificate Files in 6.2.0

The following files were added at release 6.2.0 to facilitate self-signing of data-fabric certificates. Previously, data-fabric certificates were unsigned. As part of Enabling Security on a Configured Cluster, you must copy these files from the /opt/mapr/conf directory of the security master node to the /opt/mapr/conf directory on all other nodes, and assign the appropriate ownership and permissions:

root-ca.pem
Location: /opt/mapr/conf/ca
Description: The root signing certificate authority.
chain-ca.pem
Location: /opt/mapr/conf/ca
Description: The chain certificate authority, which contains both the root CA and signing CA.
signing-ca.pem
Location: /opt/mapr/conf/ca
Description: The signing certificate authority.

KMIP Tokens Added in 6.2.0

External key store (KMIP) tokens were also added as part of release 6.2.0. The KMIP tokens are used for authentication and communication with an external key store. The tokens are contained in /opt/mapr/conf/tokens. Tokens must be copied to all the CLDB nodes in the cluster.

Key Stores and Trust Stores in Release 6.1.0

The following files are generated by running configure.sh -dare -genkeys on a CLDB node. Alternatively, you can generate them by running the manageSSLKeys.sh script. The ssl_keystore, ssl_keystore.p12, ssl_keystore.pem, ssl_truststore, ssl_truststore.p12, and ssl_truststore.pem files are also generated during installation of the Web server, even if you did not enable security. For more information, see Enabling Security on a Configured Cluster.

cldb.key
Location: /opt/mapr/conf
Description: The CLDB key file. This file must exist on all CLDB nodes and be identical. Releases 7.0.0 and later no longer use this key file. For more information, see Protection of CLDB and DARE Master Keys.
dare.master.key
Location: /opt/mapr/conf
Description: The key file that enables data-at-rest encryption. The dare.master.key file is generated only if data-at-rest encryption is enabled on the cluster. This file must be copied to all the nodes with the CLDB service installed.
maprserverticket
Location: /opt/mapr/conf
Description: The server ticket. This file must exist on all cluster nodes and be identical.
ssl-client.xml
Location (symlink): /opt/mapr/conf
Location (file): ${MAPR_HOME}/hadoop/hadoop-<version>/etc/hadoop/ssl-client.xml
Description: Contains the SSL configuration for the client in XML format.
ssl_keystore
Location: /opt/mapr/conf
Description: This file is needed on all nodes where the webserver is running.
ssl_keystore.p12
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_keystore.p12 and ssl_truststore.p12 files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The .p12 files are required to generate the .pem files needed by Grafana and the Data Access Gateway. This step is necessary only for manual upgrades.
ssl_keystore.pem
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_truststore.pem and ssl_keystore.pem files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The Data Access Gateway, Grafana, and Hue components use these files. This step is necessary only for manual upgrades.
ssl-server.xml
Location (symlink): /opt/mapr/conf
Location (file): ${MAPR_HOME}/hadoop/hadoop-<version>/etc/hadoop/ssl-server.xml
Description: Contains the SSL configuration for the server in XML format.
ssl_truststore
Location: /opt/mapr/conf
Description: Contains the certificates required by nodes initiating communication over TLS.
ssl_truststore.p12
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_keystore.p12 and ssl_truststore.p12 files, and copy them to the /opt/mapr/conf directory on all nodes in the cluster. The .p12 files are required to generate the .pem files needed by Grafana and the Data Access Gateway. This step is necessary only for manual upgrades.
ssl_truststore.pem
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_truststore.pem and ssl_keystore.pem files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The Data Access Gateway, Grafana, and Hue components use these files. This step is necessary only for manual upgrades.