1,生成 keystore
在其中一個節點上執行如下命令
openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=chaoyang/O=xxxx/OU=dt/CN=xxxx.com'
生成 hdfs_ca_key,hdfs_ca_cert
將hdfs_ca_key,hdfs_ca_cert拷貝到集羣中的每個節點上
分別登錄每個節點執行一下命令
mkdir tmp
cd tmp
cp ../hdfs_ca_key .
cp ../hdfs_ca_cert .
// 生成 keystore
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=${本節點的fqdn}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"
//添加 CA 到 truststore
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert
//從 keystore 中導出 cert
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -certreq -alias localhost -keystore keystore -file cert
//用 CA 對 cert 簽名
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial
//將 CA 的 cert 和用 CA 簽名之後的 cert 導入 keystore
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias localhost -import -file cert_signed
將生成的文件拷貝到對應的目錄下
sudo mkdir /etc/https
sudo cp keystore /etc/https/keystore.jks
sudo cp truststore /etc/https/truststore.jks
sudo chmod 755 /etc/https
sudo chmod 644 /etc/https/keystore.jks
sudo chmod 644 /etc/https/truststore.jks
2,修改hdfs的配置
advanced hdfs-site選項中修改
dfs.datanode.address=0.0.0.0:61004
dfs.http.policy=HTTPS_ONLY
custom hdfs-site選項中添加
dfs.client.https.need-auth=false
dfs.data.transfer.protection=integrity
修改hadoop-env.sh,註釋以下內容
#On secure datanodes, user to run the datanode as after dropping privileges
#export HADOOP_SECURE_DN_USER=
配置ssl-client.xml
<configuration>
<property>
<name>ssl.client.truststore.location</name>
<value>/etc/https/truststore.jks</value>
<description>Truststore to be used by clients like distcp. Must be specified.</description>
</property>
<property>
<name>ssl.client.truststore.password</name>
<value>adminadmin</value>
<description>Optional. Default value is "".</description>
</property>
<property>
<name>ssl.client.truststore.type</name>
<value>jks</value>
<description>Optional. The keystore file format, default value is "jks".</description>
</property>
<property>
<name>ssl.client.truststore.reload.interval</name>
<value>10000</value>
<description>Truststore reload check interval, in milliseconds.Default value is 10000 (10 seconds).</description>
</property>
<property>
<name>ssl.client.keystore.location</name>
<value>/etc/https/keystore.jks</value>
<description>Keystore to be used by clients like distcp. Must be specified.</description>
</property>
<property>
<name>ssl.client.keystore.password</name>
<value>adminadmin</value>
<description>Optional. Default value is "".</description>
</property>
<property>
<name>ssl.client.keystore.keypassword</name>
<value>adminadmin</value>
<description>Optional. Default value is "".</description>
</property>
<property>
<name>ssl.client.keystore.type</name>
<value>jks</value>
<description>Optional. The keystore file format, default value is "jks".</description>
</property>
</configuration>
配置ssl-server.xml
<configuration>
<property>
<name>ssl.server.truststore.location</name>
<value>/etc/https/truststore.jks</value>
<description>Truststore to be used by NN and DN. Must be specified.</description>
</property>
<property>
<name>ssl.server.truststore.password</name>
<value>adminadmin</value>
<description>Optional. Default value is "".</description>
</property>
<property>
<name>ssl.server.truststore.type</name>
<value>jks</value>
<description>Optional. The keystore file format, default value is "jks".</description>
</property>
<property>
<name>ssl.server.truststore.reload.interval</name>
<value>10000</value>
<description>Truststore reload check interval, in milliseconds.Default value is 10000 (10 seconds).</description>
</property>
<property>
<name>ssl.server.keystore.location</name>
<value>/etc/https/keystore.jks</value>
<description>Keystore to be used by NN and DN. Must be specified.</description>
</property>
<property>
<name>ssl.server.keystore.password</name>
<value>adminadmin</value>
<description>Must be specified.</description>
</property>
<property>
<name>ssl.server.keystore.keypassword</name>
<value>adminadmin</value>
<description>Must be specified.</description>
</property>
<property>
<name>ssl.server.keystore.type</name>
<value>jks</value>
<description>Optional. The keystore file format, default value is "jks".</description>
</property>
</configuration>
爲Ambari_server設置truststore
ambari-server setup-security
Using python /usr/bin/python2.6
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): *4*
Do you want to configure a truststore [y/n] (y)? *y*
TrustStore type [jks/jceks/pkcs12] (jks): *jks*
Path to TrustStore file : /etc/https/truststore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.
重啓ambari-server
ambari-server restart