tonglin0325's personal homepage

CDH 5.16: Enabling TLS for Cloudera Manager

Once authentication and authorization are enabled in the cluster, Cloudera Manager Server transmits sensitive material such as keytabs and passwords over the network to the cluster nodes. To protect this data in transit, TLS encryption must be configured between Cloudera Manager Server and every cluster node.

TLS is also what secures client connections to the Cloudera Manager Admin Console over HTTPS.

After Kerberos has been enabled on CDH, the Cloudera Manager console shows a security warning asking you to add at least Level 1 TLS encryption.


Reference (official documentation): Configuring TLS Encryption for Cloudera Manager

0638-6.1.0-Configuring TLS for Cloudera Manager

Configuring TLS encryption for Cloudera Manager

Big data platform deployment: enabling TLS encrypted transport on CDH


1. Configure the environment

export JAVA_HOME=/usr/java/jdk1.8.0_121

2. Create the directory

sudo mkdir -p /opt/cloudera/security/pki 

3. Generate the JKS and CSR

Generate the Java keystore

Be sure to use the same keystore password and key password: Cloudera Manager does not support different passwords for the key and the keystore.

root@master:/opt/cloudera/security/pki# $JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=Engineering,O=Cloudera,L=Palo Alto,ST=California,C=US" -ext san=dns:$(hostname -f)
Enter keystore password:
Re-enter new password:
Enter key password for <master>
(RETURN if same as keystore password):
Re-enter new password:

Generate the certificate signing request (CSR)

root@master:/opt/cloudera/security/pki# $JAVA_HOME/bin/keytool -certreq -alias $(hostname -f) -keystore /opt/cloudera/security/pki/$(hostname -f).jks -file /opt/cloudera/security/pki/$(hostname -f).csr -ext san=dns:$(hostname -f) -ext EKU=serverAuth,clientAuth
Enter keystore password:
root@master:/opt/cloudera/security/pki# ls
master.csr master.jks

4. Submit the CSR to a CA and obtain a signed certificate; here the CA itself is created with openssl

Generate the CA private key, protected with a passphrase

root@master:/opt/cloudera/security/pki# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
......................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

Generate the CA's own certificate request (the .csr file)

The information entered here must match what was used when generating the Java keystore: the default signing policy in openssl.cnf (policy_match) requires the countryName, stateOrProvinceName and organizationName of a request to equal those of the CA certificate, otherwise openssl ca rejects the server request in the signing step below.

root@master:/opt/cloudera/security/pki# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Palo Alto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cloudera
Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:master
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the root certificate with the CA's own private key, producing the .crt file

root@master:/opt/cloudera/security/pki# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Palo Alto/O=Cloudera/OU=Engineering/CN=master
Getting Private key
Enter pass phrase for ca.key:

Sign the server's certificate request with the CA root certificate, producing the .pem file

Reference: Using an OpenSSL-generated CA root certificate to sign a certificate request generated by keytool

root@master:/opt/cloudera/security/pki# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in master.csr -out master.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 19 06:03:33 2022 GMT
Not After : Jul 16 06:03:33 2032 GMT
Subject:
countryName = US
stateOrProvinceName = California
organizationName = Cloudera
organizationalUnitName = Engineering
commonName = master
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7F:4E:EC:8E:6D:44:9F:E2:63:65:6A:DC:86:A8:1B:35:20:AB:63:89
X509v3 Authority Key Identifier:
DirName:/C=US/ST=California/L=Palo Alto/O=Cloudera/OU=Engineering/CN=master
serial:86:33:3F:52:47:19:6A:66

Certificate is to be certified until Jul 16 06:03:33 2032 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The first run of openssl ca failed with an error about a missing directory and files: the default openssl.cnf ([ CA_default ]) keeps its certificate database under ./demoCA, so create it in the working directory before signing:

mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
echo "01" > ./demoCA/serial

5. After obtaining the signed certificate, place it at the following path:

/opt/cloudera/security/pki/$(hostname -f).pem

6. Check the signed certificate to verify that the server and client authentication options (extended key usage) and the Subject Alternative Name are present

openssl x509 -in /opt/cloudera/security/pki/$(hostname -f).pem -noout -text
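Added here as a verification helper for step 6 (it is not from the original post or from Cloudera): a POSIX shell function that decodes the signed .pem and reports whether the SAN, the serverAuth/clientAuth EKUs, the chain to ca.crt and the remaining validity are all in order. The function name check_cm_cert and its argument order are this script's own assumptions; run it as check_cm_cert /opt/cloudera/security/pki/$(hostname -f).pem ca.crt $(hostname -f).

```shell
#!/bin/sh
# Added verification helper for step 6 (not part of the original post).
# check_cm_cert <signed cert .pem> <ca.crt> <fqdn>  -> returns 0 only if the
# certificate is usable by Cloudera Manager and its agents for that host.
check_cm_cert() {
    cert=$1; ca=$2; fqdn=$3; rc=0
    # Decode the certificate once; the extension checks grep this dump.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: $cert is not a readable X.509 certificate"; return 1; }
    # The SAN must name the host: hostname verification is done against the
    # SAN, so a matching CN alone is not enough. (Dots in $fqdn act as regex
    # wildcards here, which is exact enough for a hostname check.)
    if ! printf '%s\n' "$text" | grep -Eq "DNS:$fqdn([ ,]|\$)"; then
        echo "FAIL: no subjectAltName entry DNS:$fqdn"; rc=1
    fi
    # The keytool CSR asked for both EKUs and step 6 wants both confirmed.
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        if ! printf '%s\n' "$text" | grep -q "$eku"; then
            echo "FAIL: extendedKeyUsage lacks '$eku'"; rc=1
        fi
    done
    # 'openssl ca' with the stock openssl.cnf does not copy the SAN/EKU from
    # the CSR (copy_extensions is unset), so the two checks above are the
    # ones that usually fail on a first attempt.
    # Agents and browsers must be able to build a chain to the CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi
    # Refuse certificates that are expired or expire within 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 24 hours"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert is usable for $fqdn"
    fi
    return "$rc"
}
```

In the signing output above, the certificate issued by openssl ca carries neither the SAN nor the EKU that keytool placed in the CSR, which this check flags; setting copy_extensions = copy under [ CA_default ] in openssl.cnf and re-signing fixes it.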

7. Copy the CA certificate