Encrypt the Oozie Database User Password
About this task
IMPORTANT: This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.
Follow these steps to encrypt the password when Oozie uses a MySQL database as the Oozie data store (instead of the default Apache Derby database).
Procedure
- Configure Oozie to use a MySQL database as described in Configure a MySQL Data Store for Oozie.
- [OPTIONAL] Export the Hadoop credential store password as a system variable:
  $ export HADOOP_CREDSTORE_PASSWORD=password
- Add oozie.service.jpaservice.jdbc.password to the jceks keystore:
  $ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://path/to/oozie.jceks
  Enter the password:
  Enter the password again:
  oozie.service.jpaservice.jdbc.password has been successfully created.
  org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
- Verify that the MySQL password was added:
  Keystore type: JCEKS
  Keystore provider: SunJCE
  Your keystore contains 1 entry
  Alias name: oozie.service.jpaservice.jdbc.password
  Creation date: Apr 11, 2018
  Entry type: SecretKeyEntry
- Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>jceks://path/to/oozie.jceks</value>
  </property>
- Update the password property to use ***** instead of a word-readable password:
  <property>
    <name>oozie.service.JPAService.jdbc.password</name>
    <value>*****</value>
  </property>
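
A post-change check for the last two steps, as an added example that is not part of the HPE documentation: it parses the contents of an oozie-site.xml and reports whether the credential provider path is set and whether the password property holds the ***** placeholder. The function names and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROVIDER_KEY = "hadoop.security.credential.provider.path"
PASSWORD_KEY = "oozie.service.JPAService.jdbc.password"
MASK = "*****"  # placeholder value the procedure puts in oozie-site.xml


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_oozie_site(xml_text):
    """Return a list of findings; an empty list means the file matches the procedure."""
    props = load_properties(xml_text)
    findings = []
    provider = props.get(PROVIDER_KEY)
    if not provider:
        findings.append(f"{PROVIDER_KEY} is not set")
    elif not all(p.strip().startswith("jceks://") for p in provider.split(",")):
        findings.append(f"{PROVIDER_KEY} has a non-jceks entry")
    password = props.get(PASSWORD_KEY)
    if password is None:
        findings.append(f"{PASSWORD_KEY} is not set")
    elif password != MASK:
        # Never echo the value itself: it may be the real database password.
        findings.append(f"{PASSWORD_KEY} is not masked; it may hold a plaintext password")
    return findings


# Constructed sample inputs (not taken from a real cluster).
BEFORE = """<configuration>
  <property><name>oozie.service.JPAService.jdbc.password</name><value>s3cret</value></property>
</configuration>"""
AFTER = """<configuration>
  <property><name>hadoop.security.credential.provider.path</name><value>jceks://path/to/oozie.jceks</value></property>
  <property><name>oozie.service.JPAService.jdbc.password</name><value>*****</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_oozie_site(text) or "OK")
```

To check a real file, pass its contents to audit_oozie_site; the findings deliberately omit the property value so a leftover plaintext password is not copied into logs.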