Encrypt the Oozie Keystore Password

About this task

IMPORTANT This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.
Starting from Oozie 5.1.0.0, follow these steps to encrypt the keystore password when Oozie is configured to use SSL.
NOTE Oozie 5.1.0.0 is configured to use SSL by default on secure clusters.

Procedure

  1. [OPTIONAL] Export the Hadoop credential store password as an environment variable:
    $ export HADOOP_CREDSTORE_PASSWORD=password
  2. Add oozie.https.keystore.pass to the jceks keystore:
    $ hadoop credential create oozie.https.keystore.pass -provider jceks://path/to/oozie.jceks
    Enter the password:
    Enter the password again:
    oozie.https.keystore.pass has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
  3. Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file and set its value to the path of the jceks file. The jceks file can be located on maprfs or on the local file system (local-fs).
    <property>
       <name>hadoop.security.credential.provider.path</name>
       <value>jceks://path/to/oozie.jceks</value>
    </property>
  4. Update the password property to use ***** instead of a plaintext password:
    <property>
      <name>oozie.https.keystore.pass</name>
      <value>*****</value>
    </property>

What to do next

NOTE You can use the same jceks file for storing both database and keystore passwords.