manageSSLKeys.sh

Use the manageSSLKeys.sh utility to create and manage SSL certificates.

Syntax

# /opt/mapr/server/manageSSLKeys.sh
manageSSLKeys.sh is a tool to create and manage the SSL certificates.
it is run once on the first node from configure.sh
Usage: manageSSLKeys and one of
     create [-d DNSDOMAIN] [-N clustername]
        creates the SSL key and trust stores needed for HTTPS traffic
        -d specifies DNS domain used in wildcard certificate. Default is detected from Local OS
        -N clustername
        -ug MapR user/group, e.g., mapr:mapr
     merge <in trust store> <out trust store>
        merges the certificates from the in trust store into the existing out trust store
     convert [-N <clustername> ] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
        converts an existing key/trust store into a new PEM type key/trust store
        if srcType and dstType are not specified, it is assumed that you are 
        converting from JKS to PEM(via pkcs12)
        -N <clustername>
        -k denotes you are converting a keystore
        -n Skips creating the PEM file when converting the key/trust store from JKS to PKCS12 format
        -p <passwd> store password - needed if you are converting custom stores
        -srcType JKS|pkcs12 denotes the source format of the store
        -dstType JKS|pkcs12 denotes the destination format of the store

Operations

manageSSLKeys.sh performs the following operations:
create
Description: Creates the SSL key and trust stores needed for HTTPS traffic.
Format: create [-d DNSDOMAIN] [-N clustername] -ug <maprUserGroup>
Parameters:
  • d: DNS domain used for the wildcard certificate. The default domain is detected from the local OS.
  • N: Name of the cluster.
  • ug: User:Group to use for the key. For example: mapr:mapr.
merge
Description: Merges the SSL certificates from the in trust store into the existing out trust store.
Format: merge <in trust store> <out trust store>
Parameters:
  • in trust store: Source trust store from which to obtain the SSL certificates.
  • out trust store: Destination trust store into which the SSL certificates are merged.
convert
Description: Converts an existing key/trust store into a new PEM type key/trust store. If you do not specify the type of the source and the destination key/trust store, it is assumed that you are converting from JKS to PEM (via pkcs12).
Format: convert [-N <clustername> ] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
Parameters:
  • N: Cluster name.
  • k: Indicates that a keystore is being converted.
  • n: Skips creating the PEM file when converting the key/trust store from JKS to PKCS12 format.
  • p <passwd>: Store password. Needed if you are converting custom stores.
  • srcType: Format of the source key/trust store - either JKS or pkcs12.
  • dstType: Format of the destination key/trust store - either JKS or pkcs12.
  • in key/trust store: The existing key/trust store to convert.
  • out key/trust store: The name to use for the converted key/trust store.
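
A pre-flight wrapper for the convert operation, added here as an example and not shipped with manageSSLKeys.sh: it validates -srcType and -dstType against the two documented values and checks both store paths before building the command line. The function names, exit codes, DRY_RUN switch and refuse-to-overwrite rule are assumptions of this example; -N, -n and -p are left out to keep it short.

```shell
#!/bin/sh
# Added example (not part of the MapR distribution).
# Path taken from the usage text above; override it for testing.
MANAGE_SSL_KEYS="${MANAGE_SSL_KEYS:-/opt/mapr/server/manageSSLKeys.sh}"

# The usage text allows only these two values for -srcType and -dstType.
valid_store_type() {
    case "$1" in
        JKS|pkcs12) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight_convert SRC_TYPE DST_TYPE IN_STORE OUT_STORE
# Exit codes (hypothetical, chosen for this example): 2 bad type,
# 3 unreadable input store, 4 output store already exists.
preflight_convert() {
    src_type=$1 dst_type=$2 in_store=$3 out_store=$4
    valid_store_type "$src_type" || { echo "srcType must be JKS or pkcs12" >&2; return 2; }
    valid_store_type "$dst_type" || { echo "dstType must be JKS or pkcs12" >&2; return 2; }
    [ -r "$in_store" ] || { echo "cannot read input store: $in_store" >&2; return 3; }
    # Precaution of this example, not documented tool behaviour:
    # never let a conversion land on top of an existing store.
    [ ! -e "$out_store" ] || { echo "refusing to overwrite: $out_store" >&2; return 4; }
}

# run_convert [-k] SRC_TYPE DST_TYPE IN_STORE OUT_STORE
# With DRY_RUN=1 the command line is printed instead of executed.
run_convert() {
    kflag=
    if [ "$1" = "-k" ]; then kflag=-k; shift; fi
    preflight_convert "$@" || return $?
    # Options precede the two positional store arguments, as in the Format line.
    set -- -srcType "$1" -dstType "$2" "$3" "$4"
    [ -z "$kflag" ] || set -- -k "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$MANAGE_SSL_KEYS convert $*"
    else
        "$MANAGE_SSL_KEYS" convert "$@"
    fi
}
```

Run it first with DRY_RUN=1 to review the exact command before any store is touched.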

Examples

The following links demonstrate using the manageSSLKeys.sh utility.