manageSSLKeys.sh

Use the manageSSLKeys.sh utility to create and manage SSL certificates.

Syntax

# /opt/mapr/server/manageSSLKeys.sh
manageSSLKeys.sh is a tool to create and manage the SSL certificates. It is run once on the first node from configure.sh
Usage: manageSSLKeys and one of
       create [-d DNSDOMAIN] [-N clustername] [-p password] -ug <maprUserGroup>
              creates the SSL key and trust stores needed for HTTPS traffic
              -d specifies DNS domain used in wildcard certificate. Default
                 is detected from Local OS
              -N clustername
              -p password or file containing password
              -ug MapR user/group, e.g., mapr:mapr
       merge <in trust store> <out trust store> [inPasswordFile (needed to override default password)]
             merges the certificates from the in trust store into the existing out trust store
       copytruststore <outputFile> [password (needed to override default password)]
       copywithconfiguredpassword <srcStore> <destStore> <srcPassword>
       createrandompassword [oldPassword (needed to override default password)]
       createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
              -N <clustername>
              -d specifies DNS domain used in wildcard certificate. Default
                 is detected from Local OS
              -p password or file containing password
              -ug MapR user/group, e.g., mapr:mapr
       convert [-N <clustername> ] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
              converts an existing key/trust store into a new PEM type key/trust store
              if srcType and dstType are not specified, it is assumed that you are
              converting from JKS to PEM(via pkcs12)
              -N <clustername>
              -a denotes the certificate alias you want to convert
              -k denotes you are converting a keystore
              -p <passwd> store password - needed if you are converting custom stores
              -srcType JKS|pkcs12 denotes the source format of the store
              -dstType JKS|pkcs12 denotes the destination format of the store

Operations

manageSSLKeys.sh performs the following operations:
create
Description: Creates the SSL key and trust stores needed for HTTPS traffic.
Format: create [-d DNSDOMAIN] [-N clustername] [-p password] -ug <maprUserGroup>
Parameters:
  • d: DNS domain used for the wildcard certificate. The default domain is detected from the local OS.
  • N: Name of the cluster.
  • p: Password to use for the SSL key, or a file containing the password.
  • ug: User:Group to use for the key. For example: mapr:mapr.
merge
Description: Merges the SSL certificates from the in trust store into the existing out trust store.
Format: merge <in trust store> <out trust store> [inPasswordFile]
Parameters:
  • in trust store: Source trust store from which to obtain the SSL certificates.
  • out trust store: Existing destination trust store into which the SSL certificates are merged.
  • inPasswordFile: File containing the password for the source trust store.
copytruststore
Description: Makes a copy of the existing trust store on the node on which this command is run.
Format: copytruststore <outputFile> [password]
Parameters:
  • outputFile: The file in which to store the copy of the trust store.
  • password: The password of the trust store being copied.
copywithconfiguredpassword
Description: Copies the source trust store to the destination trust store and secures the destination with the existing destination trust store password.
Format: copywithconfiguredpassword <srcStore> <destStore> <srcPassword>
Parameters:
  • srcStore: Source trust store to copy.
  • destStore: Destination trust store.
  • srcPassword: The password of the source trust store.
createusercerts
Description: Creates SSL user certificates.
Format: createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
Parameters:
  • p: Password to use for the SSL user certificate, or a file containing the password.
  • N: Name of the cluster.
  • d: DNS domain used for the wildcard certificate. The default domain is detected from the local OS.
  • ug: User:Group to use for the certificate. For example: mapr:mapr.
convert
Description: Converts an existing key/trust store into a new PEM type key/trust store. If you do not specify the type of the source and the destination key/trust store, it is assumed that you are converting from JKS to PEM (via pkcs12).
Format: convert [-N <clustername> ] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
Parameters:
  • N: Cluster name.
  • a: Certificate alias to convert.
  • k: Indicates that a keystore is being converted.
  • p: Password of the existing key/trust store.
  • srcType: Format of the source key/trust store - either JKS or pkcs12.
  • dstType: Format of the destination key/trust store - either JKS or pkcs12.
  • in key/trust store: The existing key/trust store to convert.
  • out key/trust store: The name to use for the converted key/trust store.

Examples

The following links demonstrate using the manageSSLKeys.sh utility.
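
Added example, not taken from the original documentation or from the utility: the usage text says -p accepts a password or a file containing the password, and the file form keeps the secret out of the process list and shell history. The wrapper below generates an owner-only password file and passes its path to create. The function names, the DRY_RUN and MANAGE_SSL_KEYS variables, and the sample cluster name and domain are assumptions.

```shell
#!/bin/sh
# Added example: call `manageSSLKeys.sh create` with the file form of -p.
# Function names, DRY_RUN and MANAGE_SSL_KEYS are assumptions of this example.
MANAGE_SSL_KEYS="${MANAGE_SSL_KEYS:-/opt/mapr/server/manageSSLKeys.sh}"

# Create a file readable only by its owner, fill it with a 32-character
# random password, and print the file's path.
make_password_file() {
    old_umask=$(umask)
    umask 077
    pw_file=$(mktemp "${TMPDIR:-/tmp}/sslpw.XXXXXX") || return 1
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32 > "$pw_file"
    umask "$old_umask"
    printf '%s\n' "$pw_file"
}

# Succeed only for a regular file (not a symlink) with no group/other access.
password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Arguments: cluster name, DNS domain, password file, user:group.
# With DRY_RUN=1 (the default) the command is printed instead of executed.
create_stores() {
    cluster=$1 domain=$2 pw_file=$3 user_group=$4
    if ! password_file_is_private "$pw_file"; then
        echo "refusing: $pw_file is missing or accessible to group/other" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s create -N %s -d %s -p %s -ug %s\n' \
            "$MANAGE_SSL_KEYS" "$cluster" "$domain" "$pw_file" "$user_group"
    else
        "$MANAGE_SSL_KEYS" create -N "$cluster" -d "$domain" \
            -p "$pw_file" -ug "$user_group"
    fi
}

# Usage (sample values are constructed):
#   f=$(make_password_file)
#   DRY_RUN=0 create_stores my.cluster.com example.com "$f" mapr:mapr
```

Store the password file somewhere appropriate for long-term secrets, or delete it, once the key and trust stores have been created.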