Understanding the Key Store and Trust Store Files

Provides a comprehensive listing of the key store and trust store files.

Key Stores and Trust Stores Added for Release 6.2.0

The following key store and trust store files were added at release 6.2.0 to support SSL security for the log stack (Kibana, Elasticsearch, and Fluentd). As part of Enabling Security, you must copy these files from the /opt/mapr/conf directory of the security master node to the /opt/mapr/conf directory on all other nodes, and assign the appropriate ownership and permissions.

ssl_userkeystore
Location: /opt/mapr/conf
Description: The key store containing the private keys and the certificates for log-stack users.
ssl_userkeystore.csr
Location: /opt/mapr/conf
Description: The certificate-signing request created when the certs are signed using the CA chain.
ssl_userkeystore.p12
Location: /opt/mapr/conf
Description: The PKCS#12 version of the ssl_userkeystore. The .p12 version of the file is reserved for future use.
ssl_userkeystore.pem
Location: /opt/mapr/conf
Description: The key store containing all of the certs from the ssl_userkeystore in the .pem format.
ssl_userkeystore-signed.pem
Location: /opt/mapr/conf
Description: The key store containing all of the signed certs from the ssl_userkeystore in the .pem format.
ssl_usertruststore
Location: /opt/mapr/conf
Description: The trust store containing the public keys, and no private keys, for the log-stack users.
ssl_usertruststore.p12
Location: /opt/mapr/conf
Description: The PKCS#12 version of the ssl_usertruststore. The .p12 version of the file is reserved for future use.
ssl_usertruststore.pem
Location: /opt/mapr/conf
Description: The key store containing all of the certs from the ssl_usertruststore in the .pem format.

Certificate Files in 6.2.0

The following files were added at release 6.2.0 to facilitate self-signing of data-fabric certificates. Previously, data-fabric certificates were unsigned. As part of Enabling Security, you must copy these files from the /opt/mapr/conf directory of the security master node to the /opt/mapr/conf directory on all other nodes, and assign the appropriate ownership and permissions:

root-ca.pem
Location: /opt/mapr/conf/ca
Description: The root signing certificate authority.
chain-ca.pem
Location: /opt/mapr/conf/ca
Description: The chain certificate authority, which contains both the root CA and signing CA.
signing-ca.pem
Location: /opt/mapr/conf/ca
Description: The signing certificate authority.
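Two of the statements above are checkable on every node after the copy step: chain-ca.pem should hold exactly the certificates of root-ca.pem and signing-ca.pem, and a trust store (the ssl_usertruststore PEM variant described earlier) should contain no private keys. The following is an added example, not code shipped by MapR/HPE; it uses only the Python standard library, compares certificates by SHA-256 fingerprint of their DER bytes rather than verifying signatures, and runs on constructed placeholder PEM blocks (the payloads are not real X.509 objects, so it works offline).

```python
"""PEM consistency checks for the data-fabric CA and trust-store files.

Added example (not MapR/HPE code). Standard library only; compares DER
fingerprints and does not verify signatures.
"""
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in `text`, in file order."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        blocks.append((label, der))
    return blocks


def fingerprint(der):
    """SHA-256 fingerprint of a DER blob, in the colon-separated hex form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_chain_ca(chain_pem, root_pem, signing_pem):
    """Check that chain-ca.pem holds exactly the certs of root-ca.pem and signing-ca.pem.

    Returns a dict with the chain's fingerprints and a list of problems (empty if OK).
    """
    problems = []
    chain = [der for label, der in pem_blocks(chain_pem) if label == "CERTIFICATE"]
    root = [der for label, der in pem_blocks(root_pem) if label == "CERTIFICATE"]
    signing = [der for label, der in pem_blocks(signing_pem) if label == "CERTIFICATE"]
    if len(root) != 1:
        problems.append("root-ca.pem should hold exactly one certificate, found %d" % len(root))
    if len(signing) != 1:
        problems.append("signing-ca.pem should hold exactly one certificate, found %d" % len(signing))
    expected = {fingerprint(d) for d in root + signing}
    found = {fingerprint(d) for d in chain}
    for fp in sorted(expected - found):
        problems.append("chain-ca.pem is missing certificate %s" % fp)
    for fp in sorted(found - expected):
        problems.append("chain-ca.pem contains unexpected certificate %s" % fp)
    if len(chain) != len(found):
        problems.append("chain-ca.pem contains a duplicate certificate")
    return {"chain": [fingerprint(d) for d in chain], "problems": problems}


def private_key_blocks(pem_text):
    """Labels of any private-key blocks in a PEM file. Must be empty for a trust store."""
    return [label for label, _ in pem_blocks(pem_text) if "PRIVATE KEY" in label]


# Constructed sample data: placeholder payloads stand in for real DER certificates
# and a real key so the checks run offline. These are NOT valid X.509 objects.
def _pem(label, payload):
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


ROOT_CA_PEM = _pem("CERTIFICATE", b"constructed placeholder for the root CA DER")
SIGNING_CA_PEM = _pem("CERTIFICATE", b"constructed placeholder for the signing CA DER")
CHAIN_CA_PEM = SIGNING_CA_PEM + ROOT_CA_PEM           # a chain-ca.pem that matches its parts
BAD_CHAIN_PEM = SIGNING_CA_PEM                        # signing CA only: root CA missing
TRUSTSTORE_PEM_OK = ROOT_CA_PEM + SIGNING_CA_PEM      # a trust store: certificates only
TRUSTSTORE_PEM_LEAKY = TRUSTSTORE_PEM_OK + _pem("PRIVATE KEY", b"constructed placeholder key")

if __name__ == "__main__":
    print(check_chain_ca(CHAIN_CA_PEM, ROOT_CA_PEM, SIGNING_CA_PEM))
    print(check_chain_ca(BAD_CHAIN_PEM, ROOT_CA_PEM, SIGNING_CA_PEM)["problems"])
    print(private_key_blocks(TRUSTSTORE_PEM_LEAKY))
```

Run against the real files, check_chain_ca reports any certificate missing from or foreign to chain-ca.pem, and private_key_blocks on ssl_usertruststore.pem should return an empty list; a non-empty result means private key material ended up in a file that is distributed as a trust store.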

KMIP Tokens Added in 6.2.0

External key store (KMIP) tokens were also added as part of release 6.2.0. The KMIP tokens are used for authentication and communication with an external key store. The tokens are contained in /opt/mapr/conf/tokens. Tokens must be copied to all the CLDB nodes in the cluster.

Key Stores and Trust Stores in Release 6.1.0

The following files are generated by running configure.sh -dare -genkeys on a CLDB node. Alternatively, you can generate them by running the manageSSLKeys.sh script. The ssl_keystore, ssl_keystore.p12, ssl_keystore.pem, ssl_truststore, ssl_truststore.p12, and ssl_truststore.pem files are also generated during installation of the Web server, even if you did not enable security. For more information, see Enabling Security.

cldb.key
Location: /opt/mapr/conf
Description: The CLDB key file. This file must exist on all CLDB nodes and be identical.
dare.master.key
Location: /opt/mapr/conf
Description: The key file that enables data-at-rest encryption. The dare.master.key file is generated only if data-at-rest encryption is enabled on the cluster. This file must be copied to all the nodes with the CLDB service installed.
maprserverticket
Location: /opt/mapr/conf
Description: The server ticket. This file must exist on all cluster nodes and be identical.
ssl-client.xml
Location (symlink): /opt/mapr/conf
Location (file): ${MAPR_HOME}/hadoop/hadoop-<version>/etc/hadoop/ssl-client.xml
Description: Contains the SSL configuration for the client in XML format.
ssl_keystore
Location: /opt/mapr/conf
Description: This file is needed on all nodes where the webserver is running.
ssl_keystore.p12
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_keystore.p12 and ssl_truststore.p12 files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The .p12 files are required to generate the .pem files needed by Grafana and the Data Access Gateway. This step is necessary only for manual upgrades.
ssl_keystore.pem
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_truststore.pem and ssl_keystore.pem files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The Data Access Gateway, Grafana, and Hue components use these files. This step is necessary only for manual upgrades.
ssl-server.xml
Location (symlink): /opt/mapr/conf
Location (file): ${MAPR_HOME}/hadoop/hadoop-<version>/etc/hadoop/ssl-server.xml
Description: Contains the SSL configuration for the server in XML format.
ssl_truststore
Location: /opt/mapr/conf
Description: Contains the certificates required by nodes initiating communication over TLS.
ssl_truststore.p12
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_keystore.p12 and ssl_truststore.p12 files, and copy them to the /opt/mapr/conf directory on all nodes in the cluster. The .p12 files are required to generate the .pem files needed by Grafana and the Data Access Gateway. This step is necessary only for manual upgrades.
ssl_truststore.pem
Location: /opt/mapr/conf
Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_truststore.pem and ssl_keystore.pem files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The Data Access Gateway, Grafana, and Hue components use these files. This step is necessary only for manual upgrades.
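Several entries above impose cross-node requirements: cldb.key and maprserverticket must exist on the relevant nodes and be identical, and every copied key store must carry appropriate ownership and permissions. The script below is an added example, not MapR/HPE code, that turns those requirements into a check: it builds a manifest (SHA-256 and permission bits) of a conf directory, flags required files that are missing, flags private key material readable by group or others (an assumed hardening baseline; the page itself does not state the expected mode), and diffs the manifest of a node against the security master's. The demo directories and their contents are constructed, with two faults planted on the node so the output shows what a finding looks like.

```python
"""Inventory and cross-node consistency check for /opt/mapr/conf security files.

Added example (not MapR/HPE code). Standard library only. The directory
contents built by build_demo_dirs() are constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile

# Files the page says every node (or every CLDB node) must carry.
REQUIRED_FILES = ["cldb.key", "maprserverticket", "ssl_keystore", "ssl_truststore"]
# Files holding private key material. Assumption: nothing here should be
# readable by group or others; the page only says "appropriate" permissions.
PRIVATE_FILES = {"cldb.key", "dare.master.key", "maprserverticket",
                 "ssl_keystore", "ssl_keystore.p12", "ssl_keystore.pem",
                 "ssl_userkeystore", "ssl_userkeystore.p12", "ssl_userkeystore.pem"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(conf_dir, required=REQUIRED_FILES):
    """Return {"files": {name: {"sha256", "mode"}}, "missing": [...], "too_open": [...]}.

    `mode` holds the permission bits only (e.g. 0o600). Files in PRIVATE_FILES
    that grant any group/other access are listed under "too_open".
    """
    files, missing, too_open = {}, [], []
    for name in sorted(set(required) | set(os.listdir(conf_dir))):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            if name in required:
                missing.append(name)
            continue  # subdirectories such as ca/ and tokens/ are skipped
        mode = stat.S_IMODE(os.stat(path).st_mode)
        files[name] = {"sha256": _sha256(path), "mode": mode}
        if name in PRIVATE_FILES and mode & 0o077:
            too_open.append(name)
    return {"files": files, "missing": missing, "too_open": too_open}


def compare_manifests(master, node, must_match=("cldb.key", "maprserverticket")):
    """Names from `must_match` whose content differs (or is absent) between master and node."""
    mismatched = []
    for name in must_match:
        a = master["files"].get(name, {}).get("sha256")
        b = node["files"].get(name, {}).get("sha256")
        if a != b:
            mismatched.append(name)
    return mismatched


def build_demo_dirs():
    """Constructed sample: a security master and one node with deliberate faults.

    On the node, maprserverticket differs from the master's copy, cldb.key is
    world-readable, and ssl_truststore was never copied. Returns (master_dir, node_dir).
    """
    master = tempfile.mkdtemp(prefix="conf-master-")
    node = tempfile.mkdtemp(prefix="conf-node-")
    content = {"cldb.key": b"constructed cldb key", "maprserverticket": b"constructed ticket",
               "ssl_keystore": b"constructed keystore", "ssl_truststore": b"constructed truststore"}
    for name, data in content.items():
        path = os.path.join(master, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o600)
    for name in ("cldb.key", "maprserverticket", "ssl_keystore"):
        data = b"constructed ticket (stale)" if name == "maprserverticket" else content[name]
        path = os.path.join(node, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o644 if name == "cldb.key" else 0o600)
    return master, node


def audit(master_dir, node_dir):
    """Run both checks for one node and return its findings."""
    master, node = build_manifest(master_dir), build_manifest(node_dir)
    return {"missing": node["missing"], "too_open": node["too_open"],
            "mismatched": compare_manifests(master, node)}


if __name__ == "__main__":
    master_dir, node_dir = build_demo_dirs()
    print(audit(master_dir, node_dir))
```

In practice you would run build_manifest on each node against /opt/mapr/conf, ship the resulting dicts back to one place, and call compare_manifests with the security master's manifest as the reference; extend must_match with the ssl_* files for nodes that are supposed to carry identical copies of them.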