Key and Trust Store Password Protection

This section describes how keystore and truststore passwords are protected.

Password Protection in Release 6.2.0 and Earlier Releases

In release 6.2.0 and earlier releases of the HPE Ezmeral Data Fabric, key and trust store passwords are stored in clear text in the Hadoop ssl-server.xml and ssl-client.xml configuration files. They are the same for both key and trust stores. The following example shows how the passwords (in boldface) are configured in ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/ssl-server.xml.

<configuration> 
...  
<property> 
  <name>ssl.server.truststore.password</name> 
  <value>AB8F93FAA45393F84BD358d0</value> 
  <description>Optional. Default value is "". 
  </description> 
</property> 
... 
<property> 
  <name>ssl.server.keystore.password</name> 
  <value>AB8F93FAA45393F84BD358d0</value> 
  <description>Must be specified. 
  </description> 
</property> 
<property> 
  <name>ssl.server.keystore.keypassword</name> 
  <value>AB8F93FAA45393F84BD358d0</value> 
  <description>Must be specified. 
  </description> 
</property> 
... 
</configuration>

Key store protection for release 6.2.0 and earlier is by file permissions. There is no protection for trust store passwords since the file permissions are world readable. Using the same password for both key and trust stores is undesirable. Key stores contain sensitive private keys that should be made available only to server applications that need them. Trust stores contain certificates that should be made available to server and client applications.

=

Password Protection in Release 7.0.0 and Later

In release 7.0.0, distinct passwords are generated: One for the key store and one for the trust store. Note that the key store password (used to protect the entire keystore) and key store key password (used to protect the keys in the keystore) are the same. Many applications expect them to be the same, especially for P12 key stores.

The following example shows how passwords (shown in boldface) are configured in release 7.0.0 in ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/ssl-server.xml in a non-secure installation. (In secure installations, the clear-text passwords are removed from these configuration files and kept in the Hadoop Credentials stores.)
<configuration> 
...  
<property> 
  <name>ssl.server.truststore.password</name> 
  <value>895FA43FE91344DB98/_K35</value> 
  <description>Optional. Default value is "". 
  </description> 
</property> 
... 
<property> 
  <name>ssl.server.keystore.password</name> 
  <value>AB8F93FAA45393F84BD358d0</value> 
  <description>Must be specified. 
  </description> 
</property> 
<property> 
  <name>ssl.server.keystore.keypassword</name> 
  <value>AB8F93FAA45393F84BD358d0</value> 
  <description>Must be specified. 
  </description> 
</property> 
... 
</configuration>