Merging Trust Stores

Use the manageSSLKeys.sh merge command to merge two trust stores. This operation is required if you configure cross-cluster connectivity for server nodes or for client nodes that connect to multiple clusters.

Parameters for the manageSSLKeys.sh merge command are as shown below.

/opt/mapr/server/manageSSLKeys.sh merge \ 
    <in trust store> <out trust store> [inPassword [outPassword]]

The following table describes each manageSSLKeys.sh merge parameter:

Parameter	Description
`In trust store`	The input trust store for the destination cluster. Before running the command, copy the trust store from the destination cluster to a file in the current cluster.
`Out trust store`	The output trust store for the current cluster. This is typically `/opt/mapr/conf/ssl_truststore.bcfks` for FIPS-enabled nodes or `/opt/mapr/conf/ssl_truststore` for secure non-FIPS nodes.
`inPassword`	The password for `in trust store` or the path to a file containing the password.
`outPassword`	The password for `out trust store` or the path to a file containing the password.

The following example shows how to use the manageSSLKeys.sh merge command. Before merging the trust stores, note the two certificates: one for the root CA and the other for the server certificate.

# keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks \ 
    -storepass eEJz0u2_Bmp46UrH_gH90rjjqT_LJu0u \ 
    -storetype bcfks \ 
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \ 
    -providername BCFIPS 
Keystore type: BCFKS 
Keystore provider: BCFIPS 

Your keystore contains 2 entries 

fips0.cluster.com, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 09:D6:4C:9C:2A:E7:B3:81:65:1B:C4:B2:90:29:FD:DF:79:F5:B8:DD:76:24:64:B9:54:43:1C:B1:07:79:72:B9 
fips0.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): D3:88:9C:92:E8:A4:AA:C2:20:6B:B2:13:32:6C:BC:B4:40:E4:0C:6C:34:B1:43:DA:1D:44:BC:2C:48:28:60:1C

First copy the trust store for the other cluster to a location in the directory path. Use the keytool command to verify the contents of the trust store to be merged. You will need the trust store password of the remote cluster.

# keytool -list -keystore ssl_truststore.bcfks.fips1 \ 
    -storepass xjxL_K9qfrbsfH6TSscizoSiFSVMLECg \ 
    -storetype bcfks \ 
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \ 
    -providername BCFIPS 

Keystore type: BCFKS 
Keystore provider: BCFIPS 

Your keystore contains 2 entries 

fips1.cluster.com, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): BD:BB:7B:C2:2F:2E:C7:26:7E:D2:BF:DF:CA:8B:CA:D5:2A:01:7C:CC:4D:46:45:22:7C:98:07:9A:51:80:21:EB 
fips1.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 46:45:28:69:73:CB:10:06:42:B9:9C:55:F2:44:0F:70:4D:A2:1D:8B:20:45:17:C4:47:D0:51:F8:30:74:7D:9A

Next merge the trust stores. In this example, ssl_truststore.bcfks.fips1 is the trust store for the remote cluster to be connected.

# /opt/mapr/server/manageSSLKeys.sh merge \ 
    ssl_truststore.bcfks.fips1 /opt/mapr/conf/ssl_truststore.bcfks \ 
    xjxL_K9qfrbsfH6TSscizoSiFSVMLECg \ 
    eEJz0u2_Bmp46UrH_gH90rjjqT_LJu0u 
Merging certificates from ssl_truststore.bcfks.fips1 into existing /opt/mapr/conf/ssl_truststore.bcfks

After the command completes successfully, use the keytool command to verify that the trust stores are successfully merged.

# keytool -list -keystore ssl_truststore.bcfks \ 
    -storepass eEJz0u2_Bmp46UrH_gH90rjjqT_LJu0u \ 
    -storetype bcfks \ 
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ 
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \ 
    -providername BCFIPS 
Keystore type: BCFKS 
Keystore provider: BCFIPS 

Your keystore contains 4 entries 

fips0.cluster.com, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 09:D6:4C:9C:2A:E7:B3:81:65:1B:C4:B2:90:29:FD:DF:79:F5:B8:DD:76:24:64:B9:54:43:1C:B1:07:79:72:B9 
fips0.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): D3:88:9C:92:E8:A4:AA:C2:20:6B:B2:13:32:6C:BC:B4:40:E4:0C:6C:34:B1:43:DA:1D:44:BC:2C:48:28:60:1C 
fips1.cluster.com, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): BD:BB:7B:C2:2F:2E:C7:26:7E:D2:BF:DF:CA:8B:CA:D5:2A:01:7C:CC:4D:46:45:22:7C:98:07:9A:51:80:21:EB 
fips1.cluster.com-root-ca-chain, Sep 17, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 46:45:28:69:73:CB:10:06:42:B9:9C:55:F2:44:0F:70:4D:A2:1D:8B:20:45:17:C4:47:D0:51:F8:30:74:7D:9A