Password Protection with the Hadoop Credential Provider API

This section describes the credential stores on FIPS-enabled and secure non-FIPS-enabled hosts.

The previous section shows how separate key store and trust store passwords are stored on a non-secure host. On a secure host, those passwords no longer appear in clear text in the Hadoop SSL configuration files (ssl-client.xml and ssl-server.xml). Instead, they are stored as encrypted entries in credential stores and resolved at run time through the Hadoop Credential Provider API (Configuration.getPassword()). The credential store is itself a password-protected keystore file: in stock Hadoop the store password comes from the HADOOP_CREDSTORE_PASSWORD environment variable or a configured password file, and a built-in default is used when neither is set, so the file ownership and permissions on the store files remain an essential part of the protection.

Credential Stores on a FIPS-Enabled Host

On a FIPS-enabled host, the credential stores are in BCFKS format.

Key Store Passwords
The key store passwords are encrypted in the BCFKS key credential store, ${MAPR_HOME}/conf/maprkeycreds.bcfks. To view the aliases in the BCFKS key credential store:

hadoop credential list -provider \
    localbcfks://file/opt/mapr/conf/maprkeycreds.bcfks

The command lists the four key store aliases:

ssl.server.keystore.password
ssl.server.keystore.keypassword
ssl.client.keystore.password
ssl.client.keystore.keypassword
Trust Store Passwords
The trust store passwords are encrypted in the BCFKS trust credential store, ${MAPR_HOME}/conf/maprtrustcreds.bcfks. To view the aliases in the BCFKS trust credential store:

hadoop credential list -provider \
    localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks

The command lists the two trust store aliases:

ssl.server.truststore.password
ssl.client.truststore.password
If you omit the -provider option, the hadoop credential list command reads hadoop.security.credential.provider.path from core-site.xml and operates on the first non-transient provider listed there. Which aliases you see without -provider therefore depends on the order of that list; pass -provider explicitly whenever you need to be certain which store you are reading.
Key and Trust Store Providers
The Hadoop core-site.xml file, ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/core-site.xml, is configured with both BCFKS credential store providers (the key store first, then the trust store):

<configuration>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>localbcfks://file/opt/mapr/conf/maprkeycreds.bcfks,localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks</value>
    <description>Location of the key and trust store credential files</description>
  </property>
</configuration>

Credential Stores on a Non-FIPS-Enabled Host

On a non-FIPS-enabled host, the credential stores are in JCEKS format.

Key Store Passwords
The key store passwords are encrypted in the JCEKS key credential store, ${MAPR_HOME}/conf/maprkeycreds.jceks. To view the aliases in the JCEKS key credential store:

hadoop credential list -provider \
    localjceks://file/opt/mapr/conf/maprkeycreds.jceks

The command lists the four key store aliases:

ssl.server.keystore.password
ssl.server.keystore.keypassword
ssl.client.keystore.password
ssl.client.keystore.keypassword
Trust Store Passwords
The trust store passwords are encrypted in the JCEKS trust credential store, ${MAPR_HOME}/conf/maprtrustcreds.jceks. To view the aliases in the JCEKS trust credential store:

hadoop credential list -provider \
    localjceks://file/opt/mapr/conf/maprtrustcreds.jceks

The command lists the two trust store aliases:

ssl.server.truststore.password
ssl.client.truststore.password
If you omit the -provider option, the hadoop credential list command reads hadoop.security.credential.provider.path from core-site.xml and operates on the first non-transient provider listed there. Which aliases you see without -provider therefore depends on the order of that list; pass -provider explicitly whenever you need to be certain which store you are reading.
Key and Trust Store Providers
The Hadoop core-site.xml file, ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/core-site.xml, is configured with both JCEKS credential store providers (the key store first, then the trust store):

<configuration>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>localjceks://file/opt/mapr/conf/maprkeycreds.jceks,localjceks://file/opt/mapr/conf/maprtrustcreds.jceks</value>
    <description>Location of the key and trust store credential files</description>
  </property>
</configuration>
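The following program is an added example, not MapR code, showing the two halves of the mechanism described above for the non-FIPS (JCEKS) case: populating a local JCEKS credential store with the four key store aliases, then resolving one of them through Configuration.getPassword(), which is the call Hadoop services make instead of reading the password out of ssl-server.xml. It uses only the stock hadoop-common API (localjceks:// provider, CredentialProviderFactory, Configuration.getPassword). The store path under /tmp and the placeholder secret are assumptions for the demo; the localbcfks:// provider used on FIPS hosts is a MapR-specific provider and is not exercised here.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Added example (not part of the MapR documentation or code base).
 * Creates a JCEKS credential store holding the four key store aliases
 * listed on this page and resolves one of them via the Credential
 * Provider API, the same path a Hadoop service takes for
 * ssl.server.keystore.password.
 */
public class CredentialStoreDemo {

    // The four key store aliases from the page.
    static final String[] KEY_ALIASES = {
        "ssl.server.keystore.password",
        "ssl.server.keystore.keypassword",
        "ssl.client.keystore.password",
        "ssl.client.keystore.keypassword",
    };

    public static void main(String[] args) throws IOException {
        // Assumed demo location. On a real cluster this is
        // ${MAPR_HOME}/conf/maprkeycreds.jceks.
        File store = new File("/tmp/demo-maprkeycreds.jceks");
        String providerUri = "localjceks://file" + store.getAbsolutePath();

        // Equivalent of the hadoop.security.credential.provider.path
        // property in core-site.xml, limited to one store for the demo.
        Configuration conf = new Configuration();
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUri);

        // Placeholder secret for the demo only; never hard-code a real password.
        char[] secret = "change-me".toCharArray();

        // The first provider in the path is the one the CLI also acts on
        // when -provider is omitted.
        List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
        CredentialProvider provider = providers.get(0);

        // Equivalent of "hadoop credential create <alias> -provider <uri>"
        // for each alias; skip aliases that already exist.
        for (String alias : KEY_ALIASES) {
            if (provider.getCredentialEntry(alias) == null) {
                provider.createCredentialEntry(alias, secret);
            }
        }
        provider.flush(); // writes the encrypted store to disk

        // Equivalent of "hadoop credential list -provider <uri>".
        System.out.println("Aliases in " + providerUri + ":");
        for (String alias : provider.getAliases()) {
            System.out.println("  " + alias);
        }

        // What ssl-server.xml consumers call: the value is resolved from the
        // configured provider path, not from a clear-text XML value.
        char[] resolved = conf.getPassword("ssl.server.keystore.password");
        boolean present = resolved != null && resolved.length > 0;
        System.out.println("ssl.server.keystore.password resolved: "
            + (present ? "yes (" + resolved.length + " chars)" : "no"));

        // Scrub secrets from memory once they are no longer needed.
        Arrays.fill(secret, '\0');
        if (resolved != null) {
            Arrays.fill(resolved, '\0');
        }
    }
}
```

Compile and run it with the hadoop-common jar and its dependencies on the classpath (for example, `hadoop classpath`). Two points worth checking afterwards on a real host: the store file is written with owner-only permissions, so confirm the owner is the service account that runs the Hadoop daemons, and set HADOOP_CREDSTORE_PASSWORD (or the password-file property) rather than relying on the default store password.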