Encrypt the Oozie Keystore Password
About this task
IMPORTANT This component is deprecated. Hewlett Packard
Enterprise recommends using an alternate product. Deprecated components are either in
maintenance or have reached the end of their maintenance lifecycle. For more information,
see Discontinued Ecosystem Components.
Starting from Oozie 5.1.0.0, follow these steps to encrypt the keystore password when Oozie is configured to use SSL.
NOTE Oozie 5.1.0.0 is configured to use SSL by default on secure clusters.
Procedure
- [OPTIONAL] Export the Hadoop credential store password as a system variable:
  $ export HADOOP_CREDSTORE_PASSWORD=password
- Add oozie.https.keystore.pass to the jceks keystore:
  $ hadoop credential create oozie.https.keystore.pass -provider jceks://path/to/oozie.jceks
  Enter the password:
  Enter the password again:
  oozie.https.keystore.pass has been successfully created.
  org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
- Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file along with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>jceks://path/to/oozie.jceks</value>
  </property>
- Update the password property to use ***** instead of a word-readable password:
  <property>
    <name>oozie.https.keystore.pass</name>
    <value>*****</value>
  </property>
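To confirm the result of the procedure, the following added example (not part of the original page and not HPE code) audits an oozie-site.xml for the two properties set in the last two steps. The function names, the CHECK_STORE variable and the sample configuration are assumptions made for this example.

```bash
# Added example, not HPE's code: audit oozie-site.xml after the procedure above.

# Print the <value> of property $2 in Hadoop-style config file $1 (status 1 if absent).
get_prop() {
  tr -d '\n' < "$1" | awk -v name="$2" '
    { n = split($0, props, "</property>")
      for (i = 1; i <= n; i++) {
        p = props[i]
        if (!match(p, /<name>[^<]*<\/name>/)) continue
        key = substr(p, RSTART + 6, RLENGTH - 13)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key != name || !match(p, /<value>[^<]*<\/value>/)) continue
        val = substr(p, RSTART + 7, RLENGTH - 15)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; found = 1; exit
      } }
    END { exit !found }'
}

# Report deviations from the last two steps; never echoes the password value itself.
audit_oozie_site() (
  rc=0
  provider=$(get_prop "$1" hadoop.security.credential.provider.path) || provider=
  pass=$(get_prop "$1" oozie.https.keystore.pass) || pass=
  case $provider in
    jceks://*) ;;
    *) echo "FAIL: hadoop.security.credential.provider.path is missing or not a jceks:// URI"; rc=1 ;;
  esac
  [ "$pass" = '*****' ] || { echo "FAIL: oozie.https.keystore.pass is not masked as *****"; rc=1; }
  # Opt-in (CHECK_STORE is this example's own variable): confirm the alias exists in the store.
  if [ "${CHECK_STORE:-0}" = 1 ] && [ "$rc" -eq 0 ]; then
    hadoop credential list -provider "$provider" 2>/dev/null |
      grep -q 'oozie\.https\.keystore\.pass' ||
      { echo "FAIL: alias oozie.https.keystore.pass not found in $provider"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "OK: $1"
)

# Constructed sample config; $1 is the value to place in oozie.https.keystore.pass.
sample_site() {
  cat <<EOF
<configuration>
  <property><name>hadoop.security.credential.provider.path</name>
    <value>jceks://path/to/oozie.jceks</value></property>
  <property><name>oozie.https.keystore.pass</name>
    <value>$1</value></property>
</configuration>
EOF
}
```

Source the file and run audit_oozie_site against your oozie-site.xml; set CHECK_STORE=1 on a node with the hadoop client to also list the credential store.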
What to do next
NOTE You can use the same jceks file for storing both database and keystore passwords.