Enabling Security
Describes how to enable security for the cluster, platform, ecosystem components, and network-based connections.
About this task
The following steps enable:
- Security for the cluster nodes
- Wire-level encryption for the platform and ecosystem components
- Authentication for all network-based connections
- (Optional) Data-at-rest encryption on the cluster
These steps DO NOT enable security for client nodes. For client-installation information, see Setting Up Clients and Services.
Use one of the following procedures based on the composition
of nodes in your cluster:
Enabling Security When All Nodes Are Non-FIPS
About this task
Use these steps to enable security for a cluster in which all nodes are non-FIPS-enabled nodes:
Procedure
- If the cluster is running, shut it down.
-
If you are re-running the
configure.shscript because of an invocation error from a previous run, remove the following files from${MAPR_HOME}/conf(if they are present) if you want to re-generate the CLDB key, server ticket, and certificates:- All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
maprkeycreds.jceksmaprtrustcreds.jceksssl_keystore, ssl_keystore.p12ssl_truststore, ssl_truststore.p12ssl_userkeystoressl_usertruststore
- All other files in
${MAPR_HOME}/confthat are generated and configured on the first CLDB node:- All PEM files:
ssl_keystore-signed.pemandssl_userkeystore-signed.pem - All files in the
${MAPR_HOME}/conf/tokensdirectory (but not thetokens/directory itself) maprserverticketmapruserticket- The
store-passwords.txtfile containing the clear-text passwords, if not already removed
- All PEM files:
cd /opt/mapr/conf rm -rf cldb.key maprserverticket mapruserticket ssl-client.xml \ ssl_keystore ssl_truststore ssl-server.xml *.bcfks *.pem tokens/* \ store-passwords.txt - All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
-
Run the
configure.shscript with the-secure -genkeys -dareoptions on the first CLDB node in your cluster:/opt/mapr/server/configure.sh -secure -dare -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>where both<Zookeeper_node_list>and<CLDB_node_list>have the formhostname[:port_no][,hostname[:port_no]...] and -N <cluster_name>specifies the cluster name. For the hostname, specify an FQDN as described in Connectivity. Do not specify an alias or IP address. The-dareoption is required only if you wish to enable data-at-rest encryption at the cluster-level.IMPORTANT You must runconfigure.shwith the-genkeysoption only after it is on one CLDB node. The resulting files should be generated only once and then copied to other nodes.NOTE The DARE master key is generated in thetokens/directory only if data at rest encryption is enabled on the cluster using the-dareoption withconfigure.sh.TIP For a comprehensive listing of the Trust and Key Store files, see Understanding the Key Store and Trust Store Files. -
Copy files to the destination nodes as follows:
- If your cluster consists of all secure non-FIPS-enabled nodes, use
the following table as a guide to copy files to the destination
nodes which are the nodes where the
-genkeysoption is not used to generate keys.
1If you are running Data Fabric 7.0.0.5 or later, theDestination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper Nodes conf/maprhsm.confconf/maprkeycreds.confconf/maprkeycreds.jceksconf/maprserverticketconf/maprtrustcreds.confconf/maprtrustcreds.jceksconf/private.key1conf/public.crt1conf/ssl_keystoreconf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_keystore-signed.pemconf/ssl_truststoreconf/ssl_truststore.p12conf/ssl_truststore.pemconf/ssl_userkeystoreconf/ssl_userkeystore.p12conf/ssl_userkeystore.pemconf/ssl_userkeystore-signed.pemconf/ssl_usertruststoreconf/ssl_usertruststore.p12conf/ssl_usertruststore.pemconf/tokens(use a command such asscp -rto copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/maprhsm.confconf/maprkeycreds.confconf/maprkeycreds.jceksconf/maprserverticketconf/maprtrustcreds.confconf/maprtrustcreds.jceksconf/private.key1conf/public.crt1conf/ssl_keystoreconf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_keystore-signed.pemconf/ssl_truststoreconf/ssl_truststore.p12conf/ssl_truststore.pemconf/ssl_userkeystoreconf/ssl_userkeystore.p12conf/ssl_userkeystore.pemconf/ssl_userkeystore-signed.pemconf/ssl_usertruststoreconf/ssl_usertruststore.p12conf/ssl_usertruststore.pem
private.keyandpublic.crtare not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the/opt/mapr/conf/ssl_usertruststoreperforms this function and is present on all nodes.
- If your cluster consists of all secure non-FIPS-enabled nodes, use
the following table as a guide to copy files to the destination
nodes which are the nodes where the
-
Run
configure.shon each existing node in the cluster using the same arguments as in Step 3 but without the-genkeysoption.
The/opt/mapr/server/configure.sh -secure -dare -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>-secureoption indicates that security must be enabled on the node where the command is run. The-dareoption indicates that data at rest encryption must be enabled on the node and must be specified only if it was specified in Step 3.IMPORTANT- You must also do this on any nodes that you add to the cluster in the future.
- If you run
configure.sh -secureon a node before you copy the necessary files to that node, the command fails.
- Optionally, enable encrypted quorum ZooKeeper communication. See zoo.cfg for more information.
Enabling Security When All Nodes Are FIPS
About this task
Use these steps to enable security for a cluster in which all nodes are FIPS-enabled:
Procedure
- If the cluster is running, shut it down.
-
If you are re-running the
configure.shscript because of an invocation error from a previous run, remove the following files from${MAPR_HOME}/conf(if they are present) if you want to re-generate the CLDB key, server ticket, and certificates:- All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
maprkeycreds.bcfksmaprtrustcreds.bcfksssl_keystore (symlink), ssl_keystore.bcfksssl_truststore (symlink), ssl_truststore.bcfksssl_userkeystore (symlink), ssl_userkeystore.bcfksssl_usertruststore (symlink), ssl_usertruststore.bcfks
- All other files in
${MAPR_HOME}/confthat are generated and configured on the first CLDB node:- All PEM files:
ssl_keystore-signed.pemandssl_userkeystore-signed.pem - All files in the
${MAPR_HOME}/conf/tokensdirectory (but not thetokens/directory itself) maprserverticketmapruserticket- The
store-passwords.txtfile containing the clear-text passwords, if not already removed
- All PEM files:
cd /opt/mapr/conf rm -rf cldb.key maprserverticket mapruserticket ssl-client.xml \ ssl_keystore ssl_truststore ssl-server.xml *.bcfks *.pem tokens/* \ store-passwords.txt - All key and trust stores. The files differ depending on whether the
node is FIPS enabled. FIPS-enabled nodes use BCFKS key and trust
stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key and trust
stores:
-
Run the
configure.shscript with the-secure -genkeys -dareoptions on the first CLDB node in your cluster:/opt/mapr/server/configure.sh -secure -dare -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>where both<Zookeeper_node_list>and<CLDB_node_list>have the formhostname[:port_no][,hostname[:port_no]...] and -N <cluster_name>specifies the cluster name. For the hostname, specify an FQDN as described in Connectivity. Do not specify an alias or IP address. The-dareoption is required only if you wish to enable data at rest encryption at the cluster-level.IMPORTANT You must runconfigure.shwith the-genkeysoption only once on one CLDB node, since the resulting files should be generated only once and then copied to other nodes.NOTE The DARE master key is generated in thetokens/directory only if data at rest encryption is enabled on the cluster using the-dareoption withconfigure.sh.TIP For a comprehensive listing of the Trust and Key Store files, see Understanding the Key Store and Trust Store Files. -
Copy files to the destination nodes as follows:
- If your cluster consists of all FIPS-enabled nodes, use the
following table as a guide to copy files to the destination nodes
(the nodes where the
-genkeysoption is not used to generate keys):Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper Nodes conf/maprhsm.confconf/maprkeycreds.bcfksconf/maprkeycreds.confconf/maprserverticketconf/maprtrustcreds.bcfksconf/maprtrustcreds.confconf/private.key2conf/public.crt2conf/ssl_keystore.bcfks1conf/ssl_keystore-signed.pem1conf/ssl_keystore.p121conf/ssl_keystore.pem1conf/ssl_truststore.bcfks1conf/ssl_truststore.p121conf/ssl_truststore.pem1conf/ssl_userkeystore.bcfks1conf/ssl_userkeystore.pem1conf/ssl_userkeystore-signed.pem1conf/ssl_usertruststore.bcfks1conf/ssl_usertruststore.pem1conf/tokens(usescp -rto copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/maprhsm.confconf/maprkeycreds.bcfksconf/maprkeycreds.confconf/maprserverticketconf/maprtrustcreds.bcfksconf/maprtrustcreds.confconf/private.key2conf/public.crt2conf/ssl_keystore.bcfks1conf/ssl_keystore.p121conf/ssl_keystore.pem1conf/ssl_keystore-signed.pem1conf/ssl_truststore.bcfks1conf/ssl_truststore.p121conf/ssl_truststore.pem1conf/ssl_userkeystore.bcfks1conf/ssl_userkeystore.p121conf/ssl_userkeystore.pem1conf/ssl_userkeystore-signed.pem1conf/ssl_usertruststore.bcfks1conf/ssl_usertruststore.p121conf/ssl_usertruststore.pem1
1Do NOT copy thessl_symlink files contained in theconf/directory. The symlinks are:ssl_keystore(symlink)ssl_truststore(symlink)ssl_userkeystore(symlink)ssl_usertruststore(symlink)
2If you are running Data Fabric 7.0.0.5 or later, the
private.keyandpublic.crtare not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the/opt/mapr/conf/ssl_usertruststoreperforms this function and is present on all nodes.
- If your cluster consists of all FIPS-enabled nodes, use the
following table as a guide to copy files to the destination nodes
(the nodes where the
-
Run
configure.shon each existing node in the cluster using the same arguments as in Step 3 but without the-genkeysoption.
The/opt/mapr/server/configure.sh -secure -dare -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>-secureoption indicates that security must be enabled on the node where the command is run. The-dareoption indicates that data at rest encryption must be enabled on the node and must be specified only if it was specified in Step 3.IMPORTANT- You must also do this on any nodes that you add to the cluster in the future.
- If you run
configure.sh -secureon a node before you copy the necessary files to that node, the command fails.
- Optionally, enable encrypted quorum ZooKeeper communication. See zoo.cfg for more information.
Enabling Security for a Mix of FIPS and Secure Non-FIPS Nodes
About this task
A mixed cluster is a cluster consisting of both FIPS-enabled and secure non-FIPS enabled nodes. Since the key and trust store formats are different between FIPS-enabled and secure non-FIPS enabled nodes, the BCFKS stores from FIPS-enabled nodes cannot be copied directly to secure non-FIPS enabled nodes, or vice versa. The Hadoop Credential stores also cannot be copied between FIPS-enabled and secure non-FIPS enabled nodes.
For a mixed configuration, you must:
- Generate the key and trust store, and user key and trust stores if
required, on the secure non-FIPS node using the new
${MAPR_HOME}/server/manageSSLKeys.sh convertutility:- After adding a FIPS-enabled node to a cluster consisting of only
non-FIPS enabled nodes, generate the BCFKS key and trust stores
on the non-FIPS enabled node. Copy them to the
${MAPR_HOME}/confdirectory of the FIPS-enabled node before runningconfigure.sh. - After adding a secure non-FIPS enabled node to a cluster consisting of only FIPS-enabled nodes, copy the BCFKS key and trust stores from the FIPS-enabled node to a temporary location in the secure non-FIPS enabled node. Generate the JKS key and trust store on the secure non-FIPS enabled node.
- After adding a FIPS-enabled node to a cluster consisting of only
non-FIPS enabled nodes, generate the BCFKS key and trust stores
on the non-FIPS enabled node. Copy them to the
- Run the
configure.shwith the-storepasswdsoption on the node being configured to generate the credential stores.
Enabling Security for the First CLDB Node
About this task
-secure flag is not specified to the
configure.sh script.Procedure
- If the cluster is running, shut it down.
-
If you are re-running the
configure.shscript because of an invocation error from a previous run, remove the following files from${MAPR_HOME}/conf(if they are present) if you want to re-generate the CLDB key, server ticket, and certificates:- All key and trust stores. The files differ depending on whether
the node is FIPS enabled. FIPS-enabled nodes use BCFKS key and
trust stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key
and trust stores:
FIPS Secure Non-FIPS maprkeycreds.bcfksmaprkeycreds.jceksmaprtrustcreds.bcfksmaprtrustcreds.jceksssl_keystore (symlink), ssl_keystore.bcfksssl_keystore, ssl_keystore.p12ssl_truststore (symlink), ssl_truststore.bcfksssl_truststore, ssl_truststore.p12ssl_userkeystore (symlink), ssl_userkeystore.bcfksssl_userkeystoressl_usertruststore (symlink), ssl_usertruststore.bcfksssl_usertruststore - All other files in
${MAPR_HOME}/confthat are generated and configured on the first CLDB node:- All PEM files:
ssl_keystore-signed.pemandssl_userkeystore-signed.pem - All files in the
${MAPR_HOME}/conf/tokensdirectory (but not thetokens/directory itself) maprserverticketmapruserticket- The
store-passwords.txtfile containing the clear-text passwords, if not already removed
- All PEM files:
cd /opt/mapr/conf rm -rf cldb.key maprserverticket mapruserticket ssl-client.xml \ ssl_keystore ssl_truststore ssl-server.xml *.bcfks *.pem tokens/* \ store-passwords.txt - All key and trust stores. The files differ depending on whether
the node is FIPS enabled. FIPS-enabled nodes use BCFKS key and
trust stores, while secure non-FIPS nodes use JKS/JCEKS/P12 key
and trust stores:
-
Run the
configure.shscript with the-secure -genkeys -dareoptions on the first CLDB node in your cluster:/opt/mapr/server/configure.sh -secure -dare -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list> -N <cluster_name>where both<Zookeeper_node_list>and<CLDB_node_list>have the formhostname[:port_no][,hostname[:port_no]...] and -N <cluster_name>specifies the cluster name. For the hostname, specify an FQDN as described in Connectivity. Do not specify an alias or IP address. The-dareoption is required only if you wish to enable data at rest encryption at the cluster-level.IMPORTANT You must runconfigure.shwith the-genkeysoption only once on one CLDB node, since the resulting files should be generated only once and then copied to other nodes.NOTE The DARE master key is generated in thetokens/directory only if data at rest encryption is enabled on the cluster using the-dareoption withconfigure.sh.
Enabling Security for Additional Cluster Nodes
About this task
To enable security for additional cluster nodes, run
configure.sh without the -genkeys
option after copying the required files to the node. For a mixed
configuration, first create the key and trust stores on the secure non-FIPS
node using the ${MAPR_HOME}/server/manageSSLKeys.sh convert
utility. Then copy these stores to the key and trust stores of the
additional cluster node: - If you are connecting an additional secure non-FIPS cluster node to
the first FIPS-enabled cluster node, copy the
ssl_keystore.bcfksandssl_truststore.bcfksfrom the${MAPR_HOME}/confdirectory of the first FIPS-enabled cluster node to the node being configured. Then run themanageSSLKeys.sh convertutility from the secure non-FIPS node. Copy the converted JKS key and trust stores to the additional secure non-FIPS cluster node (or simply specify the destination key/trust store as${MAPR_HOME}/conf/ssl_keystoreand${MAPR_HOME}/conf/ssl_truststorerespectively in the${MAPR_HOME}/server/manageSSLKeys.sh convertutility). - If you are connecting an additional FIPS-enabled cluster node to the
first secure non-FIPS cluster node, copy the JKS
ssl_keystoreandssl_truststorefrom the${MAPR_HOME}/confdirectory of the first secure non-FIPS cluster node to a temporary directory of the first node. Then run themanageSSLKeys.sh convertutility from the first secure non-FIPS node. Copy the converted BCFKS key and trust stores to the${MAPR_HOME}/confdirectory of the additional FIPS-enabled cluster node.
Adding a FIPS-Enabled Server to a FIPS Cluster
About this task
To connect a FIPS-enabled server to a cluster consisting of at least one FIPS-enabled node.
Procedure
-
Copy the following files from the existing FIPS-enabled server to the
new FIPS server:
Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper nodes conf/ssl_keystore.bcfksconf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_truststore.bcfksconf/ssl_truststore.p12conf/ssl_truststore.pemconf/maprkeycreds.bcfksconf/maprkeycreds.confconf/maprtrustcreds.bcfksconf/maprtrustcreds.confconf/maprhsm.confconf/maprhsm.confconf/maprserverticketconf/tokens(usescp -rto copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/ssl_keystore.bcfksconf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_truststore.bcfksconf/ssl_truststore.p12conf/ssl_truststore.pemconf/maprkeycreeds.bcfksconf/maprkeycreds.confconf/maprtrustcreds.bcfksconf/maprtrustcreds.confconf/maprhsm.confconf/maprserverticket-
conf/ca(use a command such asscp -rto copy everything in this folder)
CAUTION Do NOT copyconf/ssl_keystoreandconf/ssl_truststore. These are symbolic links tossl_keystore.bcfksandssl_truststore.bcfks, which will be generated by configure.sh.CAUTION When adding a non-FIPS node to a FIPS cluster, DO NOT copy the Hadoopssl*.xmlfiles to the other cluster nodes. ThemanageSSLKeys.shscript (invoked byconfigure.sh) uses the store type to determine if FIPS is enabled and assumes the system is FIPS-enabled if the store type is BCFKS. Copying the Hadoopssl*files that are set to the BCFKS store type from a FIPS node to a non-FIPS node causes theconfigure.shscript to fail. -
Run
configure.shwithout the-genkeysoption. For example, if the cluster name isfips0.cluster.comand the CLDB and ZooKeeper nodes are atm2-mapreng-vm166250, then the command is:/opt/mapr/server/configure.sh -secure -N fips0.cluster.com \ -C m2-mapreng-vm166250:7222
Adding a Secure Non-FIPS Server to a FIPS Cluster
About this task
Non-FIPS enabled nodes do not support the BCFKS trust store format. Copying the BCFKS trust store from a FIPS-enabled server to the non-FIPS enabled server that is being added will not work. Create the JKS trust store on the non-FIPS server by importing the same keys and certificates that are in the BCFKS key and trust stores on the existing FIPS-enabled server host. Different configuration procedures apply depending on whether you are configuring for the first cluster or for subsequent clusters.
Procedure
-
Copy the following files from an existing FIPS-enabled node in the
cluster to the new non-FIPS node being added:
Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper nodes conf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_truststore.p12conf/ssl_truststore.pemconf/maprkeycreds.confconf/maprtrustcreds.confconf/maprhsm.confconf/maprserverticketconf/tokens(usescp -rto copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_truststore.p12conf/ssl_truststore.pemconf/maprkeycreds.confconf/maprtrustcreds.confconf/maprhsm.confconf/maprserverticket-
conf/ca(use a command such asscp -rto copy everything in this folder)
CAUTION When adding a non-FIPS node to a FIPS cluster, DO NOT copy the Hadoopssl*.xmlfiles to the other cluster nodes. ThemanageSSLKeys.shscript (invoked byconfigure.sh) uses the store type to determine if FIPS is enabled and assumes the system is FIPS-enabled if the store type is BCFKS. Copying the Hadoopssl*files that are set to the BCFKS store type from a FIPS node to a non-FIPS node causes theconfigure.shscript to fail. -
Copy the following key store, trust store, userkey store, and usertrust
store files from the FIPS-enabled server to a temporary directory of the
secure non-FIPS enabled server being added:
${MAPR_HOME}/conf/ssl_keystore.bcfks${MAPR_HOME}/conf/ssl_truststore.bcfks${MAPR_HOME}/conf/ssl_userkeystore.bcfks${MAPR_HOME}/conf/ssl_usertruststore.bcfks
-
Run the
manageSSLKeys.sh convertutility to convert the key and trust store (and userkey and usertruststore) from BCFKS format to JKS format. The destination key and trust store will be set to the same password as the source key/trust store. You can obtain the key and trust store passwords from thestore-passwords.txtfile. For example:# /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /tmp/ssl_keystore.bcfks /opt/mapr/conf/ssl_keystore # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /tmp/ssl_truststore.bcfks /opt/mapr/conf/ssl_truststore # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /tmp/ssl_userkeystore.bcfks /opt/mapr/conf/ssl_userkeystore # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /tmp/ssl_usertruststore.bcfks /opt/mapr/conf/ssl_usertruststore -
Run the
configure.shscript without the-genkeysoption on the secure non-FIPS enabled server being added, using the-storepasswdsoption to specify the key and trust store passwords. Since the converted key and trust stores are set to the same password as the source, the passwords must be the same as the passwords you specified using the-poption in step 3. For example:# /opt/mapr/server/configure.sh -secure \ -N hpe186.cluster.com \ -C m2-mapreng-vm167186:7222 \ -Z m2-mapreng-vm167186:5181 \ -storepasswds \ VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC:1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA
Adding a FIPS Server to a Secure Non-FIPS Cluster
About this task
Use the following steps to connect a FIPS-enabled server to a cluster consisting of only secure non-FIPS enabled nodes:,
Procedure
-
Copy the following files from an existing secure non-FIPS node in the
cluster to the FIPS-enabled server being added:
Destination Node Type Copy these files under ${MAPR_HOME} to the destination node . . . CLDB and/or ZooKeeper nodes conf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_truststore.p12conf/ssl_truststore.pemconf/maprkeycreds.confconf/maprtrustcreds.confconf/maprhsm.confconf/maprserverticketconf/tokens(usescp -rto copy everything in this folder)
All other cluster nodes, including MFS-only nodes conf/ssl_keystore.p12conf/ssl_keystore.pemconf/ssl_truststore.p12conf/ssl_truststore.pemconf/maprkeycreds.confconf/maprtrustcreds.confconf/maprhsm.confconf/maprserverticketconf/ca(use a command such asscp -rto copy everything in this folder)
CAUTION When adding a non-FIPS node to a FIPS cluster, DO NOT copy the Hadoopssl*.xmlfiles to the other cluster nodes. ThemanageSSLKeys.shscript (invoked byconfigure.sh) uses the store type to determine if FIPS is enabled and assumes the system is FIPS-enabled if the store type is BCFKS. Copying the Hadoopssl*files that are set to the BCFKS store type from a FIPS node to a non-FIPS node causes theconfigure.shscript to fail. -
On the secure non-FIPS enabled server in the existing cluster, run the
manageSSLKeys.sh convertutility to convert the key and trust store (and userkey and usertruststore) from JKS to BCFKS format. You can obtain the key and trust store passwords from thestore-passwords.txtfile. For example:# /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /opt/mapr/conf/ssl_keystore /tmp/ssl_keystore.bcfks # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /opt/mapr/conf/ssl_truststore /tmp/ssl_truststore.bcfks # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC \ /opt/mapr/conf/ssl_userkeystore /tmp/ssl_userkeystore.bcfks # /opt/mapr/server/manageSSLKeys.sh convert \ -srcType JKS -dstType bcfks \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /opt/mapr/conf/ssl_usertruststore /tmp/ssl_usertruststore.bcfks -
Copy the converted
.bcfksfiles from the secure non-FIPS server to the FIPS server being added as follows:Copy this converted file . . . To this location on the FIPS server . . . ssl_keystore.bcfks/opt/mapr/conf/ssl_keystore.bcfksssl_userkeystore.bcfks/opt/mapr/conf/ssl_userkeystore.bcfksssl_truststore.bcfks/opt/mapr/conf/ssl_truststore.bcfksssl_usertruststore.bcfks/opt/mapr/conf/ssl_usertruststore.bcfks -
Run
configure.shwithout the-genkeysoption on the FIPS enabled server being added, using the-storepasswdsoption to specify the key and trust store passwords. Since the converted BCFKS key and trust store is set to the same password as the source, the passwords must be the same as the passwords specified using the-poption in step 2. For example:/opt/mapr/server/configure.sh -secure \ -N hpe186.cluster.com \ -C m2-mapreng-vm167186:7222 \ -Z m2-mapreng-vm167186:5181 \ -storepasswds \ VccOl_Qhg3Ix6tLaRJhzr_b53judiaKC:1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA