manageSSLKeys.sh

Use the manageSSLKeys.sh utility to create and manage SSL certificates.

Syntax

# /opt/mapr/server/manageSSLKeys.sh
manageSSLKeys.sh is a tool to create and manage the SSL certificates.
It is run once on the first node from configure.sh
Usage: manageSSLKeys and one of
       create [-d DNSDOMAIN] [-N clustername] [-k keypass] [-t trustpass] -ug <maprUserGroup>
              creates the SSL key and trust stores needed for HTTPS traffic
              -d specifies DNS domain used in wildcard certificate. Default
                 is detected from Local OS
              -N clustername
              -k password for key store or file containing the key store password
              -t password for trust store or file containing the trust store password
              -ug MapR user/group, e.g., mapr:mapr
       createcreds [-k keypass] -t trustpass -ug <maprUserGroup>
              creates the key and trust store credential files maprkeycreds and maprtrustcreds. This
              is normally used in mixed FIPS and non-FIPS configurations in addition to the convert utility.
              -k key store password. If not specified, the key credential file will not be created
              -t trust store password for creating the trust credential file. This is required
              -ug MapR user/group, e.g., mapr:mapr. This is required
       secureconfig [-N clustername] [-ug <maprUserGroup>] [-clientonly true|false] [-k keypass] [-t trustpass]
              Completes the secure configuration process. For internal use only
              -N clustername
              -ug MapR user/group, e.g., mapr:mapr
              -clientonly <true or false>
              -keypass Key store password. If specified, this overrides the key store password in the XML files
              -trustpass Trust store password. If specified, this overrides the trust store password in the XML files
       merge <in trust store> <out trust store> <inPassword> <outPassword>
             merges the certificates from the in trust store into the existing out trust store
             All arguments are required
       copytruststore <outputFile> <password for local trust store> [password for output (if different from local)]
       copywithconfiguredpassword (deprecated in 7.0, use changepassword instead) <srcStore> <destStore> <srcPassword>
       createrandompassword (deprecated in 7.0, use changepassword instead) [oldPassword (needed to override default password)]
       changepassword [-k <oldKeyPassword>] [-kp <newKeyPassword>] [-t <oldTrustPassword>] [-tp <newTrustPassword>]
              change key password or trust password or both
              -k password for key store or file containing the key store password
              -kp new password for key store, can only be used with -k option. If -k is used without -kp,
                  a new random password will be generated for key store
              -t password for trust store or file containing the trust store password
              -tp new password for trust store, can only be used with -t option. If -t is used without -tp,
                  a new random password will be generated for trust store
              (For a client node - must use both  -t old -tp new    and no -k )
       createusercert -u <user> -ug <maprUserGroup> [ -p <truststorepw> ] [ -k <keystorepw> ] [ -a <alias> ] [ -s <sanInfo> ]
              add a cert for specified user to the existing ssl_user[key|trust]stores.
              -a alias name for certificate
              -p password for trust store or file containing trust store password
              -k password for key store or file containing key store password
              -s SAN info to add to certificate - like 'DNS.1 = *.mydomain'
              -u user name to create certificate for
              -ug MapR user/group, e.g., mapr:mapr
       createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
              -N <clustername>
              -d specifies DNS domain used in wildcard certificate. Default
                 is detected from Local OS
              -p password for trust store or file containing trust store password
              -ug MapR user/group, e.g., mapr:mapr
       convert [-N <clustername> ] [-k] [-n] -p <passwd> [-srcType JKS|bcfks|pkcs12] [-dstType JKS|bcfks|pkcs12] <in key/trust store> <out key/trust store>
              converts an existing key/trust store from one store type to another. If
              the destination store type is pkcs12, this creates a new PEM type key/trust store
              if srcType and dstType are not specified, it is assumed that you are
              converting from JKS to PEM via pkcs12
              -N <clustername>
              -a denotes the certificate alias you want to convert
              -k denotes you are converting a keystore
              -n do not create a PEM type key/trust store
              -p <passwd> store password. This is required
              -srcType JKS|bcfks|pkcs12 denotes the source format of the store
              -dstType JKS|bcfks|pkcs12 denotes the destination format of the store

Operations

manageSSLKeys.sh performs the following operations:
changepassword
Description: Changes the key password or trust password or both.
Format: changepassword [-k <oldKeyPassword>] [-kp <newKeyPassword>] [-t <oldTrustPassword>] [-tp <newTrustPassword>]
Parameters:
  • -k: Password for the key store or file containing the key store password.
  • -kp: New password for the key store (can only be used with the -k option). If -k is used without -kp, a new random password is generated for the key store.
  • -t: Password for the trust store or a file containing the trust store password.
  • -tp: New password for the trust store (can only be used with the -t option). If -t is used without -tp, a new random password is generated for the trust store.
For a client node, you must use both -t (old) and -tp (new) and no -k. For more information about using changepassword, see Changing Key and Trust Store Passwords.
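The usage text above notes that -k and -t accept either a literal password or a file containing it, and that -kp/-tp pair with -k/-t while a client node uses only -t and -tp. The wrapper below is an added example (not part of manageSSLKeys.sh or its documentation) that keeps passwords out of argv by writing them to mode-0600 files and checks those option pairings before composing the changepassword call; MSSL, MSSL_DRY_RUN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the manageSSLKeys.sh tool. Assumptions: MSSL points at
# the script; MSSL_DRY_RUN=1 prints the composed command instead of running it,
# so this block also runs on a host without a MapR installation.
MSSL="${MSSL:-/opt/mapr/server/manageSSLKeys.sh}"
MSSL_DRY_RUN="${MSSL_DRY_RUN:-1}"

# Write a secret to a mode-0600 temp file and print its path, so the password is
# handed to -k/-t as a file name rather than appearing in argv and in `ps` output.
write_pass_file() {
    f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/mssl.XXXXXX") || return 1
    printf '%s' "$1" > "$f" && printf '%s\n' "$f"
}

# Compose "changepassword" following the pairing rules in the usage text:
# -kp only with -k, -tp only with -t, and on a client node only -t/-tp (no -k).
# $1 = server|client, $2 = old key pw (or file) or "", $3 = new key pw or "",
# $4 = old trust pw (or file) or "", $5 = new trust pw or "".
changepassword_cmd() {
    role=$1 oldk=$2 newk=$3 oldt=$4 newt=$5
    set -- "$MSSL" changepassword
    if [ "$role" = client ]; then
        [ -z "$oldk" ] && [ -n "$oldt" ] && [ -n "$newt" ] ||
            { echo "client node: use -t and -tp only, no -k" >&2; return 2; }
    fi
    [ -n "$newk" ] && [ -z "$oldk" ] && { echo "-kp requires -k" >&2; return 2; }
    [ -n "$newt" ] && [ -z "$oldt" ] && { echo "-tp requires -t" >&2; return 2; }
    [ -n "$oldk" ] && set -- "$@" -k "$oldk"
    [ -n "$newk" ] && set -- "$@" -kp "$newk"
    [ -n "$oldt" ] && set -- "$@" -t "$oldt"
    [ -n "$newt" ] && set -- "$@" -tp "$newt"
    if [ "$MSSL_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
```

Omitting -kp (or -tp) while supplying -k (or -t) is valid and, per the usage text, makes the tool generate a random new password for that store.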
convert
Description: Converts an existing key/trust store into a new PEM type key/trust store. If you do not specify the type of the source and the destination key/trust store, it is assumed that you are converting from JKS to PEM (via pkcs12).
Format: convert [-N <clustername> ] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
Parameters:
  • -N: Cluster name.
  • -a: Certificate alias to convert.
  • -k: Indicates that a keystore is being converted.
  • -p: Password of the existing key/trust store.
  • -srcType: Format of the source key/trust store - either JKS or pkcs12.
  • -dstType: Format of the destination key/trust store - either JKS or pkcs12.
  • in key/trust store: The existing key/trust store to convert.
  • out key/trust store: The name to use for the converted key/trust store.
copytruststore
Description: Makes a copy of the existing trust store on the node on which this command is run.
Format: copytruststore <outputFile> [password]
Parameters:
  • outputFile: The file in which to store the copy of the trust store.
  • password: The password of the trust store being copied.
copywithconfiguredpassword
Description: Copies the source trust store to the destination trust store and secures the destination with the existing destination trust store password.
Format: copywithconfiguredpassword <srcStore> <destStore> <srcPassword>
Parameters:
  • srcStore: Source trust store to copy.
  • destStore: Destination trust store.
  • srcPassword: The password of the source trust store.
create
Description: Creates the SSL key and trust stores needed for HTTPS traffic.
Format: create [-d DNSDOMAIN] [-N clustername] [-p password] -ug <maprUserGroup>
Parameters:
  • -d: DNS domain used for the wildcard certificate. The default domain is detected from the local OS.
  • -N: Name of the cluster.
  • -p: Password to use for the SSL key.
  • -ug: User:Group to use for the key. For example: mapr:mapr.
createcreds
Description: Creates the key and trust store credential files maprkeycreds and maprtrustcreds. This command is normally used in mixed FIPS and non-FIPS configurations, together with the convert operation.
Format: createcreds [-k keypass] -t trustpass -ug <maprUserGroup>
Parameters:
  • -k: Key store password. If not specified, the key credential file is not created.
  • -t: Trust store password for creating the trust credential file. This parameter is required.
  • -ug: Cluster administrator user and group (for example, mapr:mapr). This parameter is required.
createusercert
Description: Adds a certificate for the specified user to the existing SSL user key or trust store.
Format: createusercert -u <user> -ug <maprUserGroup> [ -p <truststorepw> ] [ -k <keystorepw> ] [ -a <alias> ] [ -s <sanInfo> ]
Parameters:
  • -a: Alias name for the certificate.
  • -p: Password for the trust store or a file containing the trust store password.
  • -k: Password for the key store or a file containing the key store password.
  • -s: SAN information to add to the certificate (for example: 'DNS.1 = *.mydomain').
  • -u: User name for which to create the certificate.
  • -ug: Cluster administrator user and group (for example, mapr:mapr).
createusercerts
Description: Creates SSL user certificates.
Format: createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
Parameters:
  • -p: Password to use for the SSL user certificate.
  • -N: Name of the cluster.
  • -d: DNS domain used for the wildcard certificate. The default domain is detected from the local OS.
  • -ug: User:Group to use for the certificate. For example: mapr:mapr.
merge
Description: Merges the SSL certificates from the in trust store into the existing out trust store.
Format: merge <in trust store> <out trust store> [inPasswordFile]
Parameters:
  • in trust store: Source trust store from which to obtain the SSL certificates.
  • out trust store: Existing destination trust store into which the SSL certificates are merged.
  • inPasswordFile: File containing the password for the source trust store.
secureconfig
Description: Completes the secure configuration process. For internal use only.
Format: secureconfig [-N clustername] [-ug <maprUserGroup>] [-clientonly true|false] [-k keypass] [-t trustpass]
Parameters:
  • -N: Cluster name.
  • -ug: Cluster administrator user and group (for example, mapr:mapr).
  • -clientonly: true or false.
  • -keypass: Key store password. If specified, this value overrides the key store password in the XML files.
  • -trustpass: Trust store password. If specified, this value overrides the trust store password in the XML files.

Examples

The following links demonstrate using the manageSSLKeys.sh utility.