Understanding the Key Store and Trust Store Files

Provides a comprehensive listing of the key store and trust store files.

Key Stores and Trust Stores Added for Release 7.0.0

Release 7.0.0 added the following key store and trust store files to support FIPS compliance. For Java applications, the Bouncy Castle BCFKS key and trust stores are used. This is new for release 7.0.0. For non-Java applications, the existing PKCS#12 key and trust stores, as well as PEM files are used.

As part of Enabling Security, you must copy the key and trust stores, as well as the associated key and trust store credentials, from the /opt/mapr/conf directory of the first CLDB node to the /opt/mapr/conf directory on all other server nodes. For client-only nodes, only copy the trust stores and the associated trust store credentials.

maprkeycreds.bcfks: Location: /opt/mapr/conf; Description: On FIPS-enabled nodes, the encrypted key store that contains passwords used to access the ssl_keystore andssl_userkeystore.
maprkeycreds.jceks: Location: /opt/mapr/conf; Description: On non-FIPS-enabled nodes, the encrypted key store that contains passwords used to access the ssl_keystore andssl_userkeystore.
maprtrustcreds.bcfks: Location: /opt/mapr/conf; Description: On FIPS-enabled nodes, the encrypted trust store that contains passwords used to access the ssl_truststore and ssl_usertruststore.
maprtrustcreds.jceks: Location: /opt/mapr/conf; Description: On non-FIPS-enabled nodes, the encrypted trust store that contains passwords used to access the ssl_truststore and ssl_usertruststore.
ssl_keystore.bcfks: Location: /opt/mapr/conf; Description: On FIPS-enabled nodes, the encrypted key store that is generated by configure.sh and used by various data-fabric server-side components for TLS 1.2 communication.
ssl_truststore.bcfks: Location: /opt/mapr/conf; Description: On FIPS-enabled nodes, the encrypted trust store that is generated by configure.sh and used by various data-fabric server-side components for TLS 1.2 communication.
ssl_userkeystore.bcfks: Location: /opt/mapr/conf; Description: On FIPS-enabled nodes, the encrypted key store containing the private keys and the certificates for log-monitoring users.
ssl_usertruststore.bcfks: Location: /opt/mapr/conf; Description: On FIPS-enabled nodes, the encrypted trust store containing the public keys, and no private keys, for log-monitoring users.

Key Stores and Trust Stores Added for Release 6.2.0

The following key store and trust store files were added at release 6.2.0 to support SSL security for the log stack (Kibana, Elasticsearch, and Fluentd). As part of Enabling Security, you must copy these files from the /opt/mapr/conf directory of the security master node to the /opt/mapr/conf directory on all other nodes, and assign the appropriate ownership and permissions.

ssl_userkeystore: Location: /opt/mapr/conf; Description: The key store containing the private keys and the certificates for log-stack users.
ssl_userkeystore.csr: Location: /opt/mapr/conf; Description: The certificate-signing request created when the certs are signed using the CA chain.
ssl_userkeystore.p12: Location: /opt/mapr/conf; Description: The PKCS#12 version of the ssl_userkeystore. The .p12 version of the file is reserved for future use.
ssl_userkeystore.pem: Location: /opt/mapr/conf; Description: The key store containing all of the certs from the ssl_userkeystore in the .pem format.
ssl_userkeystore-signed.pem: Location: /opt/mapr/conf; Description: The key store containing all of the signed certs from the ssl_userkeystore in the .pem format.
ssl_usertruststore: Location: /opt/mapr/conf; Description: The trust store containing the public keys, and no private keys, for the log-stack users.
ssl_usertruststore.p12: Location: /opt/mapr/conf; Description: The PKCS#12 version of the ssl_usertruststore. The .p12 version of the file is reserved for future use.
ssl_usertruststore.pem: Location: /opt/mapr/conf; Description: The key store containing all of the certs from the ssl_usertruststore in the .pem format.

Certificate Files in 6.2.0

The following files were added at release 6.2.0 to facilitate self-signing of data-fabric certificates. Previously, data-fabric certificates were unsigned. As part of Enabling Security, you must copy these files from the /opt/mapr/conf directory of the security master node to the /opt/mapr/conf directory on all other nodes, and assign the appropriate ownership and permissions:

root-ca.pem: Location: /opt/mapr/conf/ca; Description: The root signing certificate authority.
chain-ca.pem: Location: /opt/mapr/conf/ca; Description: The chain certificate authority, which contains both the root CA and signing CA.
signing-ca.pem: Location: /opt/mapr/conf/ca; Description: The signing certificate authority.

KMIP Tokens Added in 6.2.0

External key store (KMIP) tokens were also added as part of release 6.2.0. The KMIP tokens are used for authentication and communication with an external key store. The tokens are contained in /opt/mapr/conf/tokens. Tokens must be copied to all the CLDB nodes in the cluster.

Key Stores and Trust Stores in Release 6.1.0

The following files are generated by running configure.sh -dare -genkeys on a CLDB node. Alternatively, you can generate them by running the manageSSLKeys.sh script. The ssl_keystore, ssl_keystore.p12, ssl_keystore.pem, ssl_truststore, ssl_truststore.p12, and ssl_truststore.pem files are also generated during installation of the Web server, even if you did not enable security. For more information, see Enabling Security.

cldb.key: Location: /opt/mapr/conf; Description: The CLDB key file. This file must exist on all CLDB nodes and be identical. Releases 7.0.0 and later no longer use this key file. For more information, see Protection of CLDB and DARE Master Keys.
dare.master.key: Location: /opt/mapr/conf; Description: The key file that enables data-at-rest encryption. The dare.master.key file is generated only if data-at-rest encryption is enabled on the cluster. This file must be copied to all the nodes with the CLDB service installed.
maprserverticket: Location: /opt/mapr/conf; Description: The server ticket. This file must exist on all cluster nodes and be identical.
ssl-client.xml: Location (symlink): /opt/mapr/conf; Location (file): ${MAPR_HOME}/hadoop/hadoop-<version>/etc/hadoop/ssl-client.xml; Description: Contains the SSL configuration for the client in XML format.
ssl_keystore: Location: /opt/mapr/conf; Description: This file is needed on all nodes where the webserver is running.
ssl_keystore.p12: Location: /opt/mapr/conf; Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_keystore.p12 and ssl_truststore.p12 files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The .p12 files are required to generate the .pem files needed by Grafana and the Data Access Gateway. This step is necessary only for manual upgrades.
ssl_keystore.pem: Location: /opt/mapr/conf; Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_truststore.pem and ssl_keystore.pem files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The Data Access Gateway, Grafana, and Hue components use these files. This step is necessary only for manual upgrades.
ssl-server.xml: Location (symlink): /opt/mapr/conf; Location (file): ${MAPR_HOME}/hadoop/hadoop-<version>/etc/hadoop/ssl-server.xml; Description: Contains the SSL configuration for the server in XML format.
ssl_truststore: Location: /opt/mapr/conf; Description: contains the certificates required by nodes initiating communication over TLS.
ssl_truststore.p12: Location: /opt/mapr/conf; Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_keystore.p12 and ssl_truststore.p12 files, and copy them to the /opt/mapr/conf directory on all nodes in the cluster. The .p12 files are required to generate the .pem files needed by Grafana and the Data Access Gateway. This step is necessary only for manual upgrades.
ssl_truststore.pem: Location: /opt/mapr/conf; Description: When upgrading from Core 5.2.2 or Core 6.0.x to data-fabric 6.1 or later, create the ssl_truststore.pem and ssl_keystore.pem files. Copy them to the /opt/mapr/conf directory on all nodes in the cluster. The Data Access Gateway, Grafana, and Hue components use these files. This step is necessary only for manual upgrades.