Motivation
I expanded my tool for enabling wire encryption in the HDP cluster.
https://github.com/stanislawbartkowski/hdpwiredencryption
Previously, only self-signed certificates were supported. I added automation for CA-signed certificates. Important: it works only if the CA-signed certificate package follows the supported format.
There are two paths possible: self-signed certificates and CA-signed certificates.
Self-signed certificates
- ./run.sh 0 Creates self-signed certificates and truststores for every node.
- ./run.sh 1 Creates and distributes the all-client truststore.
- ./run.sh 2 Secures keystores and truststores. Applies owner and Linux permissions.
CA-signed certificates
- ./run.sh 3 Creates self-signed certificates and a CSR (Certificate Signing Request) for every node.
- Manual step. Send all CSRs to the CA for signing. The CA-signed certificates should be stored in the designated format.
- ./run.sh 4 Imports the CA-signed certificates into the corresponding keystores, replacing the self-signed certificates. Truststores are created.
- ./run.sh 1 Creates and distributes the all-client truststore.
- ./run.sh 2 Secures keystores and truststores.
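A check that can be run after ./run.sh 2, as an added example (not code from the hdpwiredencryption project): it flags keystores and truststores whose Linux mode is looser than an assumed policy. The *keystore.jks and *truststore.jks file names, the mode policy and the function name audit_stores are assumptions, not taken from the tool.

```shell
#!/bin/sh
# Added example: audit store permissions after keystores/truststores are secured.
# Assumed layout (hypothetical, not from the tool): files named
# "*keystore.jks" and "*truststore.jks" somewhere under one directory.

# Print every store whose mode is looser than the assumed policy:
#   keystore   (holds the private key): no access for "other", no group write
#   truststore (public certs only):     may be world-readable, owner-writable only
# Exit status: 0 = nothing to report, 1 = findings, 2 = bad argument.
audit_stores() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # -perm /MASK matches when any bit of MASK is set (GNU find syntax).
        find "$dir" -type f -name '*keystore.jks' -perm /027 |
            sed 's/^/KEYSTORE_TOO_OPEN /'
        find "$dir" -type f -name '*truststore.jks' -perm /022 |
            sed 's/^/TRUSTSTORE_WRITABLE /'
        # A symlinked store can resolve to a file outside the secured directory.
        find "$dir" -type l -name '*.jks' |
            sed 's/^/SYMLINK /'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# Stand-alone use: sh audit.sh /path/to/stores
if [ "$#" -gt 0 ]; then
    audit_stores "$1"
fi
```

Run it on each node as a user that can list the store directory; a non-zero exit status makes it usable as a gate in a deployment script.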
Bonus
https://github.com/stanislawbartkowski/hdpwiredencryption/wiki
There are a number of pages containing practical steps on how to enable SSL for HDP components. They are based on the documentation but are more practical, drawing on experience.
For instance: