3.2.3. Create and Import Self-Signed Certificate

In small Hadoop clusters, such as a demonstration cluster, you can use self-signed certificates for SSL. Self-signed certificates are less secure than CA-signed ones, and for some services, such as Knox, to work with SSL the self-signed certificate must also be imported into the Java CA store.

  1. Create a self-signed certificate:

    cd $SERVER_KEY_LOCATION ; keytool -genkey -alias $hostname -keyalg RSA -keysize 1024 -dname CN=Hortonworks,OU=hw,O=hw,L=paloalto,ST=ca,C=us -keypass $SERVER_KEYPASS_PASSWORD -keystore $KEYSTORE_FILE -storepass $SERVER_STOREPASS_PASSWORD
  2. Export the certificate to a file.

    cd $SERVER_KEY_LOCATION ; keytool -export -alias $hostname -keystore $KEYSTORE_FILE -rfc -file $CERTIFICATE_NAME -storepass $TRUSTSTORE_PASSWORD
  3. On each host, run the following command to export a certreq file from the host’s keystore:

    keytool -keystore keystore -alias `hostname -s` -certreq -file $host.cert -storepass $hoststorekey -keypass $hostkey
  4. For example, to create self-signed certificates for the Hadoop SSL Keystore Factory on the local host, run:

    mkdir -p /etc/security/serverKeys ; mkdir -p /etc/security/clientKeys 
    cd /etc/security/serverKeys ; keytool -genkey -alias $hostname -keyalg RSA -keysize 1024 -dname "CN=Hortonworks,OU=hw,O=hw,L=paloalto,ST=ca,C=us" -keypass changeit -keystore keystore.jks -storepass changeit
    cd /etc/security/serverKeys ; keytool -export -alias $hostname -keystore keystore.jks -rfc -file $hostname.jks -storepass changeit

    Import the certificates:

    keytool -keystore $hostkeystore -storepass $hoststorekey -alias `hostname -s` -import -file $host.signed -keypass $hostkey

    Push the keystore and truststore files out to the other nodes in the cluster (along with the Hadoop configuration files and the SSL server and client configurations). The first time, you must restart the affected cluster services; afterwards you can push only the keystore and truststore files, and they are reloaded automatically.
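The steps above spread the keytool flow over several commands with shell variables that are not defined on the page. The script below is an added example, not part of the Hortonworks documentation: it performs the same flow (generate a self-signed key pair, export the certificate, import it into a truststore, verify the alias) in a temporary directory. The alias `demo-host`, the DN, the password `changeit`, the file names and the optional `import_into_java_cacerts` helper are all constructed for this example; the cacerts path differs between JDK versions and is passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the Hortonworks documentation: the self-signed
# keystore/truststore flow from the steps above, done end to end with keytool.
# Working directory, alias, DN and password are constructed for this example.
set -eu

# 1. Generate an RSA key pair and a self-signed certificate in a new keystore.
#    2048-bit RSA is used here; the 1024-bit size in the procedure above is
#    below current minimums and is rejected by recent JDKs.
make_self_signed_keystore() {
    keystore=$1; name=$2; storepass=$3
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$name,OU=hw,O=hw,L=paloalto,ST=ca,C=us" \
        -keystore "$keystore" -storepass "$storepass" -keypass "$storepass"
}

# 2. Export the certificate (not the private key) in PEM (-rfc) form so it can
#    be distributed to clients. The password is the keystore's own store
#    password, the one set in step 1.
export_cert() {
    keystore=$1; name=$2; storepass=$3; certfile=$4
    keytool -exportcert -alias "$name" -keystore "$keystore" \
        -storepass "$storepass" -rfc -file "$certfile"
}

# 3. Import the exported certificate into a truststore. -noprompt answers the
#    interactive "Trust this certificate?" question so the step is scriptable.
import_cert() {
    truststore=$1; name=$2; storepass=$3; certfile=$4
    keytool -importcert -noprompt -alias "$name" -file "$certfile" \
        -keystore "$truststore" -storepass "$storepass"
}

# Optional: trust the certificate JVM-wide (needed for services such as Knox).
# The JDK's cacerts file ships with the default password "changeit"; its path
# depends on the JDK version, so the caller supplies it. Not invoked below.
import_into_java_cacerts() {
    name=$1; certfile=$2; cacerts=$3
    keytool -importcert -noprompt -alias "$name" -file "$certfile" \
        -keystore "$cacerts" -storepass changeit
}

# Check: exit 0 if the alias is present in the store, nonzero otherwise
# (keytool -list fails for an unknown alias).
alias_in_store() {
    store=$1; name=$2; storepass=$3
    keytool -list -keystore "$store" -storepass "$storepass" -alias "$name" \
        >/dev/null 2>&1
}

# Run the whole flow in a work directory and verify the truststore contains
# the alias. Returns nonzero if any keytool step fails.
run_demo() {
    workdir=$1; name=${2:-demo-host}; storepass=changeit   # constructed values
    mkdir -p "$workdir"
    make_self_signed_keystore "$workdir/keystore.jks" "$name" "$storepass"
    export_cert "$workdir/keystore.jks" "$name" "$storepass" "$workdir/$name.crt"
    import_cert "$workdir/truststore.jks" "$name" "$storepass" "$workdir/$name.crt"
    alias_in_store "$workdir/truststore.jks" "$name" "$storepass"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo "$(mktemp -d)"
    echo "self-signed keystore and truststore created"
else
    echo "keytool not found; install a JDK to run this example" >&2
fi
```

Keeping each step in its own function makes the password handling explicit: the export and import steps use the store password of the file they open, which is where the procedure above is easy to get wrong when several stores are involved.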
