
0638-6.1.0-Configuring TLS for Cloudera Manager

Fayson
Published 2019-05-23 15:44:55
Column: Hadoop实操

Author: 李继武

1 Purpose of This Document

This document describes how to enable TLS for Cloudera Manager on a CDH cluster that is already installed.

  • Contents

1. Building a Certificate Authority

2. Creating node certificates

3. Configuring the Cloudera Manager Console to use TLS

4. Configuring TLS for the Cloudera Manager Agents

5. Configuring the Cloudera Manager Agents to verify the Server certificate

6. Configuring the Cloudera Manager Server to verify Agent certificates

  • Environment

1. CDH 6.1.0

2. RedHat 7.2

2 Building a Certificate Authority

Most CDH clusters sit on an internal network where a public CA cannot issue certificates for the hosts, so an internal CA is built instead, here with OpenSSL as the certificate authority. The layout is the usual two-tier one: a root CA that signs only an intermediate CA certificate, and an intermediate CA that signs the node certificates. Every key generated below is protected by a passphrase that OpenSSL prompts for; keep the root key and its passphrase off the cluster hosts once the intermediate has been issued.

2.1 Root CA

1. Create a directory to hold the keys and certificates

mkdir /root/ca

2. Create the root CA directory structure in that directory (index.txt is the CA's certificate database, serial the next serial number to issue)

cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

3. Prepare the configuration file /root/ca/openssl.cnf with the following content. Note policy = policy_strict: the root will only sign a request whose Country, State and Organization match its own.

[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

4. Create the root key. -aes256 encrypts the key with a passphrase, which is prompted for here and again every time the root signs something.

cd /root/ca
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

5. Create the root certificate (self-signed, valid for 7300 days, with the v3_ca extensions). Answer the DN prompts carefully: the values you give for Country, State and Organization are the ones policy_strict will require on the intermediate request.

cd /root/ca
openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

6. Inspect the root certificate and confirm it shows CA:TRUE under Basic Constraints and Certificate Sign, CRL Sign under Key Usage

openssl x509 -noout -text -in certs/ca.cert.pem

2.2 Intermediate CA

1. Create an intermediate directory under the root CA directory for the intermediate CA's files

mkdir /root/ca/intermediate

2. Create the intermediate CA directory structure. Compared with the root it also gets a csr directory for incoming requests and a crlnumber file, because the intermediate will issue CRLs.

cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /root/ca/intermediate/crlnumber

3. Prepare the configuration file /root/ca/intermediate/openssl.cnf with the following content. It differs from the root configuration in dir, in the key, certificate and CRL file names, and in policy = policy_loose, which lets the intermediate sign node requests with any DN as long as a Common Name is supplied.

[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir               = /root/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
# The root key and root certificate.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

4. Create the intermediate key

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem

5. Create the intermediate certificate signing request (CSR). Give the same Country, State and Organization as the root certificate, since the root signs under policy_strict and rejects a request where any of these differ; give a different Common Name so the two CA certificates can be told apart. The trailing chmod repeats the one in step 4 and is harmless.

cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem
chmod 400 intermediate/private/intermediate.key.pem

6. Issue the intermediate certificate with the root CA. The v3_intermediate_ca extensions set CA:TRUE with pathlen:0, so the intermediate can sign end-entity certificates but cannot create further CAs.

cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem

7. Inspect the intermediate certificate as you did the root certificate

openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem

8. Verify the intermediate certificate against the root certificate; the command prints OK on success

openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem

9. Create the certificate chain file, intermediate first and root last. Verifying a node certificate with openssl verify -CAfile against this file checks the complete path.

cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

3 Creating Node Certificates

The following steps are performed on every node of the cluster.

1. Set the JAVA_HOME environment variable

export JAVA_HOME=/usr/java/jdk1.8.0_141-cloudera
export PATH=$PATH:$JAVA_HOME/bin

2. Create the directory that holds the certificates

mkdir -p /opt/cloudera/security/pki

3. Generate the Java keystore with the node's key pair. keytool prompts for the keystore password (changeit throughout this walkthrough, see section 7); press Enter at the key password prompt so the key uses the same password, which the PKCS#12 export in section 7 relies on. The C value of the DN must be a two-letter ISO 3166 country code (CN for China; zh is a language code, not a country code).

$JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=dev,O=macro,L=sz,ST=gd,C=CN" -ext san=dns:$(hostname -f)

4. Generate a certificate signing request (CSR) from the keystore, asking for a DNS Subject Alternative Name and the serverAuth and clientAuth extended key usages (the node certificate serves both as server certificate and as the agent's client certificate)

$JAVA_HOME/bin/keytool -certreq -alias $(hostname -f) -keystore /opt/cloudera/security/pki/$(hostname -f).jks -file /opt/cloudera/security/pki/$(hostname -f).csr -ext san=dns:$(hostname -f) -ext EKU=serverAuth,clientAuth

5. Send each node's /opt/cloudera/security/pki/$(hostname -f).csr to the self-built CA server (hadoop12 here)

scp /opt/cloudera/security/pki/$(hostname -f).csr hadoop12:/root/ca/intermediate/csr

6. On the CA server, issue a certificate for each node's CSR as follows.

Edit /root/ca/intermediate/openssl.cnf and add subjectAltName = DNS:{that node's host name} under [ server_cert ], for example subjectAltName = DNS:hadoop12 for the request signed below. This is needed because openssl ca does not carry over the SAN requested in the CSR unless copy_extensions is set in the CA configuration; without this line the issued certificate has no SAN and hostname verification fails. Since the line names one host, it has to be changed before every signing.

Issue the certificate for that node with:


代码语言:javascript
复制
openssl ca -config /root/ca/intermediate/openssl.cnf \
      -extensions server_cert \
      -days 3000 \
      -notext \
      -in /root/ca/intermediate/csr/hadoop12.csr \
      -out /root/ca/intermediate/certs/hadoop12.pem

Issue the certificates for the remaining nodes in the same way, updating the subjectAltName each time.

7. Copy each certificate back to the /opt/cloudera/security/pki directory of its node

scp /root/ca/intermediate/certs/hadoop12.pem hadoop12:/opt/cloudera/security/pki/

8. Inspect the certificate on every node

openssl x509 -in /opt/cloudera/security/pki/$(hostname -f).pem -noout -text

The output must show the node's host name under X509v3 Subject Alternative Name (DNS:<host name>), both TLS Web Server Authentication and TLS Web Client Authentication under X509v3 Extended Key Usage, and the intermediate CA as Issuer.

9. Copy the root and intermediate CA certificates to the /opt/cloudera/security/pki directory of every node, renamed to rootca.pem and intca.pem (the two commands below show one file each; both files go to every node)

scp /root/ca/certs/ca.cert.pem hadoop12:/opt/cloudera/security/pki/rootca.pem
scp /root/ca/intermediate/certs/intermediate.cert.pem hadoop13:/opt/cloudera/security/pki/intca.pem

10. Copy the JDK's cacerts file to jssecacerts. The Java runtime uses jssecacerts in preference to cacerts when it exists, so the stock file stays untouched by the changes below.

cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

11. Import the root CA certificate into jssecacerts. keytool asks for the truststore password; the JDK default for cacerts, and therefore for this copy, is changeit.

sudo $JAVA_HOME/bin/keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts -file /opt/cloudera/security/pki/rootca.pem

12. Append the intermediate CA certificate to the node certificate and import the result into the Java keystore. The file is now a chain (node certificate followed by the intermediate); importing it under the key's alias replaces the self-signed certificate keytool generated with the CA-issued chain, so the server will present the intermediate together with its own certificate.

sudo cat /opt/cloudera/security/pki/intca.pem >> /opt/cloudera/security/pki/$(hostname -f).pem
sudo $JAVA_HOME/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks

13. Create a symlink with the fixed name agent.pem, which the agent configuration in section 7 points at

ln -s /opt/cloudera/security/pki/$(hostname -f).pem /opt/cloudera/security/pki/agent.pem

14. On the Cloudera Manager Server node, also create the symlink server.jks, which the Cloudera Manager settings in section 4 point at

ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks
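The CA side of sections 2 and 3 as one runnable script, an added example that is not code from the original post: it builds the root and intermediate CA non-interactively in a scratch directory, signs one node CSR, and then runs the checks that step 8 above expects a node certificate to pass. It assumes openssl 1.1 or later on PATH, leaves the CA keys unencrypted for batch use (a real CA keeps the -aes256 passphrases as the post does), uses the name hadoop12 as a stand-in for $(hostname -f), and builds the node CSR with openssl rather than keytool (both produce a PKCS#10 request, so nothing differs on the CA side). Unlike step 6 it does not edit the CA configuration for every node: the SAN is written into a small per-node extension file passed with -extfile, which sidesteps the fact that openssl ca ignores the SAN inside the CSR unless copy_extensions is set.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the post's two-tier
# CA in a scratch directory, signs one node CSR with a per-node SAN and runs
# the checks a node certificate must pass. Assumed: openssl 1.1+ on PATH; CA
# keys unencrypted for batch use (a real CA keeps -aes256); "hadoop12" stands
# in for $(hostname -f); node CSR made with openssl, not keytool (same PKCS#10).
set -eu
WORK=${WORK:-$(mktemp -d)}; NODE=${NODE:-hadoop12}
# Minimal CA config with the post's sections. $1 = CA directory. policy_strict
# is the post's root policy: a CSR it signs must repeat the CA's C, ST and O
# (the post's intermediate relaxes this with policy_loose).
write_ca_conf() {
  mkdir -p "$1/certs" "$1/newcerts" "$1/private" && chmod 700 "$1/private"
  : > "$1/index.txt" && echo 1000 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/ca.key.pem
certificate = \$dir/certs/ca.cert.pem
default_md = sha256
default_days = 375
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
}
CA=$WORK/ca; INT=$WORK/ca/intermediate; DN=/C=CN/ST=gd/O=macro
write_ca_conf "$CA"; write_ca_conf "$INT"

# 2.1 Root CA: key and self-signed certificate (2048-bit here, 4096 in the post).
openssl genrsa -out "$CA/private/ca.key.pem" 2048 2>/dev/null
openssl req -config "$CA/openssl.cnf" -key "$CA/private/ca.key.pem" -new -x509 \
  -days 7300 -sha256 -extensions v3_ca -subj "$DN/CN=Demo Root CA" \
  -out "$CA/certs/ca.cert.pem"
# 2.2 Intermediate CA: CSR carrying the root's C/ST/O, signed by the root
# with pathlen:0, then the chain file (intermediate first, root last).
openssl genrsa -out "$INT/private/ca.key.pem" 2048 2>/dev/null
openssl req -config "$INT/openssl.cnf" -new -sha256 -key "$INT/private/ca.key.pem" \
  -subj "$DN/CN=Demo Intermediate CA" -out "$INT/intermediate.csr.pem"
openssl ca -batch -config "$CA/openssl.cnf" -extensions v3_intermediate_ca -days 3650 \
  -notext -md sha256 -in "$INT/intermediate.csr.pem" -out "$INT/certs/ca.cert.pem" 2>/dev/null
cat "$INT/certs/ca.cert.pem" "$CA/certs/ca.cert.pem" > "$INT/certs/ca-chain.cert.pem"

# Section 3 step 6, CA side. openssl ca ignores the SAN inside the CSR unless
# copy_extensions is set, so the SAN is written into a per-node extension file
# (the post instead edits [ server_cert ] in the CA config before each signing).
sign_node_csr() {   # $1 = node name, $2 = CSR, $3 = certificate to write
  cat > "$WORK/$1.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$1
EOF
  openssl ca -batch -config "$INT/openssl.cnf" -extfile "$WORK/$1.ext" \
    -extensions server_cert -days 3000 -notext -in "$2" -out "$3" 2>/dev/null
}
# Section 3 step 8: what the certificate must show before it is imported.
# Returns 0 if ok; 1 = no chain to the CA file, 2 = host missing from the SAN,
# 3 = EKU lacks serverAuth+clientAuth, 4 = certificate not for this private key.
check_node_cert() {   # $1 = node name, $2 = certificate, $3 = key, $4 = CA chain
  openssl verify -CAfile "$4" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -qw "DNS:$1" || return 2
  openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication' || return 3
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] || return 4
}

# Node side of section 3 (keytool on a real node): key and CSR, then sign and check.
openssl genrsa -out "$WORK/$NODE.key" 2048 2>/dev/null
openssl req -config "$INT/openssl.cnf" -new -sha256 -key "$WORK/$NODE.key" \
  -subj "$DN/OU=dev/CN=$NODE" -out "$WORK/$NODE.csr"
sign_node_csr "$NODE" "$WORK/$NODE.csr" "$WORK/$NODE.pem"
check_node_cert "$NODE" "$WORK/$NODE.pem" "$WORK/$NODE.key" "$INT/certs/ca-chain.cert.pem" \
  && echo "OK: $NODE certificate chains to the root, names the host and matches its key"
```

check_node_cert fails on purpose when it is given the root certificate alone as the CA file: the node certificate is issued by the intermediate, so a verifier that trusts only the root must be handed the intermediate as well. That is exactly the situation of the agents in section 6, which trust only rootca.pem and rely on the server sending its intermediate. On a live cluster the same check against the running console is openssl s_client -connect hadoop12:7183 -CAfile /opt/cloudera/security/pki/rootca.pem, which should end with Verify return code: 0 (ok); run that instead of clicking through the browser warning in section 4.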

4 Configuring the Cloudera Manager Console to Use TLS

1. Open the CM admin console and choose Settings under Administration.

2. Click Security under CATEGORY

3. Fill in the settings (the screenshot of these settings is not included here): enable TLS for the Admin Console and point Cloudera Manager at the server keystore created in section 3, /opt/cloudera/security/pki/server.jks, together with its password.

Click Save Changes

4. Open the Cloudera Management Service, click Configuration, and under SCOPE choose Cloudera Management Service

5. Then click Security under Category

6. Fill in the settings (the screenshot is not included here): the Management Service roles connect to the server as TLS clients, so they are given the truststore built in section 3, $JAVA_HOME/jre/lib/security/jssecacerts, together with its password.

Click Save Changes

7. Restart cloudera-scm-server

systemctl restart cloudera-scm-server

After logging in again, the console is served over HTTPS on port 7183. The browser warns because it does not know the internal root CA; you can accept the certificate to proceed, but the better fix is to import rootca.pem into the browser or operating-system trust store, so that the warning disappears for the real console and still appears for an impostor.

Log in with the username and password (admin/admin in this lab).

8. Restart the Cloudera Management Service

5 Configuring TLS for the Cloudera Manager Agents

1. Open the CM admin console and choose Settings under Administration.

2. Click Security under CATEGORY

3. Check Use TLS Encryption for Agents and click Save Changes

4. Edit /etc/cloudera-scm-agent/config.ini on all agent nodes (or edit it on one node and copy it to the others)

Set server_host to the server's host name, not its IP address: the server certificate's Subject Alternative Name is a DNS name, and once the agent starts verifying the certificate in section 6 an IP address will not match it.

Under [Security], set use_tls to 1

Distribute the file to the other agent nodes

scp /etc/cloudera-scm-agent/config.ini hadoop13:/etc/cloudera-scm-agent/

5. Restart the server and all agent services

systemctl restart cloudera-scm-server
systemctl restart cloudera-scm-agent

6. In the console, all nodes report a heartbeat under Hosts, which confirms the configuration. At this point the agent channel is encrypted but the agent does not yet check whom it is talking to, since verify_cert_file is still empty; the next section adds that check.

6 Configuring the Cloudera Manager Agents to Verify the Server Certificate

1. Edit /etc/cloudera-scm-agent/config.ini on all agent nodes (or edit it on one node and copy it to the others)

Under [Security] add the following, which makes the agent check the server's certificate against the internal root CA. Trusting the root alone is enough because the server's keystore also holds the intermediate certificate (section 3, step 12) and presents it together with its own, so the agent can build the chain from the root through the intermediate to the server.

verify_cert_file=/opt/cloudera/security/pki/rootca.pem

Distribute the file to all nodes

scp /etc/cloudera-scm-agent/config.ini hadoop13:/etc/cloudera-scm-agent/

2. Restart the agent service on all nodes

systemctl restart cloudera-scm-agent

3. In the console, all nodes report a heartbeat under Hosts, which confirms the configuration

7 Configuring the Cloudera Manager Server to Verify Agent Certificates

1. On every node, export the node's private key from the Java keystore (keytool can only hand it out by converting the entry to PKCS#12, which openssl then reads) and create the symlink the agent configuration points at. openssl pkcs12 prompts for the PKCS#12 password and then for a PEM pass phrase; the exported key stays encrypted under that pass phrase, which is why the agent needs the password file created in the next step.

sudo $JAVA_HOME/bin/keytool -importkeystore -srckeystore /opt/cloudera/security/pki/$(hostname -f).jks -destkeystore /opt/cloudera/security/pki/$(hostname -f)-key.p12 -deststoretype PKCS12 -srcalias $(hostname -f)
sudo openssl pkcs12 -in /opt/cloudera/security/pki/$(hostname -f)-key.p12 -nocerts -out /opt/cloudera/security/pki/$(hostname -f).key
sudo ln -s /opt/cloudera/security/pki/$(hostname -f).key /opt/cloudera/security/pki/agent.key

2. On every node create /etc/cloudera-scm-agent/agentkey.pw containing the PEM pass phrase chosen when exporting the key (changeit in this walkthrough).

Set the owner and permissions so that only root can read it

sudo chown root:root /etc/cloudera-scm-agent/agentkey.pw
sudo chmod 440 /etc/cloudera-scm-agent/agentkey.pw

3. Edit /etc/cloudera-scm-agent/config.ini on all agent nodes (or edit it on one node and copy it to the others)

Under [Security] add the following (agent.pem and agent.key are the symlinks created in section 3 step 13 and section 7 step 1)

client_key_file=/opt/cloudera/security/pki/agent.key
client_keypw_file=/etc/cloudera-scm-agent/agentkey.pw
client_cert_file=/opt/cloudera/security/pki/agent.pem

Distribute the file to all nodes

scp /etc/cloudera-scm-agent/config.ini hadoop13:/etc/cloudera-scm-agent/

4. Open the CM admin console and choose Settings under Administration.

5. Click Security under CATEGORY

6. Fill in the settings (the screenshot is not included here): enable verification of agent certificates by the server, and give the server a truststore containing the root CA, for which the jssecacerts file built in section 3 serves, together with its password.

7. Click Save Changes, then restart the server and all agents

systemctl restart cloudera-scm-server
systemctl restart cloudera-scm-agent

8. Under Hosts, all nodes again report a heartbeat, which confirms the configuration
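The agent-side settings from sections 5, 6 and 7 as one audit, an added example rather than anything from the original post: ini_get reads a key out of a section of config.ini, and audit_agent_config rejects a file that only encrypts (use_tls=1 with an empty verify_cert_file, which still lets any host impersonate the server), that lacks the client certificate, key and key-password settings the server-side check needs, or that points server_host at an IP address the certificate's DNS SAN can never match. The three config files are constructed inline for the demonstration; on a cluster the audit is run against /etc/cloudera-scm-agent/config.ini on every host.

```shell
#!/bin/sh
# Added example, not code from the original post: an audit of the agent
# settings from sections 5, 6 and 7. The config.ini samples are constructed
# here; the real file is /etc/cloudera-scm-agent/config.ini on every host.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Print the value of key $2 in section [$1] of ini file $3 (nothing if the key
# is absent or empty). Comment lines (# or ;) and blank lines are skipped.
ini_get() {
  awk -v sec="$1" -v key="$2" '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/].*$/, "", cur); next }
    cur == sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }' "$3"
}

# Returns 0 only when the agent both encrypts and authenticates: use_tls on
# (section 5), verify_cert_file set so the server certificate is checked
# (section 6), a client certificate, key and key-password file so the server
# can check the agent (section 7), and server_host a DNS name, because the
# server certificate's SAN is a DNS name that an IP address never matches.
audit_agent_config() {   # $1 = path to config.ini
  cfg=$1
  [ "$(ini_get Security use_tls "$cfg")" = 1 ] \
    || { echo "$cfg: use_tls is not 1, agent traffic is in the clear"; return 1; }
  [ -n "$(ini_get Security verify_cert_file "$cfg")" ] \
    || { echo "$cfg: verify_cert_file empty, encrypted but any server is accepted"; return 2; }
  for k in client_key_file client_keypw_file client_cert_file; do
    [ -n "$(ini_get Security "$k" "$cfg")" ] \
      || { echo "$cfg: $k empty, the server cannot verify this agent"; return 3; }
  done
  h=$(ini_get General server_host "$cfg")
  case $h in
    '')        echo "$cfg: server_host unset"; return 4 ;;
    *[!0-9.]*) return 0 ;;   # contains a letter: a host name, as the SAN needs
    *)         echo "$cfg: server_host=$h is an IP, the DNS SAN will not match"; return 4 ;;
  esac
}

# Constructed sample 1: section 5 only, with the stock empty [Security] values.
cat > "$WORK/weak.ini" <<'EOF'
[General]
server_host=192.168.0.12
server_port=7182
[Security]
use_tls=1
verify_cert_file=
client_key_file=
client_keypw_file=
client_cert_file=
EOF
# Constructed sample 2: the end state after sections 5, 6 and 7.
cat > "$WORK/hardened.ini" <<'EOF'
[General]
server_host=hadoop12
server_port=7182
[Security]
use_tls=1
verify_cert_file=/opt/cloudera/security/pki/rootca.pem
client_key_file=/opt/cloudera/security/pki/agent.key
client_keypw_file=/etc/cloudera-scm-agent/agentkey.pw
client_cert_file=/opt/cloudera/security/pki/agent.pem
EOF
# Constructed sample 3: hardened, but server_host given as an IP address.
sed 's/^server_host=.*/server_host=192.168.0.12/' "$WORK/hardened.ini" > "$WORK/ip.ini"

for f in "$WORK/weak.ini" "$WORK/ip.ini" "$WORK/hardened.ini"; do
  audit_agent_config "$f" && echo "$f: ok"
done
```

The order of the checks mirrors the order of the sections: a file that fails on use_tls has not been through section 5 at all, one that fails on verify_cert_file stopped after section 5, and one that fails on the client_* keys stopped after section 6. Run it from a central host over ssh before restarting the agents, since a node whose config.ini was not updated keeps heartbeating in the clear until the server-side setting of step 6 rejects it.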

Originally published 2019-05-22 on the Hadoop实操 WeChat public account.