0638-6.1.0-Cloudera Manager配置TLS
0638-6.1.0-Cloudera Manager配置TLS
Fayson
发布于 2019-05-23 15:44:55
发布于 2019-05-23 15:44:55
文章被收录于专栏:Hadoop实操
作者:李继武
1
文档编写目的
本文档主要介绍如何为已经安装好的CDH集群配置Cloudera Manager启用TLS。
- 主要内容
1. Certificate Authority搭建
2. 创建节点证书
3. 配置Cloudera Manager Console使用TLS协议
4. Cloudera Manager Agents配置TLS
5. 配置Cloudera Manager Agents认证Server证书
6. 配置Cloudera Manager Server认证Agent证书
- 环境介绍
1. CDH6.1.0
2. RedHat7.2
2
Certificate Authority搭建
由于CDH集群大部分都是在内网当中,无法用到PUBLIC CA,因此需要搭建内网CA,这里使用OpenSSL Certificate Authority。
2.1
Root CA
1. 创建文件夹存放keys和certificates
mkdir /root/ca
2. 在该目录下创建根CA的目录结构
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
3. 准备配置文件/root/ca/openssl.cnf,内容如下:
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning4. 创建root key
cd /root/ca
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem
5. 创建root certificate
cd /root/ca
openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem
6. 验证root certificate
openssl x509 -noout -text -in certs/ca.cert.pem
2.2
Intermediate CA
1. 在根CA目录下创建一个intermediate目录用于存放Intermediate CA的文件
mkdir /root/ca/intermediate
2. 创建Intermediate CA目录结构
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /root/ca/intermediate/crlnumber
3. 准备配置文件/root/ca/intermediate/openssl.cnf,内容如下:
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning4. 创建 intermediate key
cd /root/ca
openssl genrsa -aes256 \
-out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem
5. 创建intermediate certificate signing request(CSR)
cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/intermediate.key.pem \
-out intermediate/csr/intermediate.csr.pem
chmod 400 intermediate/private/intermediate.key.pem
6. 生成intermediate certificate
cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-in intermediate/csr/intermediate.csr.pem \
-out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem
7. 像验证root certificate一样验证intermediate certificate
openssl x509 -noout -text \
-in intermediate/certs/intermediate.cert.pem
8. 依据root certificate验证intermediate certificate,验证通过返回OK。
openssl verify -CAfile certs/ca.cert.pem \
intermediate/certs/intermediate.cert.pem
9. 创建certificate chain file
cat intermediate/certs/intermediate.cert.pem \
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
3
创建节点证书
以下操作在集群所有节点都需要操作
1. 配置JAVA_HOME环境变量
export JAVA_HOME=/usr/java/jdk1.8.0_141-cloudera
export PATH=$PATH:$JAVA_HOME/bin
2. 创建目录存放证书
mkdir -p /opt/cloudera/security/pki
3. 生成 Java keystore
$JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=dev,O=macro,L=sz,ST=gd,C=zh" -ext san=dns:$(hostname -f)
4. 根据java keystore生成certificate signing request(CSR)
$JAVA_HOME/bin/keytool -certreq -alias $(hostname -f) -keystore /opt/cloudera/security/pki/$(hostname -f).jks -file /opt/cloudera/security/pki/$(hostname -f).csr -ext san=dns:$(hostname -f) -ext EKU=serverAuth,clientAuth
5. 将各节点生成的/opt/cloudera/security/pki/$(hostname -f).csr发送到自搭建的CA服务器上
scp /opt/cloudera/security/pki/$(hostname -f).csr hadoop12:/root/ca/intermediate/csr
6. 根据如下步骤在CA服务器上依次为每一个节点的CSR生成certificate
修改/root/ca/intermediate/openssl.cnf,在[ server_cert ]下添加subjectAltName=DNS:{对应的节点域名},比如
使用如下命令为该节点生成certificate
openssl ca -config /root/ca/intermediate/openssl.cnf \
-extensions server_cert \
-days 3000 \
-notext \
-in /root/ca/intermediate/csr/hadoop12.csr \
-out /root/ca/intermediate/certs/hadoop12.pem
依次生成其余节点的certificate
7. 将certificate发送回对应的节点的/opt/cloudera/security/pki目录下
scp /root/ca/intermediate/certs/hadoop12.pem hadoop12:/opt/cloudera/security/pki/
8. 验证每一个节点上的证书
openssl x509 -in /opt/cloudera/security/pki/$(hostname -f).pem -noout -text在结果中需要有如下内容:
9. 拷贝root 和intermediate CA certificates到所有节点的/opt/cloudera/security/pki目录下,并重命名为rootca.pem和intca.pem
scp /root/ca/certs/ca.cert.pem hadoop12:/opt/cloudera/security/pki/rootca.pem
scp /root/ca/intermediate/certs/intermediate.cert.pem hadoop13:/opt/cloudera/security/pki/intca.pem
10. 执行如下的命令将JDK的cacerts文件拷贝到jssecacerts
cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
11. 将root CA certificate导入到jssecacerts当中
sudo $JAVA_HOME/bin/keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts -file /opt/cloudera/security/pki/rootca.pem
12. 将intermediate CA certificate添加到各节点的节点证书中,并将其导入到java keystore中
sudo cat /opt/cloudera/security/pki/intca.pem >> /opt/cloudera/security/pki/$(hostname -f).pem
sudo $JAVA_HOME/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks
13. 创建软连接
ln -s /opt/cloudera/security/pki/$(hostname -f).pem /opt/cloudera/security/pki/agent.pem
14. 在Cloudera Manager Server节点上,创建如下软连接
ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks4
配置Cloudera Manager Console使用TLS协议
1. 打开CM的控制界面,选Administration下的Settings.
2. 点击“CATEGORY”中的“security”
3. 填写如下选项
点击“Save Changes”保存
4. 打开Cloudera Manager Service,点击“configuration”,在SCOPE中选择“Cloudera Management Service”
5. 再点击“Category”中的“>Security”
6. 填写如下配置项
点击“Save Changes”保存
7. 重启cloudera-scm-server
systemctl restart cloudera-scm-server重新登录后,可发现CM控制界面的地址端口更改为7183,使用https协议传输,选择信任证书后登录
输入账户名密码admin/admin
登录:
8. 重启Cloudera Manager Service
5
Cloudera Manager Agents配置TLS
1. 打开CM的控制界面,选Administration下的Settings.
2. 点击“CATEGORY”中的“security”
3. 勾选“Use TLS Encryption for Agents”,点击“Save Changes”保存
4. 修改所有agent节点的/etc/cloudera-scm-agent/config.ini文件,也可在一台上修改完之后分发到其他agent节点上
修改server_host为server的主机名,而不用IP
设置[Security]下的use_tls为1
分发到其他agent节点
scp /etc/cloudera-scm-agent/config.ini hadoop13:/etc/cloudera-scm-agent/
5. 重启server和所有的agent服务
systemctl restart cloudera-scm-server
systemctl restart cloudera-scm-agent6. 打开控制界面,在所有主机中可以检测到所有节点的心跳信号,说明配置成功
6
Cloudera Manager Agents配置认证Server证书
1. 修改所有agent节点的/etc/cloudera-scm-agent/config.ini文件,也可在一台上修改完之后分发到其他agent节点上
在[Security]下添加如下配置
verify_cert_file=/opt/cloudera/security/pki/rootca.pem分发到所有节点
scp /etc/cloudera-scm-agent/config.ini hadoop13:/etc/cloudera-scm-agent/
2. 重启所有节点的agent服务
systemctl restart cloudera-scm-agent3. 打开控制界面,在所有主机中可以检测到所有节点的心跳信号,说明配置成功
7
Cloudera Manager Server配置认证Agent证书
1. 在所有节点上,执行如下命令,导出各个节点证书的key和certificate,并创建软连接
sudo $JAVA_HOME/bin/keytool -importkeystore -srckeystore /opt/cloudera/security/pki/$(hostname -f).jks -destkeystore /opt/cloudera/security/pki/$(hostname -f)-key.p12 -deststoretype PKCS12 -srcalias $(hostname -f)
sudo openssl pkcs12 -in /opt/cloudera/security/pki/$(hostname -f)-key.p12 -nocerts -out /opt/cloudera/security/pki/$(hostname -f).key
sudo ln -s /opt/cloudera/security/pki/$(hostname -f).key /opt/cloudera/security/pki/agent.key
2. 在所有节点上创建/etc/cloudera-scm-agent/agentkey.pw,内容为证书密码,该案例中为changeit.
修改属主和权限
sudo chown root:root /etc/cloudera-scm-agent/agentkey.pw
sudo chmod 440 /etc/cloudera-scm-agent/agentkey.pw
3. 修改所有agent节点的/etc/cloudera-scm-agent/config.ini文件,也可在一台上修改完之后分发到其他agent节点上
在[Security]下添加如下配置
client_key_file=/opt/cloudera/security/pki/agent.key
client_keypw_file=/etc/cloudera-scm-agent/agentkey.pw
client_cert_file=/opt/cloudera/security/pki/agent.pem
分发到所有节点
scp /etc/cloudera-scm-agent/config.ini hadoop13:/etc/cloudera-scm-agent/
4. 打开CM的控制界面,选Administration下的Settings.
5. 点击“CATEGORY”中的“security”
6. 填写如下配置项
7. 点击“Save Changes”后重启server和所有的agent
systemctl restart cloudera-scm-server
systemctl restart cloudera-scm-agent8. 打开所有主机,可检测到所有主机的心跳信号,说明配置成功
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2019-05-22,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
