在 hadoop1生成ca并拷贝至hadoop2,hadoop2。 (密码随便设置,大于6位即可。如adminadmin)
cd /etc/https openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=chaoyang/O=lecloud/OU=dt/CN=jenkin.com' scp hdfs_ca_key hdfs_ca_cert hadoop2:/etc/https/ scp hdfs_ca_key hdfs_ca_cert hadoop3:/etc/https/
在每一条机器上生成 keystore,和trustores
// 生成 keystore
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=${fqdn}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"
// 添加 CA 到 truststore
keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert
// 从 keystore 中导出 cert
keytool -certreq -alias localhost -keystore keystore -file cert
// 用 CA 对 cert 签名
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial
// 将 CA 的 cert 和用 CA 签名之后的 cert 导入 keystore
keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
keytool -keystore keystore -alias localhost -import -file cert_signed
将最终keystore,trustores放入合适的目录,并机上后缀
cp keystore /etc/https/keystore.jks cp truststore /etc/https/truststore.jks
hdfs-site.xml
// datanode与namenode混合部署是,需要 HTTPS_ONLY
<property>
<name>dfs.http.policy</name>
<value>HTTP_AND_HTTPS</value> <!-- namenode configure -->
<!-- <value>HTTPS_ONLY</value> --><!-- datanode configure -->
</property>
配置ssl-client.xml
<configuration> <property> <name>ssl.client.truststore.location</name> <value>/etc/https/truststore.jks</value> <description>Truststore to be used by clients like distcp. Must be specified. </description> </property> <property> <name>ssl.client.truststore.password</name> <value>adminadmin</value> <description>Optional. Default value is "". </description> </property> <property> <name>ssl.client.truststore.type</name> <value>jks</value> <description>Optional. The keystore file format, default value is "jks". </description> </property> <property> <name>ssl.client.truststore.reload.interval</name> <value>10000</value> <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds). </description> </property> <property> <name>ssl.client.keystore.location</name> <value>/etc/https/keystore.jks</value> <description>Keystore to be used by clients like distcp. Must be specified. </description> </property> <property> <name>ssl.client.keystore.password</name> <value>adminadmin</value> <description>Optional. Default value is "". </description> </property> <property> <name>ssl.client.keystore.keypassword</name> <value>adminadmin</value> <description>Optional. Default value is "". </description> </property> <property> <name>ssl.client.keystore.type</name> <value>jks</value> <description>Optional. The keystore file format, default value is "jks". </description> </property> </configuration>
ssl-server.xml
<configuration> <property> <name>ssl.server.truststore.location</name> <value>/etc/https/truststore.jks</value> <description>Truststore to be used by NN and DN. Must be specified. </description> </property> <property> <name>ssl.server.truststore.password</name> <value>adminadmin</value> <description>Optional. Default value is "". </description> </property> <property> <name>ssl.server.truststore.type</name> <value>jks</value> <description>Optional. The keystore file format, default value is "jks". </description> </property> <property> <name>ssl.server.truststore.reload.interval</name> <value>10000</value> <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds). </description> </property> <property> <name>ssl.server.keystore.location</name> <value>/etc/https/keystore.jks</value> <description>Keystore to be used by NN and DN. Must be specified. </description> </property> <property> <name>ssl.server.keystore.password</name> <value>adminadmin</value> <description>Must be specified. </description> </property> <property> <name>ssl.server.keystore.keypassword</name> <value>adminadmin</value> <description>Must be specified. </description> </property> <property> <name>ssl.server.keystore.type</name> <value>jks</value> <description>Optional. The keystore file format, default value is "jks". </description> </property> </configuration>