Generate the CA on hadoop1 and copy it to hadoop2 and hadoop3. (Choose any password of at least 6 characters, e.g. adminadmin.) Note that this copies the CA private key (hdfs_ca_key) to every node so that each one can sign its own certificate locally; a compromise of any node then exposes the key that signs every certificate in the cluster. If you would rather keep the CA key on hadoop1 only, copy just hdfs_ca_cert to the other nodes, send each node's signing request to hadoop1 for signing, and copy the signed certificate back.

cd /etc/https
# Self-signed CA certificate plus a passphrase-protected CA private key
openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=chaoyang/O=lecloud/OU=dt/CN=jenkin.com'
scp hdfs_ca_key hdfs_ca_cert hadoop2:/etc/https/
scp hdfs_ca_key hdfs_ca_cert hadoop3:/etc/https/
Generate the keystore and truststore on every machine:

# ${fqdn} must be this node's fully qualified hostname: it becomes the certificate CN that clients check against the host they connect to
fqdn=$(hostname -f)
# Generate the keystore with a fresh RSA key pair for this node
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=${fqdn}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"
# Add the CA certificate to the truststore
keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert
# Generate a certificate signing request (CSR) for the node key; "cert" here is the request, not a certificate
keytool -certreq -alias localhost -keystore keystore -file cert
# Sign the CSR with the CA
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial
# Import the CA certificate first, then the CA-signed node certificate, into the keystore so the chain validates
keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
keytool -keystore keystore -alias localhost -import -file cert_signed
Put the final keystore and truststore into a suitable directory and add the .jks suffix. The keystore contains this node's private key, so it should be readable only by the account that runs the NameNode/DataNode.

cp keystore /etc/https/keystore.jks
cp truststore /etc/https/truststore.jks
hdfs-site.xml

<!-- When DataNodes and the NameNode are deployed on the same hosts, HTTPS_ONLY is needed -->
<property>
  <name>dfs.http.policy</name>
  <value>HTTP_AND_HTTPS</value>
</property>

HTTP_AND_HTTPS keeps the plaintext HTTP endpoints (web UI, WebHDFS) open alongside HTTPS, so treat it as a transitional setting and move to HTTPS_ONLY once every client trusts the CA.
Configure ssl-client.xml:

<configuration>
  <property>
    <name>ssl.client.truststore.location</name>
    <value>/etc/https/truststore.jks</value>
    <description>Truststore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.truststore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.client.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.client.keystore.location</name>
    <value>/etc/https/keystore.jks</value>
    <description>Keystore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.keystore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.keypassword</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>
ssl-server.xml

<configuration>
  <property>
    <name>ssl.server.truststore.location</name>
    <value>/etc/https/truststore.jks</value>
    <description>Truststore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.truststore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.server.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.server.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.server.keystore.location</name>
    <value>/etc/https/keystore.jks</value>
    <description>Keystore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>adminadmin</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>adminadmin</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>

The passwords above are written into the XML in plaintext. Hadoop can read them from a credential provider instead (hadoop.security.credential.provider.path); if they stay in the file, restrict read access to ssl-server.xml to the HDFS service account.
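As an added example that is not part of the original post, the following Python script parses the three files configured above in Hadoop's <configuration>/<property> format and reports the points a security review would raise: dfs.http.policy left at HTTP_AND_HTTPS (or at the HTTP_ONLY default when unset), missing keystore or truststore locations, and passwords written into the XML in plaintext. The sample documents embedded in it are constructed from the page's own values; the finding messages and the check thresholds (keytool's six-character minimum, Hadoop's credential provider property hadoop.security.credential.provider.path) are mine, not the original author's.

```python
# Added example (not part of the original post): audit the TLS settings from
# hdfs-site.xml, ssl-server.xml and ssl-client.xml for the weak points a
# reviewer would flag. The sample documents below are constructed to mirror
# the page's values; the paths and passwords are the page's examples.
import xml.etree.ElementTree as ET

HDFS_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.http.policy</name><value>HTTP_AND_HTTPS</value></property>
</configuration>
"""

SSL_SERVER_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>ssl.server.truststore.location</name><value>/etc/https/truststore.jks</value></property>
  <property><name>ssl.server.truststore.password</name><value>adminadmin</value></property>
  <property><name>ssl.server.keystore.location</name><value>/etc/https/keystore.jks</value></property>
  <property><name>ssl.server.keystore.password</name><value>adminadmin</value></property>
  <property><name>ssl.server.keystore.keypassword</name><value>adminadmin</value></property>
</configuration>
"""

SSL_CLIENT_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>ssl.client.truststore.location</name><value>/etc/https/truststore.jks</value></property>
  <property><name>ssl.client.truststore.password</name><value>adminadmin</value></property>
  <property><name>ssl.client.keystore.location</name><value>/etc/https/keystore.jks</value></property>
</configuration>
"""

VALID_POLICIES = ("HTTP_ONLY", "HTTPS_ONLY", "HTTP_AND_HTTPS")
PASSWORD_KEYS = ("keystore.password", "keystore.keypassword", "truststore.password")


def parse_hadoop_xml(text):
    """Return {name: value} for a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_http_policy(props):
    """Check dfs.http.policy; when the property is absent Hadoop defaults to HTTP_ONLY."""
    policy = props.get("dfs.http.policy", "HTTP_ONLY")
    if policy == "HTTPS_ONLY":
        return []
    if policy == "HTTP_AND_HTTPS":
        return ["dfs.http.policy=HTTP_AND_HTTPS: the web UI and WebHDFS stay reachable over "
                "plaintext HTTP; switch to HTTPS_ONLY once every client trusts the CA"]
    if policy == "HTTP_ONLY":
        return ["dfs.http.policy=HTTP_ONLY: TLS is not enabled for the HDFS web endpoints"]
    return [f"dfs.http.policy={policy!r} is not one of {', '.join(VALID_POLICIES)}"]


def audit_ssl_file(props, side):
    """Check ssl-server.xml (side='server') or ssl-client.xml (side='client')."""
    if side not in ("server", "client"):
        raise ValueError("side must be 'server' or 'client'")
    findings = []
    for store in ("keystore", "truststore"):
        key = f"ssl.{side}.{store}.location"
        if not props.get(key):
            findings.append(f"{key} is missing: Hadoop requires it to be specified")
    for suffix in PASSWORD_KEYS:
        key = f"ssl.{side}.{suffix}"
        value = props.get(key, "")
        if value == "":
            # The server keystore passwords are mandatory; the others default to "".
            if side == "server" and suffix.startswith("keystore"):
                findings.append(f"{key} must be specified")
        elif len(value) < 6:
            findings.append(f"{key} is shorter than the 6 characters keytool requires")
        else:
            findings.append(f"{key} is stored in plaintext XML: move it to a credential "
                            "provider (hadoop.security.credential.provider.path) and keep "
                            "the file readable only by the HDFS service account")
    return findings


def audit_cluster(hdfs_site_xml, ssl_server_xml, ssl_client_xml):
    """Run all checks and return the combined list of findings."""
    findings = audit_http_policy(parse_hadoop_xml(hdfs_site_xml))
    findings += audit_ssl_file(parse_hadoop_xml(ssl_server_xml), "server")
    findings += audit_ssl_file(parse_hadoop_xml(ssl_client_xml), "client")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(HDFS_SITE_XML, SSL_SERVER_XML, SSL_CLIENT_XML):
        print("-", finding)
```

Run against the page's own values it reports five findings: the HTTP_AND_HTTPS policy, three plaintext passwords in ssl-server.xml and one in ssl-client.xml. Point the same functions at the real files under $HADOOP_CONF_DIR to check a live cluster; a clean run returns an empty list.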
Reposted from: https://www.cnblogs.com/kisf/p/7573561.html
Publisher: 全栈程序员-站长. Please credit the source when reposting: https://javaforall.net/221488.html Original link: https://javaforall.net
