FusionInsight HD 6.5.0 Administrator Guide 02

Configuring the CA Certificate

Scenario

The FusionInsight HD CA certificate is used for data encryption during the communication between the client and the server of a component to ensure communication security. Replace the CA certificate on FusionInsight Manager to ensure product security. This operation is applicable to the following scenarios:

  • After the cluster is installed for the first time, you need to import an enterprise certificate.
  • If the enterprise certificate has expired or security hardening is required, you need to replace it with a new certificate.

After the CA certificate is replaced, the certificates that are used by HDFS, Yarn, MapReduce, HBase, Loader, Hue, FTP-Server, Metadata, Oozie, Storm, Hive, Tomcat, CAS, httpd, and LDAP in FusionInsight HD are automatically updated.

The certificate file and key file can be applied for from the enterprise certificate administrator or generated by the system administrator.

NOTE:
  • Only X.509 CA certificates that are able to issue certificates can be imported into FusionInsight.
  • FusionInsight requires that the OS encoding format be en_US.UTF-8 or POSIX. Otherwise, the certificate function will be abnormal.

Impact on the System

FusionInsight HD must be restarted during the replacement. While it restarts, the system cannot be accessed and does not provide services.

Prerequisites

  • Obtain the files to be imported to the FusionInsight HD cluster, including the CA certificate file (such as *.crt), key file (*.key), and file (password.property) that saves the key file password. The certificate name and key name support uppercase letters, lowercase letters, and digits.
  • Prepare a password for accessing the key file, for example, Userpwd@123.

    The password must meet the following complexity requirements. If the password complexity does not meet the following requirements, potential security risks may exist:

    • The password contains at least 8 characters.
    • The password must contain at least four types of the following: uppercase letters, lowercase letters, digits, and special characters ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
  • When applying for a certificate from the certificate administrator, provide the password for accessing the key file and apply for the certificate files in the .crt, .cer, .cert, or .pem format and the key files in the .key or .pem format. The applied certificates must have the issuing function.

Procedure

  1. Use PuTTY to log in to any management node in the cluster as user omm.
  2. Select the certificate file and key file generation mode:

    • If the certificate is generated by the certificate administrator, save the certificate file and key file to the omm user directory on the management node.
      NOTE:

      If the obtained certificate file format is not .crt and the key file format is not *.key, run the following commands to change the file names:

      mv <certificate name>.<certificate format> <certificate name>.crt

      mv <key name>.<key format> <key name>.key

      For example, run the following command to name the certificate file ca.crt and name the key file ca.key:

      mv server.cer ca.crt

      mv server_key.pem ca.key

    • If the certificate is generated by the system administrator, run the following commands to generate the certificate file and key file in the omm user directory on the management node:
      1. Generate the key file:

        openssl genrsa -out <key name>.key -aes256 2048

        For example, run the following command to generate key file ca.key: openssl genrsa -out ca.key -aes256 2048

        Enter the password twice as prompted, and press Enter.

        Enter pass phrase for ca.key:
        Verifying - Enter pass phrase for ca.key:
      2. Generate the certificate file:

        openssl req -new -x509 -days 36135 -key <key name>.key -out <certificate name>.crt -subj "/C=cn/ST=guangdong/L=shenzhen/O=huawei/OU=huawei/CN=huawei" -sha256

        For example, run the following command to generate certificate file ca.crt: openssl req -new -x509 -days 36135 -key ca.key -out ca.crt -subj "/C=cn/ST=guangdong/L=shenzhen/O=huawei/OU=huawei/CN=huawei" -sha256

        Enter the password for the key file as prompted, and press Enter.

        Enter pass phrase for ca.key:

  3. Run the following command in the omm user directory on the management node to save the password for accessing the key file:

    sh ${BIGDATA_HOME}/om-server/om/sbin/genPwFile.sh

    Enter the password twice as prompted, and press Enter. After being encrypted, the password is saved in password.property.

    Please input key password: 
    Please Confirm password:
    NOTE:

    The password.property file that is generated on a node is applicable only in the cluster to which the current node belongs.

  4. Compress the three files in the .tar format and save them to the local computer.

    tar -cvf <package name> <certificate name>.crt <key name>.key password.property

    For example, tar -cvf test.tar ca.crt ca.key password.property

  5. Log in to the FusionInsight Manager system and click System > Certificate.
  6. In the Upload Certificate area, click the file selection button. In the file selection window, select and open the obtained .tar certificate package, and then click Upload. The system automatically imports the certificate.
  7. After the certificate is imported, click OK to restart FusionInsight HD for the certificate to take effect.
  8. In the displayed window, enter the password and click OK to automatically synchronize the cluster configuration and restart the web server.
  9. In the address box of your browser, enter the FusionInsight Manager network address to verify that the page can be opened successfully after FusionInsight Manager restarts.

    NOTE:

    If the enterprise certificate has expired or security has been hardened, replace the local certificate as well after replacing the FusionInsight HD certificate. For details, see Installing the Public Key Certificate of the Cluster.

  10. On FusionInsight Manager, choose Homepage > More > Restart to restart the cluster.
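
The requirements stated above (X.509 format, issuing capability, a password-protected key file that belongs to the certificate) can be checked on the management node before the files are packaged in step 4. The following script is an added example, not part of the Huawei guide or its tooling; the function names check_ca_bundle and make_sample, the KEYPASS environment variable used to pass the key password non-interactively, and the generated sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Huawei tooling): checks to run before packaging the CA files.
# Assumption: the key file password is supplied in the KEYPASS environment variable.

# check_ca_bundle CERT KEY: print one line per failed check; status 0 only if all pass.
check_ca_bundle() {
    cert=$1 key=$2 rc=0
    # 1. The certificate must parse as X.509.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "not-x509"; return 1; }
    # 2. It must be able to issue certificates (basicConstraints CA:TRUE).
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "not-a-ca"; rc=1; }
    # 3. The key file must be password-protected (both PEM encodings say ENCRYPTED).
    grep -q 'ENCRYPTED' "$key" || { echo "key-not-encrypted"; rc=1; }
    # 4. The private key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -passin env:KEYPASS -pubout 2>/dev/null) || key_pub=""
    { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } || { echo "key-mismatch"; rc=1; }
    return $rc
}

# make_sample DIR NAME CA_FLAG: constructed throwaway key and self-signed certificate.
make_sample() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=v3' \
        '[dn]' 'CN=constructed-example' '[v3]' "basicConstraints=critical,CA:$3" \
        > "$1/$2.cnf"
    openssl genrsa -aes256 -passout env:KEYPASS -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -sha256 -config "$1/$2.cnf" \
        -key "$1/$2.key" -passin env:KEYPASS -out "$1/$2.crt" 2>/dev/null
}

# Demo on constructed files in a temporary directory.
KEYPASS='Constructed#Pass1'; export KEYPASS
demo=$(mktemp -d)
make_sample "$demo" ca TRUE
make_sample "$demo" leaf FALSE
good=$(check_ca_bundle "$demo/ca.crt" "$demo/ca.key") || true      # all checks pass
leaf=$(check_ca_bundle "$demo/leaf.crt" "$demo/leaf.key") || true  # cannot issue
swap=$(check_ca_bundle "$demo/ca.crt" "$demo/leaf.key") || true    # wrong key file
rm -rf "$demo"
echo "good=[$good] leaf=[$leaf] swap=[$swap]"
```

On a real node, set KEYPASS to the key file password and call check_ca_bundle ca.crt ca.key; create the .tar package only when it prints nothing.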
Updated: 2019-05-17

Document ID: EDOC1100074522