Enable Wire-Level Security
About this task
Procedure
- If the cluster is running, shut it down.
- Run the configure.sh script with the -secure -genkeys options on the first CLDB node in your cluster:
    /opt/mapr/server/configure.sh -secure -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list>
  where both <Zookeeper_node_list> and <CLDB_node_list> have the form hostname[:port_no][,hostname[:port_no]...]
  WARNING: You must run configure.sh -genkeys once on one CLDB node, since the resulting files must be copied to other nodes.
  This command generates four files in the /opt/mapr/conf directory:
    cldb.key
    maprserverticket
    ssl_keystore
    ssl_truststore
- Copy the cldb.key file to any node that has the CLDB or Zookeeper service installed.
- Copy the maprserverticket, ssl_keystore, and ssl_truststore files to the /opt/mapr/conf directory of every node in the cluster.
- Verify that the files from the previous step are owned by the user that runs cluster services. This user is mapr by default. Also, the maprserverticket and ssl_keystore files must have their UNIX permission-mode bits set to 600, and the ssl_truststore file must be readable to all users.
- Run configure.sh -secure on each existing node in the cluster. The -secure option indicates that the node is secure.
  WARNING: You must also do this on any nodes that you add to the cluster in the future.
- Copy the ssl_truststore file to any client nodes outside the cluster.
  WARNING: If you run configure.sh -secure on a node before you copy the necessary files to that node, the command fails.
- Log in as the mapr superuser using the maprlogin command:
    maprlogin password
  (in this command, password is literal text).
- Run the hadoop mfs -setnetworkencryption on <object> command for every table, file, and directory object in MapR-FS whose traffic you wish to encrypt.
  WARNING: The network encryption setting is inherited by new objects. Once encryption is turned on for a directory, all new directories, files, and tables created under that directory are automatically encrypted.
- If clients will connect to multiple secure clusters, merge the ssl_truststore files with the /opt/mapr/server/manageSSLKeys.sh tool. See Setting Up the Client for more information on MapR clients.
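
The ownership and permission check from the verification step can be scripted and run on each node before configure.sh -secure. The following is an added example, not part of the MapR documentation or tooling; it assumes GNU stat on Linux, and check_file and check_secure_conf are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit key material on one node (assumes GNU stat on Linux).
# check_file and check_secure_conf are hypothetical helper names.

# check_file PATH OWNER RULE
#   RULE=private: mode must be exactly 600
#   RULE=public:  user, group and other must all have the read bit
check_file() {
    path=$1; owner=$2; rule=$3
    if [ ! -f "$path" ]; then
        echo "FAIL $path: missing"
        return 1
    fi
    mode=$(stat -c '%a' "$path")
    actual=$(stat -c '%U' "$path")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL $path: owned by $actual, expected $owner"
        return 1
    fi
    case $rule in
        private)
            [ "$mode" = "600" ] && return 0
            echo "FAIL $path: mode $mode, expected 600"
            return 1 ;;
        public)
            # Leading 0 makes the shell read both values as octal.
            [ $(( 0$mode & 0444 )) -eq $(( 0444 )) ] && return 0
            echo "FAIL $path: mode $mode is not readable to all users"
            return 1 ;;
    esac
}

# check_secure_conf [CONF_DIR] [OWNER]; returns 0 only if every file passes.
check_secure_conf() {
    conf_dir=${1:-/opt/mapr/conf}
    want_owner=${2:-mapr}
    rc=0
    check_file "$conf_dir/maprserverticket" "$want_owner" private || rc=1
    check_file "$conf_dir/ssl_keystore"     "$want_owner" private || rc=1
    check_file "$conf_dir/ssl_truststore"   "$want_owner" public  || rc=1
    return $rc
}
```

Called with no arguments, check_secure_conf uses the defaults from the procedure (/opt/mapr/conf and the mapr user) and prints one FAIL line per file that does not meet the requirement.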