Part of the article series: Big Data Security in Practice
https://www.jianshu.com/p/76627fd8399c
Steps:
- Create the certificate on the CA server
- Import the certificate on the CA clients
- Modify hdfs-site.xml for HDFS
- Configure the HDFS SSL configuration files
- On the CA server
Only after the deployment succeeded did I realise that the "CA server" does not need to run any service at all; any machine will do.
openssl req -new -x509 -keyout /var/opt/ssl/CA/private/test_ca_key -out /var/opt/ssl/CA/private/test_ca_cert -days 9999 -subj '/C=CN/ST=zhejiang/L=hangzhou/O=dtdream/OU=security/CN=zelda.com'
Generating a 2048 bit RSA private key
.....................................................+++
...................................................................................................+++
writing new private key to '/etc/pki/CA/private/test_ca_key'
#1234
Enter PEM pass phrase:
#1234
Verifying - Enter PEM pass phrase:
-----
Check the result:
[root@v-app2-cloud kduser]# ll /etc/pki/CA/private/
total 8
-rw-r--r-- 1 root root 1383 Mar 12 16:37 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 12 16:37 test_ca_key
[root@v-app2-cloud kduser]#
- Distribute the created certificate to each client
[hadoop@vm10-247-24-53 hadoop]$ ansible hadoop --become -m copy -a "src=/var/opt/ssl dest=/var/opt/"
10.247.24.54 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.28 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.49 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.63 | SUCCESS => {
"changed": true,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
10.247.24.53 | SUCCESS => {
"changed": false,
"dest": "/var/opt/",
"failed": false,
"src": "/var/opt/ssl"
}
[hadoop@vm10-247-24-53 hadoop]$ ansible hadoop -m shell -a "ls -l /var/opt/ssl/CA/private"
10.247.24.54 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:58 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:58 test_ca_key
10.247.24.28 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:56 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:56 test_ca_key
10.247.24.49 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:58 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:58 test_ca_key
10.247.24.63 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:59 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:59 test_ca_key
10.247.24.53 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:54 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:54 test_ca_key
- Run the following on each client node:

```bash
# Change into the directory the certificate was distributed to
cd /var/opt/ssl/CA/private/
# Generate the node's RSA key pair in a JKS keystore
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=vm10-247-24-53.ksc.com, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn"
# Import the CA certificate into the truststore
keytool -keystore truststore -alias CARoot -import -file test_ca_cert
# Create a certificate signing request and sign it with the CA key
keytool -certreq -alias localhost -keystore keystore -file cert
openssl x509 -req -CA test_ca_cert -CAkey test_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial
# Import the CA certificate and the signed node certificate into the keystore
keytool -keystore keystore -alias CARoot -import -file test_ca_cert
keytool -keystore keystore -alias localhost -import -file cert_signed
```

Note: in the command `keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=vm10-247-24-53.ksc.com, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn"`, replace CN=vm10-247-24-53.ksc.com with each node's own hostname.
- Verify the client certificate
123456 is the password set in the previous step.
keytool -list -v -keystore /var/opt/ssl/CA/private/keystore -storepass 123456
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: caroot
Creation date: Mar 13, 2018
Entry type: trustedCertEntry
Owner: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Issuer: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Serial number: 9edcd7d2ea0b191e
Valid from: Mon Mar 12 16:56:18 CST 2018 until: Thu Jul 27 16:56:18 CST 2045
Certificate fingerprints:
MD5: 6E:99:F2:B8:87:44:A1:2F:BD:48:05:1A:BC:42:00:2F
SHA1: A1:67:DC:78:60:E0:AE:72:58:12:29:61:17:9F:D7:C4:88:F1:BD:62
SHA256: 50:F2:2B:99:92:33:6B:D5:34:C1:51:BD:6B:CB:1C:72:A8:18:70:66:21:41:D1:E1:F5:24:71:87:B5:35:63:15
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29 49 BF 36 4B 02 60 E7 23 .\.....)I.6K.`.#
0010: BC 38 A0 BA .8..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29 49 BF 36 4B 02 60 E7 23 .\.....)I.6K.`.#
0010: BC 38 A0 BA .8..
]
]
*******************************************
*******************************************
Alias name: localhost
Creation date: Mar 13, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=v-hadoop-kbds.sz.kingdee.net, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn
Issuer: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Serial number: ac53b1f8fbaf29ba
Valid from: Tue Mar 13 10:47:18 CST 2018 until: Fri Jul 28 10:47:18 CST 2045
Certificate fingerprints:
MD5: 4D:35:81:68:07:27:A1:5E:A6:0D:C3:BE:13:BC:B5:BF
SHA1: 0F:3F:FF:3C:CA:64:43:40:EA:2A:6C:79:85:8C:BB:BB:27:46:57:9E
SHA256: 8B:D6:36:4F:A1:83:C9:79:C4:A2:DA:3D:A3:6D:87:1A:18:E8:E8:80:3B:AC:D3:00:0D:25:31:CD:7B:DC:14:80
Signature algorithm name: SHA256withRSA
Version: 1
Certificate[2]:
Owner: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Issuer: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Serial number: 9edcd7d2ea0b191e
Valid from: Mon Mar 12 16:56:18 CST 2018 until: Thu Jul 27 16:56:18 CST 2045
Certificate fingerprints:
MD5: 6E:99:F2:B8:87:44:A1:2F:BD:48:05:1A:BC:42:00:2F
SHA1: A1:67:DC:78:60:E0:AE:72:58:12:29:61:17:9F:D7:C4:88:F1:BD:62
SHA256: 50:F2:2B:99:92:33:6B:D5:34:C1:51:BD:6B:CB:1C:72:A8:18:70:66:21:41:D1:E1:F5:24:71:87:B5:35:63:15
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29 49 BF 36 4B 02 60 E7 23 .\.....)I.6K.`.#
0010: BC 38 A0 BA .8..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29 49 BF 36 4B 02 60 E7 23 .\.....)I.6K.`.#
0010: BC 38 A0 BA .8..
]
]
*******************************************
*******************************************
- Change the following settings in hdfs-site.xml:

```xml
<property>
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:61004</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>0.0.0.0:61006</value>
</property>
<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
```

dfs.http.policy must be set to HTTPS_ONLY.
- Edit ssl-client.xml under etc/hadoop

```xml
<configuration>
  <property>
    <name>ssl.client.truststore.location</name>
    <value>/var/opt/ssl/CA/private/truststore</value>
    <description>Truststore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.truststore.password</name>
    <value>123456</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.client.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.client.keystore.location</name>
    <value>/var/opt/ssl/CA/private/keystore</value>
    <description>Keystore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.keystore.password</name>
    <value>123456</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.keypassword</name>
    <value>123456</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>
```
- Edit ssl-server.xml under etc/hadoop

```xml
<configuration>
  <property>
    <name>ssl.server.truststore.location</name>
    <value>/var/opt/ssl/CA/private/truststore</value>
    <description>Truststore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.truststore.password</name>
    <value>123456</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.server.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.server.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.server.keystore.location</name>
    <value>/var/opt/ssl/CA/private/keystore</value>
    <description>Keystore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>123456</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>123456</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.server.exclude.cipher.list</name>
    <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
    SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_RSA_WITH_RC4_128_MD5</value>
    <description>Optional. The weak security cipher suites that you want excluded from SSL communication.</description>
  </property>
</configuration>
```
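As an added check, not part of the original post or of Hadoop itself, the script below parses Hadoop's property XML and reports what the sections above treat as mandatory: a dfs.http.policy other than HTTPS_ONLY, a "Must be specified" key left empty, keystore passwords still set to a trivial value such as the 123456 used here, and an entry in ssl.server.exclude.cipher.list that is not a suite name (a misspelled entry matches nothing, so that suite stays enabled). The function names and the two sample documents are my own constructions.

```python
import xml.etree.ElementTree as ET

# Keys the ssl-server.xml / ssl-client.xml descriptions above mark "Must be specified".
REQUIRED = {"ssl.server.": ("truststore.location", "keystore.location", "keystore.password", "keystore.keypassword"),
            "ssl.client.": ("truststore.location", "keystore.location")}

def parse_hadoop_xml(text):
    """Return {property name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_hdfs_site(props):
    """The post's hard requirement: NameNode/DataNode web endpoints must be HTTPS only."""
    policy = props.get("dfs.http.policy")
    return [] if policy == "HTTPS_ONLY" else [f"dfs.http.policy must be HTTPS_ONLY, got {policy!r}"]

def check_ssl_file(prefix, props):
    """prefix is 'ssl.server.' or 'ssl.client.'; returns human-readable findings (empty list = OK)."""
    findings = [f"{prefix}{k} must be specified" for k in REQUIRED[prefix] if not props.get(prefix + k)]
    for key in (prefix + "keystore.password", prefix + "keystore.keypassword"):
        if props.get(key) in ("", "123456", "changeit", "password"):  # the post's 123456 included
            findings.append(f"{key} is empty or a well-known password")
    if prefix == "ssl.server.":
        # The value may span several lines in the file, so split on commas and strip whitespace.
        suites = [s.strip() for s in props.get("ssl.server.exclude.cipher.list", "").split(",") if s.strip()]
        if not suites:
            findings.append("ssl.server.exclude.cipher.list is empty, weak suites stay enabled")
        findings += [f"{s!r} in ssl.server.exclude.cipher.list is not a suite name" for s in suites
                     if not s.startswith(("TLS_", "SSL_"))]
    return findings

def hadoop_xml(pairs):
    """Build a <configuration> document from (name, value) pairs (constructed test input)."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"

# Constructed samples: hdfs-site.xml still allowing HTTP; ssl-server.xml lacking the key password, with a typo.
SAMPLE_HDFS_SITE = hadoop_xml([("dfs.datanode.address", "0.0.0.0:61004"), ("dfs.http.policy", "HTTP_AND_HTTPS")])
SAMPLE_SSL_SERVER = hadoop_xml([
    ("ssl.server.truststore.location", "/var/opt/ssl/CA/private/truststore"),
    ("ssl.server.keystore.location", "/var/opt/ssl/CA/private/keystore"),
    ("ssl.server.keystore.password", "123456"),
    ("ssl.server.exclude.cipher.list", "TLS_ECDHE_RSA_WITH_RC4_128_SHA,\n  RSA_WITH_RC4_128_MD5")])
if __name__ == "__main__":
    for finding in check_hdfs_site(parse_hadoop_xml(SAMPLE_HDFS_SITE)) + check_ssl_file("ssl.server.", parse_hadoop_xml(SAMPLE_SSL_SERVER)):
        print(finding)
```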