Use the manageSSLKeys.sh utility to create and manage SSL certificates.
Syntax
# /opt/mapr/server/manageSSLKeys.sh
manageSSLKeys.sh is a tool to create and manage the SSL certificates. It is run once on the first node from configure.sh
Usage: manageSSLKeys and one of
  create [-d DNSDOMAIN] [-N clustername] [-p password] -ug <maprUserGroup>
      creates the SSL key and trust stores needed for HTTPS traffic
      -d specifies DNS domain used in wildcard certificate. Default
         is detected from Local OS
      -N clustername
      -p password or file containing password
      -ug MapR user/group, e.g., mapr:mapr
  merge <in trust store> <out trust store> [inPasswordFile (needed to override default password)]
      merges the certificates from the in trust store into the existing out trust store
  copytruststore <outputFile> [password (needed to override default password)]
  copywithconfiguredpassword <srcStore> <destStore> <srcPassword>
  createrandompassword [oldPassword (needed to override default password)]
  createusercerts [-p password] [-N <clustername> ] [-d DNSDOMAIN ] -ug <maprUserGroup>
      -N <clustername>
      -d specifies DNS domain used in wildcard certificate. Default
         is detected from Local OS
      -p password or file containing password
      -ug MapR user/group, e.g., mapr:mapr
  convert [-N <clustername> ] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
      converts an existing key/trust store into a new PEM type key/trust store
      if srcType and dstType are not specified, it is assumed that you are
      converting from JKS to PEM(via pkcs12)
      -N <clustername>
      -a denotes the certificate alias you want to convert
      -k denotes you are converting a keystore
      -p <passwd> store password - needed if you are converting custom stores
      -srcType JKS|pkcs12 denotes the source format of the store
      -dstType JKS|pkcs12 denotes the destination format of the store
Operations
manageSSLKeys.sh performs the following operations:
- create
  - Description: Creates the SSL key and trust stores needed for HTTPS traffic.
  - Format:
    create [-d DNSDOMAIN] [-N clustername] [-p password] -ug <maprUserGroup>
  - Parameters:
    - d: DNS domain used for the wildcard certificate. The default domain is detected from the Local OS.
    - N: Name of the cluster.
    - p: Password to use for the SSL key.
    - ug: User:Group to use for the key. For example: mapr:mapr.
- merge
  - Description: Merges the SSL certificates from the in trust store into the existing out trust store.
  - Format:
    merge <in trust store> <out trust store> [inPasswordFile]
  - Parameters:
    - in trust store: Source trust store from which to obtain the SSL certificates.
    - out trust store: Destination trust store to merge the SSL certificates.
    - inPasswordFile: File containing the password for the source trust store.
- copytruststore
  - Description: Makes a copy of the existing trust store on the node on which this command is run.
  - Format:
    copytruststore <outputFile> [password]
  - Parameters:
    - outputFile: The file in which to store the copy of the trust store.
    - password: The password of the trust store being copied.
- copywithconfiguredpassword
  - Description: Copies the source trust store to the destination trust store and secures the destination with the existing destination trust store password.
  - Format:
    copywithconfiguredpassword <srcStore> <destStore> <srcPassword>
  - Parameters:
    - srcStore: Source trust store to copy.
    - destStore: Destination trust store.
    - srcPassword: The password of the source trust store.
- createusercerts
  - Description: Creates SSL user certificates.
  - Format:
    createusercerts [-p password] [-N <clustername>] [-d DNSDOMAIN] -ug <maprUserGroup>
  - Parameters:
    - p: Password to use for the SSL user certificate.
    - N: Name of the cluster.
    - d: DNS domain used for the wildcard certificate. The default domain is detected from the Local OS.
    - ug: User:Group to use for the certificate. For example: mapr:mapr.
- convert
  - Description: Converts an existing key/trust store into a new PEM type key/trust store. If you do not specify the type of the source and the destination key/trust store, it is assumed that you are converting from JKS to PEM (via pkcs12).
  - Format:
    convert [-N <clustername>] [-k] [-n] [-p <passwd>] [-srcType JKS|pkcs12] [-dstType JKS|pkcs12] <in key/trust store> <out key/trust store>
  - Parameters:
    - N: Cluster name.
    - a: Certificate alias to convert.
    - k: Indicates that a keystore is being converted.
    - p: Password of the existing key/trust store.
    - srcType: Format of the source key/trust store - either JKS or pkcs12.
    - dstType: Format of the destination key/trust store - either JKS or pkcs12.
    - in key/trust store: The existing key/trust store to convert.
    - out key/trust store: The name to use for the converted key/trust store.
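Added example (not from the original page or the MapR tooling): because -p for create accepts a file containing the password, the store password can be kept out of the process argument list, where other local users could read it. The helper names, temp-file location and sample values are assumptions, and the file is assumed to hold only the password.

```shell
#!/bin/sh
# Added example: pass the store password to "create" as a 0600 file
# instead of a literal on the command line.
# Assumptions (not from the page): helper names, temp-file location,
# sample cluster/domain values, file contains only the password.

TOOL=/opt/mapr/server/manageSSLKeys.sh   # path shown in the Syntax section

# Create a private file holding a random password and print its path.
make_password_file() {
    pwfile=$(mktemp "${TMPDIR:-/tmp}/sslpw.XXXXXX") || return 1
    chmod 600 "$pwfile"            # owner read/write only
    # 24 random bytes rendered as 48 hex characters, no trailing newline
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$pwfile"
    printf '%s\n' "$pwfile"
}

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run "create" with the password file; only the file path appears in argv.
# Returns 2 if the file is unsafe or empty, 3 if the tool is missing.
create_stores() {
    pwfile=$1 cluster=$2 domain=$3 usergroup=$4
    [ "$(file_mode "$pwfile")" = "600" ] || {
        echo "refusing: $pwfile is not mode 0600" >&2; return 2; }
    [ -s "$pwfile" ] || { echo "refusing: $pwfile is empty" >&2; return 2; }
    [ -x "$TOOL" ] || { echo "not found: $TOOL" >&2; return 3; }
    "$TOOL" create -d "$domain" -N "$cluster" -p "$pwfile" -ug "$usergroup"
}

# Example run (constructed values):
#   pw=$(make_password_file)
#   create_stores "$pw" my.cluster.com example.com mapr:mapr
```

Keep the password file on storage only the MapR administrative user can read, since the same password is needed later for operations such as convert.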
Examples
The following links demonstrate using the manageSSLKeys.sh utility.