
Disable all SSL certificates and go back to the initial state


Disable all SSL certificates and go back to the initial state.

1. All steps are done as the ‘root’ user.

2. If you have passwordless ssh set up on all nodes you can run dcli from any node; otherwise run the dcli commands on Node 1.

3. When you get to the point of restarting the CM server, do that on the node with the CM role (Node 3 by default).

4. Make sure to run the regenerate script on Node 3.

1. On Node 1, back up the existing security directory:
# dcli -C "cp -r -p /opt/cloudera/security /opt/cloudera/security.BAK_`date +%d%b%Y%H%M%S`"

2. Verify there is a backed up file:
# dcli -C ls -ltrd /opt/cloudera/security*

3. Execute the script that renews the default certificates:

*********Perform all steps as ‘root’ user on Node 3*****************

a) Download and copy the regenerate.sh script to the node with the Cloudera
Manager role; this is Node 3 by default.

You can download it to any directory. For example /tmp.

b) Give execute permissions to the script.

# chmod a+x /tmp/regenerate.sh

#########################################################################################################################
# Script should not be used for renewing a user's self-signed certificates. The script renews only BDA default certificates. #
#########################################################################################################################

#!/usr/bin/bash -x
# Regenerates the BDA default (self-signed) certificates for every cluster node.
# Run as root on the Cloudera Manager node; the CM admin password is the first argument.
export CMUSR="admin"
if [[ -z $CMPWD ]]; then
export CMPWD="$1"
if [[ -z $CMPWD ]]; then
echo "INFO: Since no CM password was given nothing can be done"
exit 0
fi
fi
# Keystore/truststore locations and passwords are cluster-wide, so they are read once here
# and expanded locally before each ssh command is sent.
key_loc=`bdacli getinfo cluster_https_keystore_path`
key_password=`bdacli getinfo cluster_https_keystore_password`
trust_password=`bdacli getinfo cluster_https_truststore_password`
trust_loc=`bdacli getinfo cluster_https_truststore_path`
firstnode=(`json-select --jpx="MAMMOTH_NODE" /opt/oracle/bda/install/state/config.json`)
nodenames=(`json-select --jpx="RACKS/NODE_NAMES" /opt/oracle/bda/install/state/config.json`)
# Each node's key is stored under an alias equal to that node's own hostname, so $HOSTNAME
# is escaped (\$HOSTNAME) to be expanded by the remote shell, not by this script's shell.
for node in "${nodenames[@]}"
do
# Extract the node's existing private key from the JKS keystore via a temporary PKCS12 file.
ssh $node "keytool -importkeystore -srckeystore $key_loc -destkeystore /tmp/nodetmp.p12 -deststoretype PKCS12 -srcalias \$HOSTNAME -srcstorepass $key_password -srckeypass $key_password -destkeypass $key_password -deststorepass $key_password"
ssh $node "openssl pkcs12 -in /tmp/nodetmp.p12 -nodes -nocerts -out privateKey.pem -passin pass:$key_password -passout pass:$key_password"
# Issue a new 20-year self-signed certificate for the same key and import it over the old alias.
ssh $node 'openssl req -x509 -new -nodes -key privateKey.pem -sha256 -days 7300 -out newCert.pem -subj "/C=/ST=/L=/O=/CN=${HOSTNAME}"'
ssh $node "keytool -import -keystore $key_loc -file newCert.pem -alias \$HOSTNAME -storepass $key_password -keypass $key_password"
ssh $node "/usr/java/latest/bin/keytool -exportcert -keystore $key_loc -alias \$HOSTNAME -storepass $key_password -file /opt/cloudera/security/jks/node.cert"
ssh $node "scp /opt/cloudera/security/jks/node.cert root@${firstnode}:/opt/cloudera/security/jks/node_\${HOSTNAME}.cert"
# Remove temporary material and the old x509 PEM copies before re-exporting them.
ssh $node "rm -f /tmp/nodetmp.p12; rm -f privateKey.pem; rm -f newCert.pem; rm -f /opt/cloudera/security/x509/node.key; rm -f /opt/cloudera/security/x509/node.cert; rm -f /opt/cloudera/security/x509/node_*pem"
ssh $node "/usr/java/latest/bin/keytool -importkeystore -srckeystore $key_loc -srcstorepass $key_password -srckeypass $key_password -destkeystore /tmp/\${HOSTNAME}-keystore.p12 -deststoretype PKCS12 -srcalias \$HOSTNAME -deststorepass $key_password -destkeypass $key_password -noprompt"
ssh $node "openssl pkcs12 -in /tmp/\${HOSTNAME}-keystore.p12 -passin pass:${key_password} -nokeys -out /opt/cloudera/security/x509/node.cert"
ssh $node "openssl pkcs12 -in /tmp/\${HOSTNAME}-keystore.p12 -passin pass:${key_password} -nocerts -out /opt/cloudera/security/x509/node.key -passout pass:${key_password}"
# Hue needs an unencrypted copy of the key.
ssh $node "openssl rsa -in /opt/cloudera/security/x509/node.key -passin pass:${key_password} -out /opt/cloudera/security/x509/node.hue.key"
ssh $node "chown hue /opt/cloudera/security/x509/node.key"
ssh $node "chown hue /opt/cloudera/security/x509/node.cert"
ssh $node "chown hue /opt/cloudera/security/x509/node.hue.key"
done

# Rebuild the cluster truststore and the Hue truststore from the collected node certificates
# on the first node, then distribute them to all nodes.
create=`ls /opt/cloudera/security/jks/ | grep "create"`
ssh $firstnode "rm -f $trust_loc"
ssh $firstnode "/opt/cloudera/security/jks/./${create} $trust_password"
ssh $firstnode "/opt/cloudera/security/x509/./create_hue.truststore.pl $trust_password"
ssh $firstnode "dcli -C -f $trust_loc -d $trust_loc"
ssh $firstnode "dcli -C -f /opt/cloudera/security/x509/hue.pem -d /opt/cloudera/security/x509/hue.pem"
# Export this (CM) node's new certificate as agents.pem and distribute it to all agents.
rm -f /opt/cloudera/security/jks/cm_key.der
rm -f /opt/cloudera/security/x509/agents.pem
/usr/java/latest/bin/keytool -exportcert -keystore $key_loc -alias $HOSTNAME -storepass $key_password -file /opt/cloudera/security/jks/cm_key.der
openssl x509 -out /opt/cloudera/security/x509/agents.pem -in /opt/cloudera/security/jks/cm_key.der -inform der
scp /opt/cloudera/security/x509/agents.pem root@${firstnode}:/opt/cloudera/security/x509/agents.pem
ssh $firstnode dcli -C -f /opt/cloudera/security/x509/agents.pem -d /opt/cloudera/security/x509/agents.pem

c) Run the script, passing the Cloudera Manager admin password as the argument:

# /tmp/regenerate.sh <cm_admin_password>

d) Upload the output to the SR for review.

4. Once the script execution is completed, restart the Cloudera Manager server
and agents.

a) Stop Cloudera Manager Agents.

# dcli -C service cloudera-scm-agent stop

b) Restart the Cloudera Manager server (on Node 3):

# service cloudera-scm-server restart

c) Verify with:
# service cloudera-scm-server status

d) Start Cloudera Manager Agents.
# dcli -C service cloudera-scm-agent start

e) Verify with:
# dcli -C service cloudera-scm-agent status

5. Make sure there are no SSL warnings in the Cloudera Manager Server log:

/var/log/cloudera-scm-server/cloudera-scm-server.log

You can also follow it live with:
tail -f /var/log/cloudera-scm-server/cloudera-scm-server.log

and then also upload
/var/log/cloudera-scm-server/cloudera-scm-server.log to the SR for review.

6. In CM:
a) Restart the Management services and wait until they are healthy.
b) Restart the Cluster services.

7. Certificate validity can be checked using keytool or openssl commands.

a) with keytool
# keytool -printcert -file /opt/cloudera/security/x509/agents.pem

b) with openssl (against the Cloudera Manager HTTPS port on the CM node):
echo | openssl s_client -connect <cm-server-host>:7183 2>/dev/null | openssl x509 -noout -subject -dates
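An added helper, not part of the original post, that turns the output of the two validity checks in step 7 into a pass/fail result: it parses the notBefore/notAfter lines from `openssl x509 -dates` and the "Valid from ... until ..." line from `keytool -printcert`, reports the lifetime (the script issues certificates for 7300 days), and flags certificates that are expired or close to expiry. The sample outputs are constructed; both tools are assumed to print timestamps in UTC/GMT.

```python
import re
from datetime import datetime, timedelta

# openssl x509 -noout -dates prints e.g. "notAfter=Dec 31 10:22:33 2043 GMT"
_OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"
# keytool -printcert prints one line: "Valid from: Fri Jan 05 10:22:33 UTC 2024 until: Thu Dec 31 10:22:33 UTC 2043"
_KEYTOOL_RE = re.compile(
    r"Valid from: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
    r" until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
)

def parse_openssl_dates(text):
    """Return (not_before, not_after) from `openssl x509 -noout -subject -dates` output."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return (datetime.strptime(fields["notBefore"].strip(), _OPENSSL_FMT),
            datetime.strptime(fields["notAfter"].strip(), _OPENSSL_FMT))

def parse_keytool_validity(text):
    """Return (not_before, not_after) from `keytool -printcert` output (timezone token ignored)."""
    m = _KEYTOOL_RE.search(text)
    if not m:
        raise ValueError("no 'Valid from ... until ...' line in keytool output")
    fmt = "%b %d %H:%M:%S %Y"
    return (datetime.strptime(f"{m.group(1)} {m.group(2)}", fmt),
            datetime.strptime(f"{m.group(3)} {m.group(4)}", fmt))

def lifetime_days(not_before, not_after):
    """Total validity period; the regenerate script issues certificates for 7300 days."""
    return (not_after - not_before).days

def assess(not_before, not_after, now, warn_days=30):
    """Classify the window relative to `now`: not-yet-valid, expired, expiring or ok."""
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring"
    return "ok"

def same_window(a, b):
    """True when the cert on port 7183 and the agents.pem copy share the same validity window."""
    return a == b

# Constructed sample outputs (hostname is a placeholder) for a freshly regenerated certificate.
OPENSSL_SAMPLE = "subject=CN = bda1node03.example.com\nnotBefore=Jan  5 10:22:33 2024 GMT\nnotAfter=Dec 31 10:22:33 2043 GMT\n"
KEYTOOL_SAMPLE = "Owner: CN=bda1node03.example.com\nValid from: Fri Jan 05 10:22:33 UTC 2024 until: Thu Dec 31 10:22:33 UTC 2043\n"
```

A mismatch between the two windows after a restart means the CM server is still serving the old certificate or agents.pem was not redistributed, which is exactly what step 5's log check would surface as SSL warnings.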
