在 hadoop1 上生成 CA，并把 CA 证书拷贝至 hadoop2、hadoop3（下文按原文同时拷贝了 CA 私钥，见脚本内说明）。
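# Step 1 -- run on hadoop1 only: create a private CA and distribute it to the other nodes.
cd /etc/https || exit 1

# Write the CA private key with restrictive permissions from the start. openssl
# honours the umask, so the default would leave hdfs_ca_key world-readable.
umask 077

# Self-signed CA certificate + encrypted private key (openssl prompts for a PEM
# pass phrase; the later signing step asks for it again). 9999 days (~27 years)
# is far beyond any sane rotation period -- shorten it outside throwaway test clusters.
openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 \
  -subj '/C=CN/ST=beijing/L=chaoyang/O=lecloud/OU=dt/CN=jenkin.com'

# Only hdfs_ca_cert needs to be on every node. The CA *private key* is copied too
# because the per-node step in this guide signs each CSR locally with
# "openssl x509 -req -CAkey hdfs_ca_key". Prefer signing the CSRs centrally on
# hadoop1 and dropping hdfs_ca_key from this copy: with the key on every
# DataNode, one compromised node can mint certificates the whole cluster trusts.
for node in hadoop2 hadoop3; do
  scp -p hdfs_ca_key hdfs_ca_cert "${node}:/etc/https/"
done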
在每一台机器上生成 keystore 和 truststore
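# Step 2 -- run on every node, in /etc/https: build this node's keystore and the shared truststore.
# The certificate CN must be the node's FQDN (clients normally check it against the
# hostname they connect to). The original left ${fqdn} unset; set it beforehand to
# override, otherwise fall back to the local FQDN.
fqdn=${fqdn:-$(hostname -f)}

# Generate the node key pair. keytool prompts for the keystore and key passwords;
# they must match ssl.server.keystore.password / .keypassword in ssl-server.xml.
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 \
  -dname "CN=${fqdn}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"

# The truststore holds only the CA certificate, so every node trusts any cert the CA signed.
keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert

# Create a certificate signing request for the node key (the original called this
# "exporting the cert"; -certreq produces a CSR, not a certificate).
keytool -certreq -alias localhost -keystore keystore -file cert

# Sign the CSR with the CA. This is the only command that needs hdfs_ca_key; run it
# on the CA host instead if you want to keep the CA key off the DataNodes.
# NOTE(review): no subjectAltName is set. Clients that require SAN instead of CN
# will reject this certificate; pass an -extfile with a SAN extension if needed.
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial

# Import the chain into the keystore: CA certificate first, then the signed node
# certificate under the same alias as the private key so keytool can pair them.
keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
keytool -keystore keystore -alias localhost -import -file cert_signed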
将最终的 keystore、truststore 放入合适的目录，并加上 .jks 后缀
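# Step 3 -- install the stores where ssl-server.xml / ssl-client.xml expect them (with the .jks suffix).
cp keystore   /etc/https/keystore.jks
cp truststore /etc/https/truststore.jks

# keystore.jks contains this node's private key: it must not be readable by other
# local users. chown both files to the account the NameNode/DataNode (and any
# distcp client) run as, since that account has to open them.
chmod 600 /etc/https/keystore.jks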
hdfs-site.xml
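<!--
  hdfs-site.xml: dfs.http.policy selects which web endpoints the NameNode and
  DataNode expose. HTTP_AND_HTTPS only ADDS the HTTPS listener; the plaintext
  HTTP endpoint stays open, so it does not harden anything by itself. Switch to
  HTTPS_ONLY once every client trusts hdfs_ca_cert. The original note says that
  a co-located DataNode/NameNode deployment needs HTTPS_ONLY.
-->
<property>
  <name>dfs.http.policy</name>
  <!-- namenode configure (as in the original) -->
  <value>HTTP_AND_HTTPS</value>
  <!-- datanode configure (as in the original): <value>HTTPS_ONLY</value> -->
</property>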
配置ssl-client.xml
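<!--
  ssl-client.xml: TLS settings used on the client side (distcp, and daemons
  acting as HTTPS clients towards other nodes).

  SECURITY NOTE: every password below is the demo value "adminadmin", stored in
  cleartext and shared by all stores on all nodes. Replace it with a strong value
  that matches what was typed at the keytool prompts, and keep this file readable
  only by the accounts that run Hadoop -- whoever can read it can also open
  keystore.jks and use the node's private key.
-->
<configuration>
  <property>
    <name>ssl.client.truststore.location</name>
    <value>/etc/https/truststore.jks</value>
    <description>Truststore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.truststore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.client.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.client.keystore.location</name>
    <value>/etc/https/keystore.jks</value>
    <description>Keystore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.keystore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.keypassword</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>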
ssl-server.xml
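<!--
  ssl-server.xml: TLS settings for the NameNode and DataNode HTTPS listeners.

  SECURITY NOTE: the passwords below are the demo value "adminadmin", in
  cleartext, identical for keystore, key and truststore on every node. Use a
  strong value matching what was entered at the keytool prompts, and restrict
  this file to the accounts that run the HDFS daemons -- it unlocks the node's
  private key in keystore.jks.
-->
<configuration>
  <property>
    <name>ssl.server.truststore.location</name>
    <value>/etc/https/truststore.jks</value>
    <description>Truststore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.truststore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.server.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.server.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.server.keystore.location</name>
    <value>/etc/https/keystore.jks</value>
    <description>Keystore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>adminadmin</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>adminadmin</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>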
hadoop https配置
原文地址:http://www.cnblogs.com/kisf/p/7573561.html