drill-issues mailing list archives

From "Keys Botzum (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-5030) Drill SSL Docs have Bad Link to Oracle Website
Date Thu, 10 Nov 2016 16:06:58 GMT

[ https://issues.apache.org/jira/browse/DRILL-5030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15654422#comment-15654422 ]

Keys Botzum commented on DRILL-5030:

The Oracle page referenced is likely just defining the three parameters - basically their
meaning. Obviously the link should be fixed, but that's separate from asking for a detailed
example of creating certs.

My concern about an example is that this is much harder than it appears, as there are many,
many different ways to get a certificate. What's really key is to explain clearly what Drill
expects to be in the JKS file (the docs are not clear) and then perhaps provide a simple example
using a well-known CA to get a sample cert, but realistically that example will only be accurate
for a small set of users. That's why it is so important to explain clearly what Drill expects
in the JKS file.

Also, since you asked, here is an internal document from MapR that describes how to replace
the MapR self-signed certificate. A similar approach should work with Drill:

XXXX was kind enough to share the steps he went through to replace the default ssl_keystore
and ssl_truststore with CA-issued certificates. There is no real improvement in security from
doing this, but many customers prefer to use CA-issued certificates as it does improve the
user experience.

1. 1-node cluster on mapr50.hadoopone.com is running in secure mode already.  configure.sh
was run setting mapr50.hadoopone.com (FQDN) as CLDB, ZK, HS, and RM.

2. The cert generated by GoDaddy is a wildcard cert for the *.hadoopone.com domain and consists of
a7d2eaede47dbc19.crt (wildcard host cert), gd_bundle-g2-g1.crt (cert chain that leads up to
the GoDaddy signer), and hadoopone.key (RSA key). All files are stored in the home directory of root.

3. an entry in hosts file of laptop was created for mapr50.hadoopone.com (so that MCS doesn't
prompt "continue at your own risk?"), or this host resolves in DNS.

PROCEDURE (all commands run as root user)
1. stop the cluster

service mapr-warden stop
[Note: no need to stop ZK as it doesn’t use certificates]

2. check contents of certificate issued by godaddy

keytool -printcert -file ~/a7d2eaede47dbc19.crt
openssl x509 -noout -text -in ~/a7d2eaede47dbc19.crt

3. check cert chain issued by godaddy

keytool -printcert -file ~/gd_bundle-g2-g1.crt 

4. check RSA key issued by godaddy

openssl rsa -noout -text -in ~/hadoopone.key

5. create PKCS12 certificate to import 

openssl pkcs12 -export -in ~/a7d2eaede47dbc19.crt -inkey ~/hadoopone.key -out ~/hadoopone_com.pk12 \
    -name 'mapr50.hadoopone.com' -CAfile ~/gd_bundle-g2-g1.crt -chain -passout pass:mapr123

6. check PKCS12 certificate you just generated

keytool -list -keystore ~/hadoopone_com.pk12 -storepass mapr123 -storetype PKCS12 

7. import PKCS12 certificate in keystore

keytool -importkeystore -noprompt -deststorepass mapr123 -destkeystore ~/ssl_keystore \
    -srckeystore ~/hadoopone_com.pk12 -srcstoretype PKCS12 -srcstorepass mapr123

8. list certs in the keystore

keytool -list -v -keystore ~/ssl_keystore -storepass mapr123 

9. import certificate chain into truststore

keytool -importcert -storepass mapr123 -keystore ~/ssl_truststore -file ~/gd_bundle-g2-g1.crt \
    -alias godaddy

10. list certs in the trust store

keytool -list -keystore ~/ssl_truststore -storepass mapr123 

11. copy the modified keystore and truststore back to /opt/mapr/conf

cp ~/ssl_keystore /opt/mapr/conf
cp ~/ssl_truststore /opt/mapr/conf

12. restart the cluster

service mapr-zookeeper start
service mapr-warden start

13. test
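As an added check for step 13 (this is example code, not part of the comment or the MapR document): the listing from step 8 is what tells you whether the keystore holds what a Java server needs, namely a PrivateKeyEntry whose chain starts at a cert covering the FQDN and links up to the CA. The script below parses that listing and reports the common mistakes; the sample listing is constructed, with placeholder dates.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v -keystore ~/ssl_keystore` output (step 8); placeholder dates.
SAMPLE_LISTING = """\
Alias name: mapr50.hadoopone.com
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=*.hadoopone.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, O=GoDaddy.com Inc., C=US
Valid from: Wed Nov 02 10:00:00 UTC 2016 until: Fri Nov 02 10:00:00 UTC 2018
Certificate[2]:
Owner: CN=Go Daddy Secure Certificate Authority - G2, O=GoDaddy.com Inc., C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O=GoDaddy.com Inc., C=US
Valid from: Tue May 03 07:00:00 UTC 2011 until: Sat May 03 07:00:00 UTC 2031
"""
# One match per certificate in the chain: owner CN, issuer CN, not-before, not-after.
CERT_RE = re.compile(r"Owner: CN=([^,\n]+).*?\nIssuer: CN=([^,\n]+).*?\n"
                     r"Valid from: (.+?) until: (.+?)\n", re.S)

def parse_date(s):
    """Parse keytool's date format (as printed under the C locale) as UTC."""
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Z %Y").replace(tzinfo=timezone.utc)

def cn_matches(cn, fqdn):
    """Exact match, or a single-label wildcard (*.hadoopone.com covers mapr50.hadoopone.com)."""
    if cn.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == cn[2:]
    return cn == fqdn

def check_keystore_listing(text, fqdn, now=None):
    """Return the problems found in a `keytool -list -v` listing; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    certs = [(o, i, parse_date(a), parse_date(b)) for o, i, a, b in CERT_RE.findall(text)]
    problems = []
    if "Entry type: PrivateKeyEntry" not in text:
        problems.append("no PrivateKeyEntry: the private key was not imported (step 7)")
    if not certs:
        return problems + ["no certificates in the listing"]
    if not cn_matches(certs[0][0], fqdn):
        problems.append(f"leaf CN {certs[0][0]!r} does not cover {fqdn}")
    if len(certs) < 2:
        problems.append("only the leaf is present: the CA chain was not bundled in (step 5)")
    for (_, issuer, _, _), (owner, _, _, _) in zip(certs, certs[1:]):
        if issuer != owner:
            problems.append(f"chain break: issuer {issuer!r} != next owner {owner!r}")
    for owner, _, not_before, not_after in certs:
        if not not_before <= now <= not_after:
            problems.append(f"{owner!r} is not valid on {now:%Y-%m-%d}")
    return problems
```

Feed it the real output of `keytool -list -v -keystore /opt/mapr/conf/ssl_keystore -storepass mapr123` and the cluster FQDN; anything it returns is a reason the cluster will not come up cleanly in step 12.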

> Drill SSL Docs have Bad Link to Oracle Website
> ----------------------------------------------
>                 Key: DRILL-5030
>                 URL: https://issues.apache.org/jira/browse/DRILL-5030
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 1.8.0
>            Reporter: John Omernik
> When going to set up custom SSL certs on Drill, I found that the link to the Oracle website
> was broken on this page: https://drill.apache.org/docs/configuring-web-console-and-rest-api-security/
> at:
> As cluster administrator, you can set the following SSL configuration parameters in the
> conf/drill-override.conf file, as described in the Java product documentation:
> Obviously fixing the link is one option, another would be to provide instructions for
> SSL certs directly in the drill docs so we are not reliant on Oracle's website.
> Thanks!

This message was sent by Atlassian JIRA
