- CCM-ZK部署
- 获取口令密文(在每台ZooKeeper服务端节点执行)。
cat /opt/gcache/secure/Certs/identity.ks
密文内容格式如下:
AAAAAgAAAAAAAAAAAAAAAQAAAAmfTmJhF91SS6/7xEZldZErWUrkuRtyiFbjfM0gAAAAAAEAAAEAAAAAAAAAGr2WPWfiMhmqBd1w/bsAfJ2q+QBtJbC0EsBJ
- 修改ZooKeeper配置文件(在每台ZooKeeper服务端节点执行)。
vi /opt/apache-zookeeper-3.6.3-bin/conf/zoo.cfg
在ZooKeeper的每个server节点下,修改zoo.cfg,增加以下字段。secureClientPort=2281 ssl.protocol=TLSv1.2 ssl.enabledProtocols=TLSv1.2 ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory ssl.keyStore.location= /opt/gcache/secure/Certs/keystore.jks ssl.keyStore.password= #步骤1获取到的口令密文 ssl.trustStore.location= /opt/gcache/secure/Certs/truststore.jks ssl.trustStore.password= #步骤1获取到的口令密文 ssl.switch=on #on表示密码配置密文有效,off表示密码配置明文无效删除以下字段
clientPort=2181
- 拷贝kmc密钥至ZooKeeper配置文件目录(在每台ZooKeeper服务端节点执行)。
mkdir -p /opt/apache-zookeeper-3.6.3-bin/conf/keystore/ chmod 750 /opt/apache-zookeeper-3.6.3-bin/conf/keystore/ cp /opt/gcache/secure/kmc/kmc.primary.ks /opt/apache-zookeeper-3.6.3-bin/conf/keystore/zk_kmc_primary.ks cp /opt/gcache/secure/kmc/kmc.standby.ks /opt/apache-zookeeper-3.6.3-bin/conf/keystore/zk_kmc_standby.ks
- 安装ZooKeeper安全加固补丁,将补丁boostkit-zk-secure.tar.gz上传到目录/opt/apache-zookeeper-3.6.3-bin,执行下如下命令安装(在每台ZooKeeper服务端节点执行)。
cd /opt/apache-zookeeper-3.6.3-bin tar xvf boostkit-zk-secure.tar.gz cp /opt/apache-zookeeper-3.6.3-bin/build/jar/one-track-4-kmc-21.0.2.jar /opt/apache-zookeeper-3.6.3-bin/lib/one-track-4-kmc-21.0.2.jar cp /opt/apache-zookeeper-3.6.3-bin/build/jar/boostkit-globalcache-zk-21.0.0.jar /opt/apache-zookeeper-3.6.3-bin/lib/boostkit-globalcache-zk-21.0.0.jar
- 修改ZooKeeper启动脚本zkServer.sh(在每台Zookeeper服务端节点执行)。
sed -ri 's|org.apache.zookeeper.server.quorum.QuorumPeerMain|com.huawei.kunpeng.zookeeper.KunpengQuorumPeerMain|g' /opt/apache-zookeeper-3.6.3-bin/bin/zkServer.sh
- 将新增文件的权限赋给globalcacheop用户。
chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin/conf/keystore/* chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin/lib/*
- 重启ZooKeeper(在每台ZooKeeper服务端节点执行)。
1 2 3
cd /opt/apache-zookeeper-3.6.3-bin/bin sh zkServer.sh stop sh zkServer.sh start
- 修改Global Cache配置文件(在所有节点执行)。
vi /opt/gcache/conf/gcache.conf
修改确认如下配置项(参考客户端和服务端中gcache.conf中的security单元下的配置根据环境进行更改配置)。
[communicate] zk_server_list = ceph1:2281,ceph2:2281,ceph3:2281 #端口号与步骤2中secureClientPort保持一致 [security] tls_status = on kmc_path = /opt/gcache/secure/kmc cert_path = /opt/gcache/secure/Certs
- 获取口令密文(在每台ZooKeeper服务端节点执行)。
- BCM-ZK部署
- 获取口令密文(在每台ZooKeeper服务端节点执行)。
cat /opt/gcache/secure/Certs/identity.ks
密文内容格式如下:
AAAAAgAAAAAAAAAAAAAAAQAAAAmfTmJhF91SS6/7xEZldZErWUrkuRtyiFbjfM0gAAAAAAEAAAEAAAAAAAAAGr2WPWfiMhmqBd1w/bsAfJ2q+QBtJbC0EsBJ
- 修改ZooKeeper配置文件(在每台ZooKeeper服务端节点执行)。
vi /opt/apache-zookeeper-3.6.3-bin-bcm/conf/zoo.cfg
在ZooKeeper的每个server节点下,修改zoo.cfg,增加以下字段。secureClientPort=2282 ssl.protocol=TLSv1.2 ssl.enabledProtocols=TLSv1.2 ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory ssl.keyStore.location= /opt/gcache/secure/Certs/keystore.jks ssl.keyStore.password= #步骤1获取到的口令密文 ssl.trustStore.location= /opt/gcache/secure/Certs/truststore.jks ssl.trustStore.password= #步骤1获取到的口令密文 ssl.switch=on #on表示密码配置密文有效,off表示密码配置明文无效删除以下字段clientPort=2181
- 拷贝kmc密钥至ZooKeeper配置文件目录(在每台ZooKeeper服务端节点执行)。
mkdir -p /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/ chmod 750 /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/ cp /opt/gcache/secure/kmc/kmc.primary.ks /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/zk_kmc_primary.ks cp /opt/gcache/secure/kmc/kmc.standby.ks /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/zk_kmc_standby.ks
- 安装ZooKeeper安全加固补丁,将补丁boostkit-zk-secure.tar.gz上传到目录/opt/apache-zookeeper-3.6.3-bin-bcm,执行下如下命令安装(在每台ZooKeeper服务端节点执行)。
cd /opt/apache-zookeeper-3.6.3-bin-bcm tar xvf boostkit-zk-secure.tar.gz cp /opt/apache-zookeeper-3.6.3-bin-bcm/build/jar/one-track-4-kmc-21.0.2.jar /opt/apache-zookeeper-3.6.3-bin-bcm/lib/one-track-4-kmc-21.0.2.jar cp /opt/apache-zookeeper-3.6.3-bin-bcm/build/jar/boostkit-globalcache-zk-21.0.0.jar /opt/apache-zookeeper-3.6.3-bin-bcm/lib/boostkit-globalcache-zk-21.0.0.jar
- 修改ZooKeeper启动脚本zkServer.sh(在每台Zookeeper服务端节点执行)。
sed -ri 's|org.apache.zookeeper.server.quorum.QuorumPeerMain|com.huawei.kunpeng.zookeeper.KunpengQuorumPeerMain|g' /opt/apache-zookeeper-3.6.3-bin-bcm/bin/zkServer.sh
- 将新增文件的权限赋给globalcache用户。
chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/* chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin-bcm/lib/*
- 重启ZooKeeper(在每台ZooKeeper服务端节点执行)。
1 2 3
cd /opt/apache-zookeeper-3.6.3-bin-bcm/bin sh zkServer.sh stop sh zkServer.sh start
- 修改bcm.xml中的BCM ZK集群配置文件。
vi /opt/gcache/conf/bcm.xml
修改zk_server_list的端口号为2282(bcm.xml的配置方式详见bcm.xml说明)
修改bcm.xml中的zk_server_list后,需要重新执行导入,详见验证Global Cache中的1.c和1.d。
- 获取口令密文(在每台ZooKeeper服务端节点执行)。