Distributing the TLS Certificate

  • Perform operations in this section if you want to enable security.
  • Perform operations in this section only on the management node.
  • For security purposes, you are advised to change the umask value of the O&M account of each node to 077 or a more restrictive value, so that files created by that account are not readable by other users.
  • If kmc_tool operations have been executed in the current environment, delete the KMC semaphore in the cluster environment. Run ipcs to list the IPC resources and confirm that a semaphore with key 0x20161316 exists, then remove it with ipcrm:
    ipcs
    ipcrm -S 0x20161316
  1. Configure a service flow. Select Command Execution and import the obtained certificate.json file. Copy the certificate.json file content in "JSON File Description" and save it as the certificate.json file. For details about the JSON file, see certificate.json.

  2. Update the path of the modified agent_node_list file. For details about how to modify the agent_node_list file, see agent_node_list.
    1. Set the local path to the path of the current configuration file.
    2. Set the remote path for storing the file to the path in the installation directory.

  3. Set the path of CA_node_list.
    1. Set the local path to the path of the current configuration file.
    2. Set the remote path for storing the file to the path in the installation directory.

  4. Set the script parameters.
    • If mutual trust is not established between servers, enter the password of the installation account when the command prompts for it.
    • If mutual trust has been established between servers, input 1 when the command prompts for it. ockadmin is the user name for installing OCK. Replace it with the actual user name.
    • The third parameter in the script is the owner group of ockadmin. Replace it with the actual owner group.
    • sparkadmin is the user name for submitting Spark tasks. Replace it with the actual user name.
      su - ockadmin -c 'bash $OCK_HOME/security/certificate/cert_manager.sh root ockadmin ockadmin sparkadmin'

      Currently, the directories for storing the generated ciphertext are different for the OCK installation user and the user who submits Spark tasks.

      • For the OCK user: $OCK_HOME/security/tls/
      • For the user who submits Spark tasks: ${HOME}/huawei/ock/security/tls

  5. Click Run Service.

  6. Check that the execution is successful.

  7. View the files required for security that are generated after the previous operations are complete.
    • The ${OCK_HOME}/security/tls/server directory exists on the nodes in the agent_node_list file. The directory contains the following files.

      File                      Description
      server.cert.pem           Certificate file of the node.
      server.private.key.pem    Private key of the node.
      ca.cert.pem               CA certificate.
      server.keypass.key        Private key password of the node.

      server
      ├── ca.cert.pem
      ├── server.cert.pem
      ├── server.keypass.key
      └── server.private.key.pem

    • The ${OCK_HOME}/security/tls/CACerts directory exists on the nodes listed in the CA_node_list file. The directory structure is as follows:

      CACerts/
      ├── certs
      │   ├── *.*.*.*.server.cert.pem
      │   ├── *.*.*.*.server.cert.pem
      │   ├── *.*.*.*.server.cert.pem
      │   └── ca.cert.pem
      ├── crl
      ├── csr
      ├── index.txt
      ├── index.txt.attr
      ├── index.txt.attr.old
      ├── index.txt.old
      ├── newcerts
      │   ├── 01.pem
      │   ├── 02.pem
      │   └── 03.pem
      ├── openssl.cnf
      ├── private
      │   └── ca.private.key.pem
      ├── public
      │   └── ca.public.key.pem
      ├── serial
      ├── serial.old
      └── server.keypass.key

    • The CACerts/certs directory contains the certificate files of all the preceding nodes and a CA certificate file. In the preceding directory listing, there are three nodes in agent_node_list, so three server certificates are generated.
    • If there are n nodes in agent_node_list, n server.cert.pem files and one ca.cert.pem file will be generated in CACerts/certs.
    • For security purposes, you are advised to disable remote login as the root user or O&M user after installing and deploying OCK (see SSH Hardening), and perform subsequent operations as the ockadmin user.
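The check in step 7 only confirms that the files exist. As an added example (not part of the OCK documentation or of cert_manager.sh), the helper below goes further: it verifies that server.cert.pem actually chains to the distributed ca.cert.pem, that server.private.key.pem belongs to that certificate, that the private material is not group- or world-readable (the umask 077 advice above), and that CACerts/certs holds exactly n node certificates plus one CA certificate. It assumes openssl is on PATH, the file names listed on this page, and that server.keypass.key contains the passphrase of server.private.key.pem as plain text; the directory paths passed to it are arguments, so it can be pointed at $OCK_HOME/security/tls or at the Spark user's ${HOME}/huawei/ock/security/tls.

```shell
#!/bin/sh
# Added verification helper for the TLS material produced by the certificate
# distribution flow. Not part of OCK; assumes openssl is available and that
# server.keypass.key holds the private key passphrase in plain text.

# verify_server_dir DIR
#   Returns 0 when DIR holds a consistent server certificate, private key,
#   CA certificate and keypass file; prints the first problem found otherwise.
verify_server_dir() {
    dir="$1"
    for f in ca.cert.pem server.cert.pem server.private.key.pem server.keypass.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done

    # The node certificate must be signed by the CA certificate that was distributed with it.
    openssl verify -CAfile "$dir/ca.cert.pem" "$dir/server.cert.pem" >/dev/null 2>&1 \
        || { echo "server.cert.pem is not signed by ca.cert.pem" >&2; return 1; }

    # The private key must belong to the certificate: compare the public keys derived from each.
    pass="$(cat "$dir/server.keypass.key")"
    certpub="$(openssl x509 -in "$dir/server.cert.pem" -noout -pubkey 2>/dev/null)"
    keypub="$(openssl pkey -in "$dir/server.private.key.pem" -passin "pass:$pass" -pubout 2>/dev/null)"
    if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
        echo "server.private.key.pem does not match server.cert.pem" >&2
        return 1
    fi

    # Private material must be readable only by its owner (what umask 077 produces).
    for f in server.private.key.pem server.keypass.key; do
        mode="$(stat -c '%a' "$dir/$f" 2>/dev/null || stat -f '%Lp' "$dir/$f")"
        case "$mode" in
            [0-7]00) ;;
            *) echo "$f has mode $mode; expected 600 or stricter" >&2; return 1 ;;
        esac
    done
    return 0
}

# count_ca_certs CACERTS_DIR EXPECTED_NODES
#   Returns 0 when CACERTS_DIR/certs holds EXPECTED_NODES *.server.cert.pem
#   files plus one ca.cert.pem, as the page states for n nodes in agent_node_list.
count_ca_certs() {
    certs="$1/certs"
    expected="$2"
    [ -f "$certs/ca.cert.pem" ] || { echo "missing $certs/ca.cert.pem" >&2; return 1; }
    got=0
    for f in "$certs"/*.server.cert.pem; do
        [ -f "$f" ] && got=$((got + 1))
    done
    [ "$got" -eq "$expected" ] \
        || { echo "expected $expected node certificates, found $got" >&2; return 1; }
    return 0
}

# Usage, run as the OCK installation user on a node from agent_node_list:
#   verify_server_dir "$OCK_HOME/security/tls/server"
# and on a node from CA_node_list, for three agent nodes:
#   count_ca_certs "$OCK_HOME/security/tls/CACerts" 3
```

Run the first check on every node in agent_node_list and the second on every node in CA_node_list; a mismatch between key and certificate, or a certificate that does not verify against ca.cert.pem, means the distribution step should be repeated before any service is started with security enabled.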