Posted to notifications@accumulo.apache.org by GitBox <gi...@apache.org> on 2020/04/06 17:04:24 UTC
[GitHub] [accumulo] karthick-rn edited a comment on issue #1578: Accumulo master hangs after TLS on ZK
URL: https://github.com/apache/accumulo/issues/1578#issuecomment-609907620
> Also, if you can explain the specific steps you took to configure TLS on ZK, so we can reproduce it, that could be helpful to test in different environments.
**Steps to configure TLS on ZK:**
a) Generate certificates & keystores:
1) Run the below commands on each host & generate a '.crt' file per host
```
# one RSA key pair per host; the alias and the CN are both the host's FQDN
keytool -genkeypair -alias "$(hostname -f)" -keyalg RSA -keysize 2048 -dname "cn=$(hostname -f)" -keypass changeit -keystore keystore.jks -storepass changeit
# export the host's certificate in PEM form so the other hosts can trust it
keytool -exportcert -alias "$(hostname -f)" -keystore keystore.jks -file "$(hostname -f).crt" -rfc -storepass changeit
```
2) Copy the '*.crt' file generated on each host to host1 and generate the truststore.jks as shown below
```
# import every host certificate, using the file name (the host's FQDN) as the alias
for crt in *.crt; do
  name="${crt%.crt}"
  keytool -importcert -alias "$name" -file "$crt" -keystore truststore.jks -storepass changeit -noprompt
done
```
3) Copy "truststore.jks" to all the hosts
```
# push the shared truststore to every host listed in host_list
for host in $(cat host_list); do
  scp truststore.jks "$host:/path/to/truststore/"
done
```
where `host_list` is a file that contains the FQDN of every host, one per line
4) Verify the contents of the truststore.jks & ensure it contains all the hosts in the cluster
`keytool -list -v -keystore truststore.jks`
b) Configurations:
1) Update the server & quorum configs on $ZOOKEEPER_HOME/conf/zoo.cfg
```
# Server configuration
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
# Quorum configuration
sslQuorum=true
ssl.quorum.keyStore.location=/path/to/keystore.jks
ssl.quorum.keyStore.password=changeit
ssl.quorum.trustStore.location=/path/to/truststore.jks
ssl.quorum.trustStore.password=changeit
# the port at which the clients will connect
#clientPort=2181 (Comment or remove the insecure client port)
```
2) Update the client & server configs on $ZOOKEEPER_HOME/bin/zkEnv.sh
```
SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory \
-Dzookeeper.ssl.keyStore.location=/path/to/keystore.jks \
-Dzookeeper.ssl.keyStore.password=changeit \
-Dzookeeper.ssl.trustStore.location=/path/to/truststore.jks \
-Dzookeeper.ssl.trustStore.password=changeit"
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty \
-Dzookeeper.client.secure=true \
-Dzookeeper.ssl.keyStore.location=/path/to/keystore.jks \
-Dzookeeper.ssl.keyStore.password=changeit \
-Dzookeeper.ssl.trustStore.location=/path/to/truststore.jks \
-Dzookeeper.ssl.trustStore.password=changeit"
```
c) Testing
1) Start Zookeeper service on the hosts running ZK
`$ZOOKEEPER_HOME/bin/zkServer.sh start`
2) The following messages in the ZK log confirm the ensemble is running on TLS
```
INFO [main:QuorumPeer@1779] - Using TLS encrypted quorum communication
INFO [main:QuorumPeer@1787] - Port unification disabled
INFO [QuorumPeerListener:QuorumCnxManager$Listener@894] - Creating TLS-only quorum server socket
```
Accumulo (client connection)
The following changes are required in $ACCUMULO_HOME/conf/accumulo-env.sh
```
# ${ZOOKEEPER_HOME}/lib/* is the addition: the wildcard is needed so the jars in
# ZooKeeper's lib/ (Netty among them) are loaded, not just the directory itself
CLASSPATH="${conf}:${lib}/*:${HADOOP_CONF_DIR}:${ZOOKEEPER_HOME}/*:${ZOOKEEPER_HOME}/lib/*"
# added for the TLS client connection to ZK
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty \
-Dzookeeper.client.secure=true \
-Dzookeeper.ssl.keyStore.location=$ZOOKEEPER_HOME/conf/ssl/keystore.jks \
-Dzookeeper.ssl.keyStore.password=hadoop \
-Dzookeeper.ssl.trustStore.location=$ZOOKEEPER_HOME/conf/ssl/truststore.jks \
-Dzookeeper.ssl.trustStore.password=hadoop"
JAVA_OPTS=("${JAVA_OPTS[@]}"
"-Daccumulo.log.dir=${ACCUMULO_LOG_DIR}"
"-Daccumulo.application=${cmd}${ACCUMULO_SERVICE_INSTANCE}_$(hostname)"
"-Daccumulo.metrics.service.instance=${ACCUMULO_SERVICE_INSTANCE}" $CLIENT_JVMFLAGS)  # $CLIENT_JVMFLAGS appended, unquoted so each -D flag becomes its own element
```
Also, change the ZK port from `2181` to `2281` in `accumulo.properties` & `accumulo-client.properties`
**Reference:**
https://zookeeper.apache.org/doc/r3.5.7/zookeeperAdmin.html#Quorum+TLS
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
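Two of the steps above are easy to get subtly wrong: the truststore may be missing a host (step a.4 says to verify it but gives no check), and the plaintext `clientPort` may be left enabled next to `secureClientPort` (step b.1). The following POSIX shell script is an added example, not code from the issue comment or from the Accumulo or ZooKeeper projects: it parses `keytool -list` output to report hosts from `host_list` that have no trusted entry, and flags a zoo.cfg that still serves the insecure port. The `keytool` listing, the host list and the zoo.cfg are constructed sample inputs (hostnames under `example.com` are placeholders); on a real cluster pipe the actual `keytool -list -keystore truststore.jks -storepass ...` output and file contents into the same functions. It relies on the step a.2 convention that each alias equals the host's FQDN, and lowercases both sides because keytool stores aliases case-insensitively.

```shell
#!/bin/sh
# Added example: post-configuration checks for the ZK TLS steps above.
# All inputs below are constructed stand-ins for real files and command output.

# Constructed sample of `keytool -list -keystore truststore.jks -storepass changeit`
# for a truststore that is missing one host.
SAMPLE_KEYTOOL_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

host1.example.com, Apr 6, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
host2.example.com, Apr 6, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11'

# Constructed host_list (one FQDN per line), as used in step a.3.
SAMPLE_HOST_LIST='host1.example.com
host2.example.com
host3.example.com'

# Constructed zoo.cfg where the plaintext clientPort was left enabled.
SAMPLE_ZOO_CFG='tickTime=2000
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
sslQuorum=true
clientPort=2181'

# truststore_aliases: read keytool -list output on stdin and print the alias of
# every trustedCertEntry, lowercased (keytool stores aliases case-insensitively).
truststore_aliases() {
  awk -F', ' '/trustedCertEntry/ { print tolower($1) }'
}

# missing_hosts LISTING HOSTS: print each host from HOSTS (newline-separated)
# that has no trusted entry in LISTING. Prints nothing when the truststore is complete.
missing_hosts() {
  listing=$1
  hosts=$2
  aliases=$(printf '%s\n' "$listing" | truststore_aliases)
  printf '%s\n' "$hosts" | while IFS= read -r h; do
    [ -n "$h" ] || continue
    h=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    printf '%s\n' "$aliases" | grep -qx -- "$h" || printf '%s\n' "$h"
  done
}

# plaintext_port_enabled CFG: succeed (return 0) when an uncommented clientPort=
# line is present alongside secureClientPort=, i.e. the insecure listener would
# still be opened; fail otherwise.
plaintext_port_enabled() {
  cfg=$1
  printf '%s\n' "$cfg" | grep -q '^[[:space:]]*secureClientPort=' || return 1
  printf '%s\n' "$cfg" | grep -q '^[[:space:]]*clientPort='
}

main() {
  missing=$(missing_hosts "$SAMPLE_KEYTOOL_LIST" "$SAMPLE_HOST_LIST")
  if [ -n "$missing" ]; then
    echo "hosts missing from truststore: $missing"
  else
    echo "truststore covers every host in host_list"
  fi
  if plaintext_port_enabled "$SAMPLE_ZOO_CFG"; then
    echo "warning: clientPort is still enabled; comment it out so only secureClientPort is served"
  fi
}

main
```

With the constructed inputs the script reports `host3.example.com` as missing and warns about the enabled `clientPort`; a missing alias is exactly the condition that makes a TLS handshake from that host fail at the quorum or client layer, so running the check on every host before `zkServer.sh start` is cheaper than reading the handshake errors afterwards.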