Help Center/
MapReduce Service/
Component Operation Guide (Normal)/
Using Flink/
Reference/
Example of Issuing a Certificate
Updated on 2022-12-09 GMT+08:00
Example of Issuing a Certificate
Generate the generate_keystore.sh script based on the sample code and save the script to the bin directory on the Flink client.
#!/bin/bash
KEYTOOL=${JAVA_HOME}/bin/keytool
KEYSTOREPATH="$FLINK_HOME/conf/"
CA_ALIAS="ca"
CA_KEYSTORE_NAME="ca.keystore"
CA_DNAME="CN=Flink_CA"
CA_KEYALG="RSA"
CLIENT_CONF_YAML="$FLINK_HOME/conf/flink-conf.yaml"
KEYTABPRINCEPAL=""
function getConf()
{
if [ $# -ne 2 ]; then
echo "invalid parameters for getConf"
exit 1
fi
confName="$1"
if [ -z "$confName" ]; then
echo "conf name is empty."
exit 2
fi
configFile=$FLINK_HOME/conf/client.properties
if [ ! -f $configFile ]; then
echo $configFile" is not exist."
exit 3
fi
defaultValue="$2"
cnt=$(grep $1 $configFile | wc -l)
if [ $cnt -gt 1 ]; then
echo $confName" has multi values in "$configFile
exit 4
elif [ $cnt -lt 1 ]; then
echo $defaultValue
else
line=$(grep $1 $configFile)
confValue=$(echo "${line#*=}")
echo "$confValue"
fi
}
function createSelfSignedCA()
{
#varible from user input
keystorePath=$1
storepassValue=$2
keypassValue=$3
#generate ca keystore
rm -rf $keystorePath/$CA_KEYSTORE_NAME
$KEYTOOL -genkeypair -alias $CA_ALIAS -keystore $keystorePath/$CA_KEYSTORE_NAME -dname $CA_DNAME -storepass $storepassValue -keypass $keypassValue -validity 3650 -keyalg $CA_KEYALG -keysize 3072 -ext bc=ca:true
if [ $? -ne 0 ]; then
echo "generate ca.keystore failed."
exit 1
fi
#generate ca.cer
rm -rf "$keystorePath/ca.cer"
$KEYTOOL -keystore "$keystorePath/$CA_KEYSTORE_NAME" -storepass "$storepassValue" -alias $CA_ALIAS -validity 3650 -exportcert > "$keystorePath/ca.cer"
if [ $? -ne 0 ]; then
echo "generate ca.cer failed."
exit 1
fi
#generate ca.truststore
rm -rf "$keystorePath/flink.truststore"
$KEYTOOL -importcert -keystore "$keystorePath/flink.truststore" -alias $CA_ALIAS -storepass "$storepassValue" -noprompt -file "$keystorePath/ca.cer"
if [ $? -ne 0 ]; then
echo "generate ca.truststore failed."
exit 1
fi
}
function generateKeystore()
{
#get path/pass from input
keystorePath=$1
storepassValue=$2
keypassValue=$3
#get value from conf
aliasValue=$(getConf "flink.keystore.rsa.alias" "flink")
validityValue=$(getConf "flink.keystore.rsa.validity" "3650")
keyalgValue=$(getConf "flink.keystore.rsa.keyalg" "RSA")
dnameValue=$(getConf "flink.keystore.rsa.dname" "CN=flink.com")
SANValue=$(getConf "flink.keystore.rsa.ext" "ip:127.0.0.1")
SANValue=$(echo "$SANValue" | xargs)
SANValue="ip:$(echo "$SANValue"| sed 's/,/,ip:/g')"
#generate keystore
rm -rf $keystorePath/flink.keystore
$KEYTOOL -genkeypair -alias $aliasValue -keystore $keystorePath/flink.keystore -dname $dnameValue -ext SAN=$SANValue -storepass $storepassValue -keypass $keypassValue -keyalg $keyalgValue -keysize 3072 -validity 3650
if [ $? -ne 0 ]; then
echo "generate flink.keystore failed."
exit 1
fi
#generate cer
rm -rf $keystorePath/flink.csr
$KEYTOOL -certreq -keystore $keystorePath/flink.keystore -storepass $storepassValue -alias $aliasValue -file $keystorePath/flink.csr
if [ $? -ne 0 ]; then
echo "generate flink.csr failed."
exit 1
fi
#generate flink.cer
rm -rf $keystorePath/flink.cer
$KEYTOOL -gencert -keystore $keystorePath/ca.keystore -storepass $storepassValue -alias $CA_ALIAS -ext SAN=$SANValue -infile $keystorePath/flink.csr -outfile $keystorePath/flink.cer -validity 3650
if [ $? -ne 0 ]; then
echo "generate flink.cer failed."
exit 1
fi
#import cer into keystore
$KEYTOOL -importcert -keystore $keystorePath/flink.keystore -storepass $storepassValue -file $keystorePath/ca.cer -alias $CA_ALIAS -noprompt
if [ $? -ne 0 ]; then
echo "importcert ca."
exit 1
fi
$KEYTOOL -importcert -keystore $keystorePath/flink.keystore -storepass $storepassValue -file $keystorePath/flink.cer -alias $aliasValue -noprompt;
if [ $? -ne 0 ]; then
echo "generate flink.truststore failed."
exit 1
fi
}
function configureFlinkConf()
{
# set config
if [ -f "$CLIENT_CONF_YAML" ]; then
SSL_ENCRYPT_ENABLED=$(grep "security.ssl.encrypt.enabled" "$CLIENT_CONF_YAML" | awk '{print $2}')
if [ "$SSL_ENCRYPT_ENABLED" = "false" ];then
sed -i s/"security.ssl.key-password:".*/"security.ssl.key-password:"\ "${keyPass}"/g "$CLIENT_CONF_YAML"
if [ $? -ne 0 ]; then
echo "set security.ssl.key-password failed."
return 1
fi
sed -i s/"security.ssl.keystore-password:".*/"security.ssl.keystore-password:"\ "${storePass}"/g "$CLIENT_CONF_YAML"
if [ $? -ne 0 ]; then
echo "set security.ssl.keystore-password failed."
return 1
fi
sed -i s/"security.ssl.truststore-password:".*/"security.ssl.truststore-password:"\ "${storePass}"/g "$CLIENT_CONF_YAML"
if [ $? -ne 0 ]; then
echo "set security.ssl.keystore-password failed."
return 1
fi
echo "security.ssl.encrypt.enabled is false, set security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password success."
else
echo "security.ssl.encrypt.enabled is true, please enter security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password encrypted value in flink-conf.yaml."
fi
keystoreFilePath="${keystorePath}"/flink.keystore
sed -i 's#'"security.ssl.keystore:".*'#'"security.ssl.keystore:"\ "$keystoreFilePath"'#g' "$CLIENT_CONF_YAML"
if [ $? -ne 0 ]; then
echo "set security.ssl.keystore failed."
return 1
fi
truststoreFilePath="${keystorePath}/flink.truststore"
sed -i 's#'"security.ssl.truststore:".*'#'"security.ssl.truststore:"\ "$truststoreFilePath"'#g' "$CLIENT_CONF_YAML"
if [ $? -ne 0 ]; then
echo "set security.ssl.truststore failed."
return 1
fi
command -v sha256sum >/dev/null
if [ $? -ne 0 ];then
echo "sha256sum is not exist, it will produce security.cookie with date +%F-%H-%M-%s-%N."
cookie=$(date +%F-%H-%M-%s-%N)
else
cookie="$(echo "${KEYTABPRINCEPAL}"| sha256sum | awk '{print $1}')"
fi
sed -i s/"security.cookie:".*/"security.cookie:"\ "${cookie}"/g "$CLIENT_CONF_YAML"
if [ $? -ne 0 ]; then
echo "set security.cookie failed."
return 1
fi
fi
return 0;
}
main()
{
#check environment variable is set or not
if [ -z ${FLINK_HOME+x} ]; then
echo "errro: environment variables are not set."
exit 1
fi
stty -echo
read -rp "Enter password:" password
stty echo
echo
KEYTABPRINCEPAL=$(grep "security.kerberos.login.principal" "$CLIENT_CONF_YAML" | awk '{print $2}')
if [ -z "$KEYTABPRINCEPAL" ];then
echo "please config security.kerberos.login.principal info first."
exit 1
fi
#get input
keystorePath="$KEYSTOREPATH"
storePass="$password"
keyPass="$password"
#generate self signed CA
createSelfSignedCA "$keystorePath" "$storePass" "$keyPass"
if [ $? -ne 0 ]; then
echo "create self signed ca failed."
exit 1
fi
#generate keystore
generateKeystore "$keystorePath" "$storePass" "$keyPass"
if [ $? -ne 0 ]; then
echo "create keystore failed."
exit 1
fi
echo "generate keystore/truststore success."
# set flink config
configureFlinkConf "$keystorePath" "$storePass" "$keyPass"
if [ $? -ne 0 ]; then
echo "configure Flink failed."
exit 1
fi
return 0;
}
#the start main
main "$@"
exit 0
Run the sh generate_keystore.sh <password> command. <password> is user-defined.
- If <password> contains the special character $, use the following method to avoid the password being escaped: sh generate_keystore.sh 'Bigdata_2013'.
- The password cannot contain #.
- Before using the generate_keystore.sh script, run the source bigdata_env command in the client directory.
- When the generate_keystore.sh script is used, the absolute paths of security.ssl.keystore and security.ssl.truststore are automatically filled in flink-conf.yaml. Therefore, you need to manually change the paths to relative paths as required. Example:
- Change /opt/client/Flink/flink/conf//flink.keystore to security.ssl.keystore: ssl/flink.keystore.
- Change /opt/client/Flink/flink/conf//flink.truststore to security.ssl.truststore: ssl/flink.truststore.
- Create the ssl folder in any directory on the Flink client. For example, create the ssl folder in the /opt/client/Flink/flink/conf/ directory and save the flink.keystore and flink.truststore files to the ssl folder.
- When you run the yarn-session or flink run -m yarn-cluster command, run the yarn-session.sh -t ssl -d or flink run -m yarn-cluster -yt ssl -d WordCount.jar command in the same directory as the ssl folder.
Parent topic: Reference
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
The system is busy. Please try again later.
