Changing the Cluster Encryption Mode
Scenario
This section describes how to change the encryption mode of a cluster.
Impact on the System
When changing the encryption mode of a cluster, the cluster and OMS node are stopped and cannot be accessed.
Prerequisites
The upper-layer applications depending on the cluster are stopped.
Procedure
- Log in to FusionInsight Manager as user admin.
- In the upper right corner of Homepage, click Stop. In the dialog box displayed, enter the password of the current user for identity confirmation and click OK. Wait for a while until a message indicating that the operation is successful is displayed.
- Log in to the active management node as user root and run the following command to switch to user omm:
su - omm
- Run the following command to check the current encryption mode of the cluster (that is, the value of the defaultAlgorithm parameter in the scc.conf file):
cat $BIGDATA_COMMON/securityforscc/config/scc.conf
For example, the following information indicates that the current cluster is encrypted using the general encryption algorithm.
...... defaultAlgorithm=AES256_GCM ......
- Run the following commands to change the cluster encryption mode, for example, to SMCompatible:
cd $CONTROLLER_HOME/tools
bash updateSysSecretMain.sh -o update -a SMCompatible
For details about the parameters of the script for changing the encryption mode, see Reference Information.
The cryptographic algorithm is successfully changed if the following information is displayed:
start to pre-action(update)
end to pre-action(update)
Operations(update) need to be performed on 3 nodes in the cluster.
start to execute action(update) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
end to execute action(update) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
......
start to post-action(update)
end to post-action(update)
execute action(update) success.
- Run the following command to check the cluster encryption mode:
cat $BIGDATA_COMMON/securityforscc/config/scc.conf
...... defaultAlgorithm=SM4_CTR ......
- In the upper right corner of Homepage, click More and select Synchronize Configurations. In the dialog box displayed, click OK to synchronize configurations for the current cluster. Wait until the synchronization is complete.
- Click Start. In the displayed dialog box, click OK. Wait until a message is displayed indicating that the startup is successful.
- Check whether the cluster is successfully started and all services are running properly.
- After the cluster is started and services are running properly, run the following commands on the active management node of the cluster to delete the files related to the old key:
cd $CONTROLLER_HOME/tools
bash updateSysSecretMain.sh -o commit
The operation is successful if the following information is displayed:
Operations(commit) need to be performed on 3 nodes in the cluster.
start to execute action(commit) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
end to execute action(commit) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
......
execute action(commit) success.
- If the cluster fails to start or the service running status is abnormal, run the following commands on the active management node of the cluster to roll back to the state before the encryption mode of the cluster was changed. If the rollback fails, contact technical support.
cd $CONTROLLER_HOME/tools
bash updateSysSecretMain.sh -o rollback
The operation is successful if the following information is displayed:
start to pre-action(rollback)
end to pre-action(rollback)
Operations(rollback) need to be performed on 3 nodes in the cluster.
start to execute action(rollback) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
end to execute action(rollback) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
......
start to post-action(rollback)
end to post-action(rollback)
execute action(rollback) success.
Run the following command to submit the rollback operation:
bash updateSysSecretMain.sh -o commit
The operation is successful if the following information is displayed:
Operations(commit) need to be performed on 3 nodes in the cluster.
start to execute action(commit) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
end to execute action(commit) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
......
execute action(commit) success.
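The verification steps of this procedure can be scripted. The following is an added example, not part of the product documentation or the product's tooling: it reads defaultAlgorithm from an scc.conf-style file and checks saved output of updateSysSecretMain.sh for a complete run on every announced node. The function names, the one-message-per-line assumption, and the sample lines for nodes 2 and 3 are assumptions made for the example.

```bash
# Added example (not product code). Assumes updateSysSecretMain.sh prints one
# message per line in the format shown above; function names are hypothetical.

# Print the defaultAlgorithm value from an scc.conf-style file.
scc_algorithm() {
    sed -n 's/^[[:space:]]*defaultAlgorithm[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# Verify saved output of "updateSysSecretMain.sh -o <action>": every announced
# node started and ended the action, and the final success line is present.
verify_action_log() {
    action=$1; log=$2
    expected=$(sed -n "s/^Operations($action) need to be performed on \([0-9][0-9]*\) nodes.*/\1/p" "$log")
    [ -n "$expected" ] || { echo "$action: node count line missing" >&2; return 1; }
    started=$(sed -n "s/^start to execute action($action) on node\[\(.*\)]$/\1/p" "$log" | sort)
    ended=$(sed -n "s/^end to execute action($action) on node\[\(.*\)]$/\1/p" "$log" | sort)
    [ "$started" = "$ended" ] || { echo "$action: start/end node lists differ" >&2; return 1; }
    count=$(printf '%s\n' "$ended" | grep -c . || true)
    [ "$count" -eq "$expected" ] || { echo "$action: $count of $expected nodes done" >&2; return 1; }
    grep -qx "execute action($action) success\." "$log" ||
        { echo "$action: final success line missing" >&2; return 1; }
}

# Constructed sample output; the lines for nodes 2 and 3 are invented placeholders.
sample_log() {
    cat <<'EOF'
start to pre-action(update)
end to pre-action(update)
Operations(update) need to be performed on 3 nodes in the cluster.
start to execute action(update) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
end to execute action(update) on node[No:1, ip:192.168.43.43, nodeType:oms-node-active]
start to execute action(update) on node[No:2, ip:192.0.2.2, nodeType:placeholder-type]
end to execute action(update) on node[No:2, ip:192.0.2.2, nodeType:placeholder-type]
start to execute action(update) on node[No:3, ip:192.0.2.3, nodeType:placeholder-type]
end to execute action(update) on node[No:3, ip:192.0.2.3, nodeType:placeholder-type]
start to post-action(update)
end to post-action(update)
execute action(update) success.
EOF
}

# Demo on constructed files. On a real node, capture the script output with tee
# and read $BIGDATA_COMMON/securityforscc/config/scc.conf instead.
demo_dir=$(mktemp -d)
sample_log > "$demo_dir/update.log"
printf 'defaultAlgorithm=SM4_CTR\n' > "$demo_dir/scc.conf"
verify_action_log update "$demo_dir/update.log" && echo "update: all nodes done"
echo "defaultAlgorithm is now $(scc_algorithm "$demo_dir/scc.conf")"
```

A non-zero return from verify_action_log before the commit step means the output should be examined, and the rollback path considered, before the old key files are deleted.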
Reference Information
The following describes the parameters of the script for changing the encryption mode.
help:
parameters:
    -o: Operation Type, Mandatory parameters, Enumerated Value: update | commit | rollback
    -a: Algorithm Type, Optional parameters(Required only for update operation), Enumerated Value: generalCipher | SMCompatible | SMOnly
usage:
    updateSysSecretMain.sh -o [ update | commit | rollback ] | [ -a [ generalCipher | SMCompatible | SMOnly ] ]
- -o: indicates the supported operations for changing the encryption mode of a cluster key, including the update, rollback, and commit operations. The update or rollback operation is followed by a commit operation, which is used to submit the current operation result.
- -a: indicates the type of an encryption mode. The update operation supports the following key modes:
  - generalCipher: indicates that the general encryption mode is used.
  - SMCompatible/SMOnly: indicates that the national encryption mode is used.