Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Replacing the CA Certificate

Updated on 2024-09-23 GMT+08:00

Scenario

The MRS CA certificate is used for data encryption during the communication between the client and the server of a component to ensure communication security. You can replace the CA certificate on FusionInsight Manager to ensure product security. This operation is applicable to the following scenarios:

  • After the cluster is installed for the first time, import an enterprise certificate.
  • If the enterprise certificate has expired or security hardening is required, replace it with a new certificate.

After the CA certificate is replaced, the certificates that are used by HDFS, YARN, MapReduce, HBase, Loader, Hue, Flink (MRS 3.2.0 or later)Oozie, Hive, Tomcat, CAS, HTTPD, and LDAP in MRS will be automatically updated.

The certificate file and key file can be applied for from the enterprise certificate center or generated by the cluster user.

NOTE:
  • Only CA certificates that can be issued and in X.509 format can be imported in FusionInsight.
  • FusionInsight requires that the OS encoding format be en_US.UTF-8 or POSIX. Otherwise, the certificate function will be abnormal.
  • If an isolated faulty node exists in the current cluster, the CA certificate of the node will not be replaced. After the node is de-isolated, you need to reinstall the services running on the node to ensure that the node and the cluster use the same CA certificate.
  • This topic is available for MRS 3.x or later.

Impact on the System

  • The MRS system must be restarted during the replacement and cannot be accessed or provide services.
  • After the certificate is replaced, the certificates used by all components and FusionInsight Manager modules are automatically updated.
  • After the certificate is replaced, you need to reinstall the certificate in the local environment where the certificate is not trusted.

Prerequisites

  • You have obtained the files to be imported to the MRS cluster, including the CA certificate file (*.crt), key file (*.key), and file that saves the key file password (password.property). The certificate name and key name support letters and digits.
  • You have prepared a password for accessing the key file, for example, Userpwd@123.

    To avoid potential security risks, the password must meet the following complexity requirements:

    • Contains at least 8 characters.
    • Contains at least four types of the following: uppercase letters, lowercase letters, numbers, and special characters (~`!?,.;-_'(){}[]/<>@#$%^&*+|\=).
  • When applying for a certificate from the certificate center, provide the password for accessing the key file and apply for the certificate files in CRT, CER, CERT, and PEM formats and the key files in KEY and PEM formats. The applied certificate must have the issuing function.

Replacing the CA Certificate

  1. Log in to any management node in the cluster as user omm.
  2. Select a method for generating certificate files and key files.

    • If the certificate is generated by the certificate center, save the certificate file and key file to the omm user directory on the management node.
      NOTE:

      If the obtained certificate file is not in the .crt format and the key file is not in the .key format, run the following commands to change the file formats:

      mv Certificate name.Certificate formatCertificate name.crt

      mv Key name.Key format Key name.key

      For example, run the following commands to name the certificate file ca.crt and name the key file ca.key:

      mv server.cer ca.crt

      mv server_key.pem ca.key

    • If the certificate is generated by the cluster user, run the following commands to generate the certificate file and key file in the omm user directory on the management node:
      1. Generate the key file.

        Run the following command to check whether the OpenSSL version is 1.1.1 or later:

        /usr/bin/openssl version

        • If yes, run the following command:

          openssl genrsa -out Key name.key -aes256 3072

        • If no, run the following command:

          openssl genrsa -out Key name.key -aes256 3072 -sha256

        For example, to generate the key file ca.key, run the following command:

        openssl genrsa -out ca.key -aes256 3072 -sha256

        Enter the password twice as prompted, and press Enter.

        Enter pass phrase for ca.key:
        Verifying - Enter pass phrase for ca.key:
      2. Generate the certificate file.

        openssl req -new -x509 -days 1825 -key Key name.key -out Certificate name.crt -subj "/C=cn/ST=guangdong/L=shenzhen/O=huawei/OU=huawei/CN=huawei" -sha256

        For example, to generate the certificate file ca.crt, run the following command:

        openssl req -new -x509 -days 1825 -key ca.key -out ca.crt -subj "/C=cn/ST=guangdong/L=shenzhen/O=huawei/OU=huawei/CN=huawei" -sha256

        Enter the password for the key file as prompted, and press Enter.

        Enter pass phrase for ca.key:

  3. Run the following command in the omm user directory on the management node to save the password for accessing the key file.

    sh ${BIGDATA_HOME}/om-server/om/sbin/genPwFile.sh

    Enter the password twice as prompted, and press Enter. After being encrypted, the password is saved in password.property.

    Please input key password: 
    Please Confirm password:
    NOTE:
    • The password.property file generated on the node you have logged is available only for the current cluster and cannot be used for other clusters. The file contains security information. Keep it secure and control the access permission.
    • In active/standby DR scenarios, the genPwFile.sh script must be executed on both the active and DR cluster nodes, and the same password must be entered for the two clusters.

  4. Compress the three files in the .tar format and save them to the local computer.

    tar -cvf Package name Certificate name .crt Key name .key password.property

    For example, tar -cvf test.tar ca.crt ca.key password.property

    NOTE:

    In active/standby DR scenarios, run this command on each cluster node.

  5. Log in to FusionInsight Manager and choose System > Certificate.
  6. In the Upload Certificate area, click the file selection button. In the window for selecting files, select the obtained .tar certificate file packages and open them and click Upload. The system automatically imports the certificate.
  7. After the certificate is imported, the system prompts you to synchronize the cluster configuration and restart the web service for the new certificate to take effect. After you complete these operations, click OK.
  8. In the dialog box that is displayed, enter the password and click OK to automatically synchronize the cluster configuration and restart the web service.
  9. After the cluster is restarted, enter the URL for accessing FusionInsight Manager in the address box of the browser and check whether the FusionInsight Manager web UI can be successfully displayed.

    NOTE:

    The enterprise certificate has expired or security is hardened. After replacing the MRS certificate, replace the local certificate as well.

  10. Log in to FusionInsight Manager and choose Cluster > Overview > More > Restart . In the displayed dialog box, enter the password of the current login user and click OK.

    NOTE:

    After the CA certificate is replaced, you need to restart the cluster offline to make the certificate take effect. Rolling restart is not supported.

  11. In the displayed restart confirmation dialog box, click OK.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback