Replacing the CA Certificate

Updated on 2024-09-23 GMT+08:00

View PDF

Scenario

The MRS CA certificate is used for data encryption during the communication between the client and the server of a component to ensure communication security. You can replace the CA certificate on FusionInsight Manager to ensure product security. This operation is applicable to the following scenarios:

After the cluster is installed for the first time, import an enterprise certificate.
If the enterprise certificate has expired or security hardening is required, replace it with a new certificate.

After the CA certificate is replaced, the certificates that are used by HDFS, YARN, MapReduce, HBase, Loader, Hue, Flink (MRS 3.2.0 or later)Oozie, Hive, Tomcat, CAS, HTTPD, and LDAP in MRS will be automatically updated.

The certificate file and key file can be applied for from the enterprise certificate center or generated by the cluster user.

NOTE:

Only CA certificates that can be issued and in X.509 format can be imported in FusionInsight.
FusionInsight requires that the OS encoding format be en_US.UTF-8 or POSIX. Otherwise, the certificate function will be abnormal.
If an isolated faulty node exists in the current cluster, the CA certificate of the node will not be replaced. After the node is de-isolated, you need to reinstall the services running on the node to ensure that the node and the cluster use the same CA certificate.
This topic is available for MRS 3.x or later.

Impact on the System

The MRS system must be restarted during the replacement and cannot be accessed or provide services.
After the certificate is replaced, the certificates used by all components and FusionInsight Manager modules are automatically updated.
After the certificate is replaced, you need to reinstall the certificate in the local environment where the certificate is not trusted.

Prerequisites

You have obtained the files to be imported to the MRS cluster, including the CA certificate file (*.crt), key file (*.key), and file that saves the key file password (password.property). The certificate name and key name support letters and digits.
You have prepared a password for accessing the key file, for example, Userpwd@123.
To avoid potential security risks, the password must meet the following complexity requirements:
- Contains at least 8 characters.
- Contains at least four types of the following: uppercase letters, lowercase letters, numbers, and special characters (~`!?,.;-_'(){}[]/<>@#$%^&*+|\=).
When applying for a certificate from the certificate center, provide the password for accessing the key file and apply for the certificate files in CRT, CER, CERT, and PEM formats and the key files in KEY and PEM formats. The applied certificate must have the issuing function.

Replacing the CA Certificate

Log in to any management node in the cluster as user omm.
Select a method for generating certificate files and key files.
- If the certificate is generated by the certificate center, save the certificate file and key file to the omm user directory on the management node.
  NOTE:
  
  If the obtained certificate file is not in the .crt format and the key file is not in the .key format, run the following commands to change the file formats:
  
  mv Certificate name.Certificate formatCertificate name.crt
  
  mv Key name.Key format Key name.key
  
  For example, run the following commands to name the certificate file ca.crt and name the key file ca.key:
  
  mv server.cer ca.crt
  
  mv server_key.pem ca.key
- If the certificate is generated by the cluster user, run the following commands to generate the certificate file and key file in the omm user directory on the management node:
  1. Generate the key file.
    Run the following command to check whether the OpenSSL version is 1.1.1 or later:
    
    /usr/bin/openssl version
    - If yes, run the following command:
      openssl genrsa -out Key name.key -aes256 3072
    - If no, run the following command:
      openssl genrsa -out Key name.key -aes256 3072 -sha256
    For example, to generate the key file ca.key, run the following command:
    
    openssl genrsa -out ca.key -aes256 3072 -sha256
    
    Enter the password twice as prompted, and press Enter.
```
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
```
  2. Generate the certificate file.
    openssl req -new -x509 -days 1825 -key Key name.key -out Certificate name.crt -subj "/C=cn/ST=guangdong/L=shenzhen/O=huawei/OU=huawei/CN=huawei" -sha256
    
    For example, to generate the certificate file ca.crt, run the following command:
    
    openssl req -new -x509 -days 1825 -key ca.key -out ca.crt -subj "/C=cn/ST=guangdong/L=shenzhen/O=huawei/OU=huawei/CN=huawei" -sha256
    
    Enter the password for the key file as prompted, and press Enter.
```
Enter pass phrase for ca.key:
```
Run the following command in the omm user directory on the management node to save the password for accessing the key file.

sh ${BIGDATA_HOME}/om-server/om/sbin/genPwFile.sh

Enter the password twice as prompted, and press Enter. After being encrypted, the password is saved in password.property.
```
Please input key password: 
Please Confirm password:
```
NOTE:
- The password.property file generated on the node you have logged is available only for the current cluster and cannot be used for other clusters. The file contains security information. Keep it secure and control the access permission.
- In active/standby DR scenarios, the genPwFile.sh script must be executed on both the active and DR cluster nodes, and the same password must be entered for the two clusters.
Compress the three files in the .tar format and save them to the local computer.

tar -cvf Package name Certificate name .crt Key name .key password.property

For example, tar -cvf test.tar ca.crt ca.key password.property

NOTE:

In active/standby DR scenarios, run this command on each cluster node.
Log in to FusionInsight Manager and choose System > Certificate.
In the Upload Certificate area, click the file selection button. In the window for selecting files, select the obtained .tar certificate file packages and open them and click Upload. The system automatically imports the certificate.
After the certificate is imported, the system prompts you to synchronize the cluster configuration and restart the web service for the new certificate to take effect. After you complete these operations, click OK.
In the dialog box that is displayed, enter the password and click OK to automatically synchronize the cluster configuration and restart the web service.
After the cluster is restarted, enter the URL for accessing FusionInsight Manager in the address box of the browser and check whether the FusionInsight Manager web UI can be successfully displayed.

NOTE:

The enterprise certificate has expired or security is hardened. After replacing the MRS certificate, replace the local certificate as well.
Log in to FusionInsight Manager and choose Cluster > Overview > More > Restart . In the displayed dialog box, enter the password of the current login user and click OK.

NOTE:

After the CA certificate is replaced, you need to restart the cluster offline to make the certificate take effect. Rolling restart is not supported.
In the displayed restart confirmation dialog box, click OK.