Problem configuring TLS encryption for Cloudera: no cipher suites in common

Time: 2019-01-22 22:20:01

Tags: ssl encryption cloudera

I am trying to set up TLS encryption for Cloudera Manager following the Cloudera documentation (Cloudera Documentation - TLS).

However, after running the command "sudo service cloudera-scm-server restart" described in the link above, Cloudera Manager is no longer available and gives the error: ERR_CONNECTION_CLOSED

I noticed that after the change, Cloudera redirects from http://cdh-master.internal:7180/cmf/ to https://cdh-master.internal:7183/cmf/, but neither address works.

I found that for every request to open Cloudera Manager from the link https://cdh-master.internal:7183/cmf/, entries like the following appear in the Cloudera log (no cipher suites in common):

2019-01-22 20:28:30,983 WARN 1758044733@scm-web-9:org.mortbay.log: javax.net.ssl.SSLHandshakeException: no cipher suites in common
2019-01-22 20:28:30,994 WARN 275764863@scm-web-10:org.mortbay.log: javax.net.ssl.SSLHandshakeException: no cipher suites in common

The scenario is:

  • Cloudera Manager 5.13
  • CentOS release 6.7 (Final)
  • 2 nodes in the cluster (cdh-master / cdh-datanode)

Even though the Cloudera documentation does not show how to create the certificate files, I created them on cdh-master with the following commands:

Create the CA on cdh-master

mkdir -p /opt/cloudera/security/ca
mkdir -p /opt/cloudera/security/ca/newcerts
mkdir -p /opt/cloudera/security/ca/certs
mkdir -p /opt/cloudera/security/ca/crl
mkdir -p /opt/cloudera/security/ca/private
mkdir -p /opt/cloudera/security/ca/requests
touch /opt/cloudera/security/ca/index.txt
touch /opt/cloudera/security/ca/index.txt.attr
echo '1000' >  /opt/cloudera/security/ca/serial

sudo openssl genrsa -aes256 -out /opt/cloudera/security/ca/private/ca.tworpnet.key.pem -passout pass:serversecret 4096

sudo openssl req -config /opt/cloudera/security/ca/openssl_root.cnf -new -x509 -sha256 -extensions v3_ca -key /opt/cloudera/security/ca/private/ca.tworpnet.key.pem -out /opt/cloudera/security/ca/certs/ca.tworpnet.crt.pem -days 3650 -set_serial 0 -passin pass:serversecret -subj '/CN=cdh-master.internal/OU=DAD/O=2RP Net/L=Barueri/ST=SP/C=US'

Create the intermediate CA on cdh-master

mkdir -p /opt/cloudera/security/ca/intermediate
mkdir -p /opt/cloudera/security/ca/intermediate/newcerts
mkdir -p /opt/cloudera/security/ca/intermediate/certs
mkdir -p /opt/cloudera/security/ca/intermediate/crl
mkdir -p /opt/cloudera/security/ca/intermediate/private
mkdir -p /opt/cloudera/security/ca/intermediate/csr
touch /opt/cloudera/security/ca/intermediate/index.txt
touch /opt/cloudera/security/ca/intermediate/index.txt.attr
echo '1000' >  /opt/cloudera/security/ca/intermediate/crlnumber
echo '1234' >  /opt/cloudera/security/ca/intermediate/serial

sudo openssl req -config /opt/cloudera/security/ca/intermediate/openssl_intermediate.cnf -new -newkey rsa:4096 -keyout /opt/cloudera/security/ca/intermediate/private/int.tworpnet.key.pem -passout pass:serversecret -out /opt/cloudera/security/ca/intermediate/csr/int.tworpnet.csr -passin pass:serversecret -subj '/CN=cdh-master.internal/OU=DAD/O=2RP Net/L=Barueri/ST=SP/C=US'

sudo openssl ca -config /opt/cloudera/security/ca/openssl_root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in /opt/cloudera/security/ca/intermediate/csr/int.tworpnet.csr -out /opt/cloudera/security/ca/intermediate/certs/int.tworpnet.crt.pem  -passin pass:serversecret -batch

cat /opt/cloudera/security/ca/intermediate/certs/int.tworpnet.crt.pem /opt/cloudera/security/ca/certs/ca.tworpnet.crt.pem > /opt/cloudera/security/ca/intermediate/certs/chain.tworpnet.crt.pem

Create the server certificate

sudo openssl req -out /opt/cloudera/security/ca/intermediate/csr/$(hostname -f).server.csr.pem -newkey rsa:2048 -nodes -keyout /opt/cloudera/security/ca/intermediate/private/$(hostname -f).server.key.pem -passout pass:serversecret -config /opt/cloudera/security/ca/intermediate/openssl_csr_san.cnf -subj '/CN=cdh-master.internal/OU=DAD/O=2RP Net/L=Barueri/ST=SP/C=US'

sudo openssl ca -config /opt/cloudera/security/ca/intermediate/openssl_intermediate.cnf -extensions server_cert -days 3750 -notext -md sha256 -in /opt/cloudera/security/ca/intermediate/csr/$(hostname -f).server.csr.pem -out /opt/cloudera/security/ca/intermediate/certs/$(hostname -f).server.crt.pem -passin pass:serversecret -batch

Create the CSR files on each node

In my case, cdh-master and cdh-datanode1.

Copy ca.tworpnet.crt.pem and int.tworpnet.crt.pem to the node.

sudo mkdir -p /opt/cloudera/security/pki

sudo /usr/java/jdk1.8.0_181-amd64/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -storepass serversecret -dname "CN=$(hostname -f),OU=DAD,O=2RP Net,L=Barueri,ST=SP,C=BR" -storetype pkcs12 -ext san=dns:$(hostname -f)

sudo /usr/java/jdk1.8.0_181-amd64/bin/keytool -certreq -alias $(hostname -f) -keystore /opt/cloudera/security/pki/$(hostname -f).jks -file /opt/cloudera/security/pki/$(hostname -f).csr.pem -ext san=dns:$(hostname -f) -storepass serversecret -keypass serversecret -ext EKU=serverAuth,clientAuth

Copy the .csr.pem file created in the previous step to cdh-master (the CA).

Inside the CA (cdh-master), sign the file:

sudo openssl ca -config /opt/cloudera/security/ca/intermediate/openssl_intermediate.cnf -extensions usr_cert -days 3750 -notext -md sha256 -in  /opt/cloudera/security/ca/intermediate/csr/cdh-datanode1.internal.csr.pem -out  /opt/cloudera/security/ca/intermediate/certs/cdh-datanode1.internal.crt.pem -passin pass:serversecret -batch

Copy the created crt.pem file back to the node.

I checked the status of this file with the following command:

openssl x509 -in /opt/cloudera/security/pki/$(hostname -f).crt.pem -noout -text

In this case I noticed the following information:

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Client, SSL Server, S/MIME
    Netscape Comment:
        OpenSSL Generated Client Certificate
    X509v3 Subject Key Identifier:
        32:C8:D4:95:30:DC:E2:58:72:24:2A:47:B2:65:D4:A2:B1:C9:1F:40
    X509v3 Authority Key Identifier:
        keyid:AA:79:E6:60:24:9F:F9:0F:98:54:C8:D7:F3:08:A0:F9:77:75:81:1F
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
    X509v3 Subject Alternative Name:
        DNS:cdh-datanode1.internal

Prepare the JDK

sudo cp /usr/java/jdk1.8.0_181-amd64/jre/lib/security/cacerts /usr/java/jdk1.8.0_181-amd64/jre/lib/security/jssecacerts

sudo /usr/java/jdk1.8.0_181-amd64/bin/keytool -storepasswd -keystore /usr/java/jdk1.8.0_181-amd64/jre/lib/security/jssecacerts -storepass changeit -new serversecret

sudo /usr/java/jdk1.8.0_181-amd64/bin/keytool -importcert -alias rootca -keystore /usr/java/jdk1.8.0_181-amd64/jre/lib/security/jssecacerts  -file /opt/cloudera/security/pki/ca.tworpnet.crt.pem -storepass serversecret -noprompt
sudo /usr/java/jdk1.8.0_181-amd64/bin/keytool -importcert -alias intca -keystore /usr/java/jdk1.8.0_181-amd64/jre/lib/security/jssecacerts  -file /opt/cloudera/security/pki/int.tworpnet.crt.pem -storepass serversecret -noprompt

sudo cat /opt/cloudera/security/pki/int.tworpnet.crt.pem >> /opt/cloudera/security/pki/$(hostname -f).crt.pem
Certificate was added to keystore

sudo /usr/java/jdk1.8.0_181-amd64/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).crt.pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks -storepass serversecret -keypass serversecret -noprompt

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).crt.pem /opt/cloudera/security/pki/agent.pem

Create the link:

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/node.jks

Set up Cloudera Manager

After completing all the steps above on each node, I changed the following in Cloudera:

  1. Cloudera Manager TLS/SSL Server JKS Keystore File Location => /opt/cloudera/security/pki/node.jks
  2. Cloudera Manager TLS/SSL Server JKS Keystore File Password => serversecret
  3. Set "Use TLS Encryption for Admin Console" to true

In the SSL Truststore properties of the Cloudera Management Services:

  1. TLS/SSL Client Truststore File Location => /usr/java/jdk1.8.0_181-amd64/jre/lib/security/jssecacerts
  2. Cloudera Manager Server TLS/SSL Certificate Trust Store Password => serversecret

The next step produces the error:

sudo service cloudera-scm-server restart

I tried to connect for several minutes, waiting for Cloudera to restart all the services, but I still get the error: no cipher suites in common

Please, does anyone have an idea how to solve this? Or maybe point out what I missed.

Thanks in advance.
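A pre-flight check for the node keystore and the restarted server, added here as an example; it is not part of the question or of Cloudera's documentation. It parses `keytool -list -v` output for the alias, store path and CA file names used above (keytool and openssl on PATH are assumed), and the constructed listings at the bottom stand in for a real store so that it runs offline.

```shell
#!/bin/sh
# Added pre-flight check, not from the question or Cloudera's docs. Jetty logs
# "no cipher suites in common" when no RSA/ECDHE suite can be paired with a
# usable server identity, so this verifies from `keytool -list -v` output that
# the configured alias is a PrivateKeyEntry whose chain reaches the intermediate
# CA and whose SAN names the host. Assumes keytool and openssl on PATH.

# check_listing ALIAS  (listing on stdin) -> exit 0 when the entry is usable
check_listing() {
  awk -v alias="$1" '
    /^Alias name: /                               { cur = substr($0, 13) }
    cur == alias && /^Entry type: /               { type = $3 }
    cur == alias && /^Certificate chain length: / { len = $4 + 0 }
    cur == alias && /^Certificate\[/              { leaf = ($0 == "Certificate[1]:") }
    cur == alias && leaf && /DNSName: /           { if (index($0, alias)) san = 1 }
    END { exit !(type == "PrivateKeyEntry" && len >= 2 && san) }'
}
# keystore_type (listing on stdin) -> type keytool detected; the question made a
# pkcs12 store but configures it in a field labelled "JKS Keystore".
keystore_type() { awk -F': ' '/^Keystore type: / { print $2; exit }'; }
# check_keystore KEYSTORE ALIAS STOREPASS -> the same checks on a real store
check_keystore() {
  keytool -list -v -keystore "$1" -storepass "$3" 2>/dev/null | check_listing "$2"
}
# check_handshake HOST PORT CAFILE -> exit 0 once the restarted server completes
# a handshake and its chain validates against our root CA certificate.
check_handshake() {
  printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
# Constructed listings modelled on keytool output for the datanode in the question.
GOOD_LISTING='Keystore type: PKCS12
Alias name: cdh-datanode1.internal
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=cdh-datanode1.internal, OU=DAD, O=2RP Net, C=BR
SubjectAlternativeName [
  DNSName: cdh-datanode1.internal
]
Certificate[2]:
Owner: CN=cdh-master.internal, OU=DAD, O=2RP Net, C=US'
# Signed cert stored as a separate trusted entry rather than attached to the key
# pair (keytool reports "Certificate was added to keystore" for this, versus
# "Certificate reply was installed in keystore" when it joins the key pair).
BAD_LISTING='Alias name: cdh-datanode1.internal
Entry type: trustedCertEntry
Owner: CN=cdh-datanode1.internal, OU=DAD, O=2RP Net, C=BR'
demo_good() { printf '%s\n' "$GOOD_LISTING" | check_listing cdh-datanode1.internal; }
demo_bad()  { printf '%s\n' "$BAD_LISTING"  | check_listing cdh-datanode1.internal; }
demo_type() { printf '%s\n' "$GOOD_LISTING" | keystore_type; }
```

On a real node the calls would be `check_keystore /opt/cloudera/security/pki/node.jks "$(hostname -f)" serversecret` before the restart and `check_handshake cdh-master.internal 7183 /opt/cloudera/security/pki/ca.tworpnet.crt.pem` after it.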

0 answers:

No answers