Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
<a name="mrs_01_0621"></a><a name="mrs_01_0621"></a>
<h1 class="topictitle1">Example of Issuing a Certificate</h1>
<div id="body1599727232580"><p id="mrs_01_0621__en-us_topic_0000001219350641_p11561155113513">Generate the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1979762464011">generate_keystore.sh</strong> script based on the sample code and save the script to the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1777133013404">bin</strong> directory on the Flink client.</p>
<pre class="screen" id="mrs_01_0621__en-us_topic_0000001219350641_screen113431749105118">#!/bin/bash
# ---- script-wide settings; every path is derived from the caller's environment ----
# keytool of the JDK that JAVA_HOME points to
KEYTOOL="${JAVA_HOME}/bin/keytool"
# directory that receives ca.keystore, ca.cer, flink.truststore, flink.keystore,
# flink.csr and flink.cer (note the trailing slash, kept for compatibility)
KEYSTOREPATH="${FLINK_HOME}/conf/"
# self-signed CA: alias, keystore file name, subject and key algorithm
CA_ALIAS="ca"
CA_KEYSTORE_NAME="ca.keystore"
CA_DNAME="CN=Flink_CA"
CA_KEYALG="RSA"
# Flink client configuration that configureFlinkConf rewrites in place
CLIENT_CONF_YAML="${FLINK_HOME}/conf/flink-conf.yaml"
# Kerberos principal; empty until main reads it from CLIENT_CONF_YAML
KEYTABPRINCEPAL=""
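#######################################
# Look up one key in $FLINK_HOME/conf/client.properties.
# Globals:   FLINK_HOME (read)
# Arguments: $1 - property name; matched as a literal string anywhere on a
#                 line, so "a.b" also matches a line containing "a.b.c"
#            $2 - value printed when no line matches
# Outputs:   the text after the first '=' of the matching line, or $2
# Returns:   exits 1 (bad argument count), 2 (empty name), 3 (missing file)
#            or 4 (more than one matching line). Callers use $(getConf ...),
#            so the exit only ends that subshell: the caller has to check the
#            substitution's status itself.
#######################################
function getConf() {
  if [ $# -ne 2 ]; then
    echo "invalid parmaters for getConf"
    exit 1
  fi

  local confName="$1"
  if [ -z "$confName" ]; then
    echo "conf name is empty."
    exit 2
  fi

  local configFile="$FLINK_HOME/conf/client.properties"
  if [ ! -f "$configFile" ]; then
    echo "$configFile" " is not exist."
    exit 3
  fi

  local defaultValue="$2"
  # -F: the key's dots are literal, not regex wildcards; -- protects a key that
  # starts with '-'. grep -c prints 0 when nothing matches.
  local cnt
  cnt=$(grep -c -F -- "$confName" "$configFile")
  cnt=${cnt:-0}
  if [ "$cnt" -gt 1 ]; then
    echo "$confName" " has multi values in " "$configFile"
    exit 4
  elif [ "$cnt" -lt 1 ]; then
    printf '%s\n' "$defaultValue"
  else
    local line
    line=$(grep -F -- "$confName" "$configFile")
    # everything after the first '='; the value is not trimmed
    printf '%s\n' "${line#*=}"
  fi
}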
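#######################################
# Create the self-signed CA under $1: ca.keystore (key pair), ca.cer (the
# exported CA certificate) and flink.truststore (ca.cer imported).
# Globals:   KEYTOOL, CA_ALIAS, CA_KEYSTORE_NAME, CA_DNAME, CA_KEYALG (read)
# Arguments: $1 - output directory
#            $2 - keystore password
#            $3 - key password
# Returns:   0 on success; exits 1 when any keytool step fails.
#######################################
function createSelfSignedCA() {
  # variables from user input
  local keystorePath="$1"
  local storepassValue="$2"
  local keypassValue="$3"

  # NOTE(review): the passwords are passed to keytool as arguments, so they are
  # readable in this host's process list while each keytool call runs (keytool
  # also accepts -storepass:env / -storepass:file). Kept to match the
  # documented flow.

  # generate ca keystore; remove the output of a previous run first
  rm -f -- "$keystorePath/$CA_KEYSTORE_NAME"
  if ! "$KEYTOOL" -genkeypair -alias "$CA_ALIAS" \
      -keystore "$keystorePath/$CA_KEYSTORE_NAME" -dname "$CA_DNAME" \
      -storepass "$storepassValue" -keypass "$keypassValue" \
      -validity 3650 -keyalg "$CA_KEYALG" -keysize 3072 -ext "bc=ca:true"; then
    echo "generate ca.keystore failed."
    exit 1
  fi

  # generate ca.cer (-validity appears unused by -exportcert; kept as in the
  # original call)
  rm -f -- "$keystorePath/ca.cer"
  if ! "$KEYTOOL" -keystore "$keystorePath/$CA_KEYSTORE_NAME" \
      -storepass "$storepassValue" -alias "$CA_ALIAS" -validity 3650 \
      -exportcert > "$keystorePath/ca.cer"; then
    echo "generate ca.cer failed."
    exit 1
  fi

  # generate ca.truststore: flink.truststore holds only the CA certificate
  rm -f -- "$keystorePath/flink.truststore"
  if ! "$KEYTOOL" -importcert -keystore "$keystorePath/flink.truststore" \
      -alias "$CA_ALIAS" -storepass "$storepassValue" -noprompt \
      -file "$keystorePath/ca.cer"; then
    echo "generate ca.truststore failed."
    exit 1
  fi
}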
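#######################################
# Create flink.keystore: generate a key pair, have it signed by the CA in
# $1/ca.keystore and import ca.cer plus the signed flink.cer back into it.
# Globals:   KEYTOOL, CA_ALIAS, CA_KEYSTORE_NAME (read); getConf reads
#            $FLINK_HOME/conf/client.properties
# Arguments: $1 - directory holding ca.keystore / ca.cer; also the output dir
#            $2 - keystore password (ca.keystore is opened with it as well)
#            $3 - key password
# Returns:   0 on success; exits 1 when getConf or any keytool step fails.
# Note:      flink.keystore.rsa.validity (default 3650) is applied to the key
#            pair and to the signed certificate; it used to be read but the
#            keytool calls hard-coded 3650.
#######################################
function generateKeystore() {
  # get path/pass from input
  local keystorePath="$1"
  local storepassValue="$2"
  local keypassValue="$3"

  # get value from conf. getConf runs in a $(...) subshell, so its exit only
  # ends that subshell; the status must be checked here or an empty value
  # would silently reach keytool.
  local aliasValue validityValue keyalgValue dnameValue SANValue
  aliasValue=$(getConf "flink.keystore.rsa.alias" "flink") || exit 1
  validityValue=$(getConf "flink.keystore.rsa.validity" "3650") || exit 1
  keyalgValue=$(getConf "flink.keystore.rsa.keyalg" "RSA") || exit 1
  dnameValue=$(getConf "flink.keystore.rsa.dname" "CN=flink.com") || exit 1
  SANValue=$(getConf "flink.keystore.rsa.ext" "ip:127.0.0.1") || exit 1

  # Build the SAN list: trim every comma-separated entry and prefix it with
  # "ip:" unless it already starts with a keytool SAN type. Prefixing
  # unconditionally turned the default "ip:127.0.0.1" into "ip:ip:127.0.0.1".
  local rest="$SANValue," item sanList=""
  while [ -n "$rest" ]; do
    item="${rest%%,*}"
    rest="${rest#*,}"
    item="${item#"${item%%[![:space:]]*}"}"   # left trim
    item="${item%"${item##*[![:space:]]}"}"   # right trim
    [ -n "$item" ] || continue
    case "$item" in
      [iI][pP]:*|[dD][nN][sS]:*|[uU][rR][iI]:*|[eE][mM][aA][iI][lL]:*|[oO][iI][dD]:*) ;;
      *) item="ip:$item" ;;
    esac
    sanList="${sanList:+$sanList,}$item"
  done
  SANValue="$sanList"

  # generate keystore; remove the output of a previous run first
  rm -f -- "$keystorePath/flink.keystore"
  if ! "$KEYTOOL" -genkeypair -alias "$aliasValue" \
      -keystore "$keystorePath/flink.keystore" -dname "$dnameValue" \
      -ext "SAN=$SANValue" -storepass "$storepassValue" -keypass "$keypassValue" \
      -keyalg "$keyalgValue" -keysize 3072 -validity "$validityValue"; then
    echo "generate flink.keystore failed."
    exit 1
  fi

  # generate cer: certificate signing request for the new key
  rm -f -- "$keystorePath/flink.csr"
  if ! "$KEYTOOL" -certreq -keystore "$keystorePath/flink.keystore" \
      -storepass "$storepassValue" -alias "$aliasValue" \
      -file "$keystorePath/flink.csr"; then
    echo "generate flink.csr failed."
    exit 1
  fi

  # generate flink.cer, signed with the CA key in ca.keystore
  rm -f -- "$keystorePath/flink.cer"
  if ! "$KEYTOOL" -gencert -keystore "$keystorePath/$CA_KEYSTORE_NAME" \
      -storepass "$storepassValue" -alias "$CA_ALIAS" -ext "SAN=$SANValue" \
      -infile "$keystorePath/flink.csr" -outfile "$keystorePath/flink.cer" \
      -validity "$validityValue"; then
    echo "generate flink.cer failed."
    exit 1
  fi

  # import cer into keystore: the CA certificate first, then the signed
  # certificate under the key's own alias
  if ! "$KEYTOOL" -importcert -keystore "$keystorePath/flink.keystore" \
      -storepass "$storepassValue" -file "$keystorePath/ca.cer" \
      -alias "$CA_ALIAS" -noprompt; then
    echo "import ca.cer into flink.keystore failed."
    exit 1
  fi

  if ! "$KEYTOOL" -importcert -keystore "$keystorePath/flink.keystore" \
      -storepass "$storepassValue" -file "$keystorePath/flink.cer" \
      -alias "$aliasValue" -noprompt; then
    echo "import flink.cer into flink.keystore failed."
    exit 1
  fi
}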
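#######################################
# Escape '\', '/' and '&' so $1 can be used literally as the replacement of a
# sed "s/.../.../" command (all sed calls below use '/' as delimiter).
# Arguments: $1 - raw text
# Outputs:   escaped text, without trailing newline
#######################################
sedEscape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/&/\\\&/g'
}

#######################################
# Write the generated keystore/truststore settings into flink-conf.yaml.
# Globals:   CLIENT_CONF_YAML, KEYTABPRINCEPAL (read); the file named by
#            CLIENT_CONF_YAML is edited in place with sed -i. A key that is
#            absent from the file is not added; its sed simply matches nothing.
# Arguments: $1 - directory holding flink.keystore / flink.truststore
#            $2 - keystore and truststore password
#            $3 - key password
#            Each falls back to the global of the same name that main sets,
#            which is what the earlier, argument-ignoring version relied on.
# Returns:   0 on success (also when CLIENT_CONF_YAML does not exist); 1 when
#            a sed edit fails.
#######################################
function configureFlinkConf() {
  local keystorePath="${1:-$keystorePath}"
  local storePass="${2:-$storePass}"
  local keyPass="${3:-$keyPass}"

  # set config
  if [ -f "$CLIENT_CONF_YAML" ]; then
    local SSL_ENCRYPT_ENABLED
    SSL_ENCRYPT_ENABLED=$(grep "security.ssl.encrypt.enabled" "$CLIENT_CONF_YAML" | awk '{print $2}')
    if [ "$SSL_ENCRYPT_ENABLED" = "false" ]; then
      # sed would otherwise interpret '\', '/' and '&' inside the password and
      # write a corrupted value
      local keyPassEsc storePassEsc
      keyPassEsc=$(sedEscape "$keyPass")
      storePassEsc=$(sedEscape "$storePass")

      if ! sed -i "s/security.ssl.key-password:.*/security.ssl.key-password: ${keyPassEsc}/g" "$CLIENT_CONF_YAML"; then
        echo "set security.ssl.key-password failed."
        return 1
      fi

      if ! sed -i "s/security.ssl.keystore-password:.*/security.ssl.keystore-password: ${storePassEsc}/g" "$CLIENT_CONF_YAML"; then
        echo "set security.ssl.keystore-password failed."
        return 1
      fi

      if ! sed -i "s/security.ssl.truststore-password:.*/security.ssl.truststore-password: ${storePassEsc}/g" "$CLIENT_CONF_YAML"; then
        echo "set security.ssl.truststore-password failed."
        return 1
      fi

      echo "security.ssl.encrypt.enabled is false, set security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password success."
    else
      echo "security.ssl.encrypt.enabled is true, please enter security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password encrypted value in flink-conf.yaml."
    fi

    # absolute paths; the page that ships this script tells the user to change
    # them to relative paths afterwards
    local keystoreFilePath="${keystorePath}/flink.keystore"
    if ! sed -i "s/security.ssl.keystore:.*/security.ssl.keystore: $(sedEscape "$keystoreFilePath")/g" "$CLIENT_CONF_YAML"; then
      echo "set security.ssl.keystore failed."
      return 1
    fi

    local truststoreFilePath="${keystorePath}/flink.truststore"
    if ! sed -i "s/security.ssl.truststore:.*/security.ssl.truststore: $(sedEscape "$truststoreFilePath")/g" "$CLIENT_CONF_YAML"; then
      echo "set security.ssl.truststore failed."
      return 1
    fi

    # NOTE(review): with sha256sum available the cookie is a deterministic hash
    # of the Kerberos principal name, which is not a secret, so the value can be
    # recomputed by anyone who knows the principal. security.cookie is meant to
    # be a shared secret; a value drawn from a random source would be stronger.
    # Left unchanged to keep the documented behaviour.
    local cookie
    if command -v sha256sum >/dev/null; then
      cookie="$(printf '%s\n' "${KEYTABPRINCEPAL}" | sha256sum | awk '{print $1}')"
    else
      echo "sha256sum is not exist, it will produce security.cookie with date +%F-%H-%M-%s-%N."
      cookie=$(date +%F-%H-%M-%s-%N)
    fi

    if ! sed -i "s/security.cookie:.*/security.cookie: $(sedEscape "$cookie")/g" "$CLIENT_CONF_YAML"; then
      echo "set security.cookie failed."
      return 1
    fi
  fi
  return 0
}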
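#######################################
# Entry point: prompt for the password, create the CA and the Flink
# keystore/truststore under $KEYSTOREPATH and update flink-conf.yaml.
# Globals:   FLINK_HOME, CLIENT_CONF_YAML, KEYSTOREPATH (read);
#            KEYTABPRINCEPAL, keystorePath, storePass, keyPass (written, and
#            read back as globals by configureFlinkConf)
# Arguments: none are used. NOTE(review): the page that ships this script runs
#            "sh generate_keystore.sh <password>", but the password is read from
#            the terminal here and any argument is ignored; the prompt keeps the
#            password out of the process list and the shell history.
# Returns:   0 on success; exits 1 on any failure.
#######################################
main() {
  # check environment variable is set or not; KEYSTOREPATH and
  # CLIENT_CONF_YAML were built from FLINK_HOME at the top of the script
  if [ -z "${FLINK_HOME+x}" ]; then
    echo "errro: environment variables are not set."
    exit 1
  fi

  # read the password without echoing it (read -s replaces stty -echo/echo)
  local password
  read -r -s -p "Enter password:" password
  echo
  if [ -z "$password" ]; then
    echo "error: password is empty."
    exit 1
  fi

  KEYTABPRINCEPAL=$(grep "security.kerberos.login.principal" "$CLIENT_CONF_YAML" | awk '{print $2}')
  if [ -z "$KEYTABPRINCEPAL" ]; then
    echo "please config security.kerberos.login.principal info first."
    exit 1
  fi

  # get input. These stay global on purpose: configureFlinkConf reads
  # keystorePath, storePass and keyPass from the caller's variables.
  keystorePath="$KEYSTOREPATH"
  storePass="$password"
  keyPass="$password"

  # generate self signed CA (the helper exits on failure itself; the status
  # check stays in case it is ever changed to return instead)
  if ! createSelfSignedCA "$keystorePath" "$storePass" "$keyPass"; then
    echo "create self signed ca failed."
    exit 1
  fi

  # generate keystore
  if ! generateKeystore "$keystorePath" "$storePass" "$keyPass"; then
    echo "create keystore failed."
    exit 1
  fi

  echo "generate keystore/truststore success."

  # set flink config
  if ! configureFlinkConf "$keystorePath" "$storePass" "$keyPass"; then
    echo "configure Flink failed."
    exit 1
  fi

  return 0
}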
# Start: hand the script's arguments through to main (main itself exits on
# failure; the final exit status is set on the line after this one).
main "$@"
exit 0</pre>
<div class="note" id="mrs_01_0621__en-us_topic_0000001219350641_note4201531153619"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_0621__en-us_topic_0000001219350641_p8982856103610">Run the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1330144714018">sh generate_keystore.sh </strong><em id="mrs_01_0621__en-us_topic_0000001219350641_i1901184644017"><password></em> command. <em id="mrs_01_0621__en-us_topic_0000001219350641_i1098153154016"><password></em> is user-defined.</p>
<ul id="mrs_01_0621__en-us_topic_0000001219350641_ul189821056183610"><li id="mrs_01_0621__en-us_topic_0000001219350641_li13983185643611">If <em id="mrs_01_0621__en-us_topic_0000001219350641_i13154624410"><password></em> contains the special character <strong id="mrs_01_0621__en-us_topic_0000001219350641_b124184620442">$</strong>, enclose it in single quotes so that the shell does not expand it, for example: <strong id="mrs_01_0621__en-us_topic_0000001219350641_b65646184414">sh generate_keystore.sh 'Bigdata_2013'</strong>.</li><li id="mrs_01_0621__en-us_topic_0000001219350641_li2984556103618">The password cannot contain <strong id="mrs_01_0621__en-us_topic_0000001219350641_b831756114418">#</strong>.</li><li id="mrs_01_0621__en-us_topic_0000001219350641_li1452416241947">Before using the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1985818261476">generate_keystore.sh</strong> script, run the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1158113018719">source bigdata_env</strong> command in the client directory.</li><li id="mrs_01_0621__en-us_topic_0000001219350641_li17178368611">When the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1390175118193">generate_keystore.sh</strong> script is used, the absolute paths of <strong id="mrs_01_0621__en-us_topic_0000001219350641_b128038553193">security.ssl.keystore</strong> and <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1981115841918">security.ssl.truststore</strong> are automatically filled in <strong id="mrs_01_0621__en-us_topic_0000001219350641_b74478662015">flink-conf.yaml</strong>. Therefore, you need to manually change the paths to relative paths as required. 
Example:<ul id="mrs_01_0621__en-us_topic_0000001219350641_ul144252366612"><li id="mrs_01_0621__en-us_topic_0000001219350641_li089516610590">Change <strong id="mrs_01_0621__en-us_topic_0000001219350641_b7981131513201">/opt/client/Flink/flink/conf//flink.keystore</strong> to <strong id="mrs_01_0621__en-us_topic_0000001219350641_b13405122152014">security.ssl.keystore: ssl/flink.keystore</strong>.</li><li id="mrs_01_0621__en-us_topic_0000001219350641_li855519115718">Change <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1143320326202">/opt/client/Flink/flink/conf//flink.truststore</strong> to <strong id="mrs_01_0621__en-us_topic_0000001219350641_b2366535152016">security.ssl.truststore: ssl/flink.truststore</strong>.</li><li id="mrs_01_0621__en-us_topic_0000001219350641_li63835817717">Create the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1914082262118">ssl</strong> folder in any directory on the Flink client. For example, create the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b7336202719212">ssl</strong> folder in the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b3761639122118">/opt</strong><strong id="mrs_01_0621__en-us_topic_0000001219350641_b476123916216"></strong><strong id="mrs_01_0621__en-us_topic_0000001219350641_b13761639202116">/client/Flink/flink/conf/</strong> directory and save the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b195514314219">flink.keystore</strong> and <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1561917456213">flink.truststore</strong> files to the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b12548447152110">ssl</strong> folder.</li><li id="mrs_01_0621__en-us_topic_0000001219350641_li5105198121512">When running the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b1579914576204">yarn-session</strong> or <strong id="mrs_01_0621__en-us_topic_0000001219350641_b65982117214">flink run -m yarn-cluster</strong> command, run the <strong 
id="mrs_01_0621__en-us_topic_0000001219350641_b3798155216">yarn-session -t ssl -d</strong> or <strong id="mrs_01_0621__en-us_topic_0000001219350641_b22019107213">flink run -m yarn-cluster -yt ssl -d WordCount.jar</strong> command in the same directory as the <strong id="mrs_01_0621__en-us_topic_0000001219350641_b183192173219">ssl</strong> folder.</li></ul>
</li></ul>
</div></div>
</div>