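# ---------------------------------------------------------------------------
# Merging keytabs
# ---------------------------------------------------------------------------
# ktutil reads the entries of several keytabs into memory (rkt) and writes the
# union out (wkt). wkt adds to an existing target file instead of replacing
# it, so delete a stale target first or you end up with duplicate/old entries.
# Feeding ktutil a heredoc is equivalent to typing the commands at its prompt.
ktutil <<'EOF'
rkt /etc/security/keytabs/httpfs.service.keytab
rkt /etc/security/keytabs/spnego.service.keytab
wkt /etc/security/keytabs/httpfs-http.service.keytab
quit
EOF
# A keytab is a long-lived credential equivalent to the password: keep it
# mode 0600 and owned by the service account that reads it.
chmod 600 /etc/security/keytabs/httpfs-http.service.keytab

# ---------------------------------------------------------------------------
# Creating a keytab from a password (no kadmin access needed)
# ---------------------------------------------------------------------------
# -k is the kvno (key version number). For a service (acceptor) keytab it has
#    to match the kvno the KDC puts into issued tickets, otherwise the service
#    cannot decrypt them; check it with `kvno <principal>` (docs below).
# -e is the encryption type. RC4-HMAC (arcfour-hmac) and des3-cbc-sha1 are
#    deprecated (RFC 8429); prefer the aes*-cts-hmac-sha1-96 types unless the
#    KDC (e.g. an old AD domain) only offers RC4.
# The password is consumed by the addent prompt from stdin: read it without
# echo rather than writing it into the script or passing it on argv.
read -rs -p 'Password for username@MYDOMAIN.COM: ' kpw; echo
ktutil <<EOF
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
${kpw}
wkt username.keytab
q
EOF
unset kpw
chmod 600 username.keytab
# kvno:             http://web.mit.edu/kerberos/krb5-1.13/doc/user/user_commands/kvno.html
# Encryption types: http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#encryption-types

# ---------------------------------------------------------------------------
# Creating a service principal and its keytab with kadmin.local (on the KDC)
# ---------------------------------------------------------------------------
# -pw places the password on the command line, where it lands in shell history
#    and is visible to `ps`; for service principals use -randkey (nobody needs
#    to know the password), or omit -pw and let kadmin prompt for it.
kadmin.local -q "addprinc -pw hadoop ${principal}"
kadmin.local -q "addprinc -randkey ${principal}"
# xst extracts the principal's keys into a keytab (-k). Protect the output
# file as above; it is a credential.
kadmin.local -q "xst -k ${tmpKeytabFile} ${principal}"

# --- xst DOES CHANGE THE PASSWORD when it creates the keytab ---
# By default xst re-randomizes the key (and bumps the kvno), so the user's
# password and every older keytab stop working:
kadmin.local -q "xst -k /home/hdfs-user/hdfs-user.keytab hdfs-user@MYCORP.NET"
# Use -norandkey to keep the existing key (the password stays valid):
kadmin.local -q "xst -norandkey -k /home/hdfs-user/hdfs-user.keytab hdfs-user@MYCORP.NET"
# To set the password back afterwards: cpw rotates the key again, which
# INVALIDATES every keytab extracted before (same -pw-on-argv caveat as above).
kadmin.local -q "cpw -pw hadoop hdfs-user"

# --- ktutil addent -password DOES NOT CHANGE THE PASSWORD on the KDC ---
# Interactive session: the lines after `ktutil` are typed at the ktutil:
# prompt, one entry per encryption type the KDC may issue for this principal;
# the password is prompted once per addent.
# NOTE(review): the kvnos here (0, 1, 2, 2) differ between entries; normally
# every entry for one principal carries the principal's current kvno — confirm
# the right value with `kvno` before relying on this keytab. The des3/arcfour
# entries are only needed for legacy peers (see the enctype caveat above).
ktutil
addent -password -p data_artist01@MYCORP.NET -k 0 -e aes256-cts-hmac-sha1-96
addent -password -p data_artist01@MYCORP.NET -k 1 -e aes128-cts-hmac-sha1-96
addent -password -p data_artist01@MYCORP.NET -k 2 -e des3-cbc-sha1
addent -password -p data_artist01@MYCORP.NET -k 2 -e arcfour-hmac
wkt data_artist01.keytab
q
# Verify the result: -k lists the keytab, -t adds timestamps, -e the enctypes.
klist -kte data_artist01.keytab
# Keytab name: FILE:data_artist01.keytab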
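# LDAP bind test over TLS.
#   LDAPTLS_CACERT names the CA that must have issued the server certificate;
#   leave LDAPTLS_REQCERT at its default (demand) so a bad certificate fails
#   the connection instead of being ignored.
#   -x  simple bind; -W prompts for the bind password (never -w <pw> on argv).
#   -d8 prints connection-level debug output; drop it once the bind works.
#   ldaps:// is implicit TLS on port 636. -Z requests StartTLS, which does not
#   apply to an ldaps:// URI and only produces a start_tls error from libldap
#   (non-fatal with a single -Z, fatal with -ZZ), so it is omitted here; use
#   `-H ldap://my.corp.net -ZZ` if StartTLS on 389 is what you want.
export LDAPTLS_CACERT=/etc/root_ca.pem
ldapsearch -v -x -d8 \
  -D 'cn=BindUser,OU=Users,DC=my,DC=corp,DC=net' \
  -b 'DC=my,DC=corp,DC=net' \
  -W -H ldaps://my.corp.net 'cn=user1'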
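# Convert a certificate from DER to PEM (-text also writes a human-readable
# dump in front of the PEM block; drop it if the file is for machine use).
openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem -text
# Test a TLS connection. s_client reports the chain check in its
# "Verify return code" line; a completed handshake alone does not mean the
# certificate is valid. Pass -CAfile <ca.pem> to verify against a specific CA.
openssl s_client -connect 01.cloud.hortonworks.com:8443 -servername 01.cloud.hortonworks.com
# Read a certificate
openssl x509 -in certs/ca.crt -text -noout
# Create a private key and self-signed certificate in one command.
# Without -days the certificate is valid for only 30 days; -newkey fixes the
# key size instead of relying on the openssl.cnf default.
# -nodes leaves the private key unencrypted on disk: restrict it to 0600.
openssl req -nodes -new -x509 -newkey rsa:2048 -days 365 -keyout server.key -out server.cert
chmod 600 server.key
# Export the certificate chain a TLS (LDAPS) server presents.
# This is trust-on-first-use: nothing is verified here, so compare the CA
# fingerprint with a trusted source before importing it anywhere.
# The awk keeps every PEM block, i.e. the server's leaf certificate as well as
# the intermediates; a truststore should only receive the CA certificate(s).
echo "" | openssl s_client -connect <host>:636 -showcerts | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' > /root/certs.pem
# Import into a Java truststore. This example edits the JDK-wide cacerts
# (default password "changeit"); a dedicated application truststore is
# easier to audit and survives JDK upgrades.
keytool -import -alias ldap_certs -keystore /etc/pki/..../cacerts -file /root/certs.pem
# Convert PEM to PKCS#12 (needs the host's private key; -export prompts for
# the export password that protects the key inside the .pkcs12 file).
openssl pkcs12 -export -out <name>.pkcs12 -in <name>.pem -inkey <private>.key
# Import the key into a Java keystore. JKS is the legacy proprietary format;
# keytool itself recommends PKCS12 (-deststoretype PKCS12) for new stores.
keytool -v -importkeystore -srckeystore <name>.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS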
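# Add a passphrase to a private key (Jetty, for example, needs an encrypted key).
# Use AES rather than legacy -des3, and keep the passphrase off the command
# line: a literal `pass:...` on argv is visible in shell history and to `ps`.
read -rs -p 'Key passphrase: ' KEYPASS; echo; export KEYPASS
openssl rsa -in 01.cloud.hortonworks.com.key -aes256 -out 01.cloud.hortonworks.com.key.pw -passout env:KEYPASS
# Write out a PKCS#12 bundle (certificate + key). With -export, -password is
# the export password (read from pass.txt); -passin unlocks the input key.
openssl pkcs12 -export -in 01.cloud.hortonworks.com.crt -inkey 01.cloud.hortonworks.com.key \
  -certfile 01.cloud.hortonworks.com.crt -out https.crt -password file:pass.txt -passin env:KEYPASS
# Add a certificate to the Ambari truststore.
# keytool accepts -storepass:env NAME and -storepass:file PATH, so the store
# password does not have to be typed on argv as it is here.
/usr/jdk64/jdk1.8.0_40/bin/keytool -import -alias 'master-crt' -storetype 'pkcs12' -keystore '/var/lib/ambari-server/keys/keystore.p12' \
  -file '/etc/ambari-server/conf/01.cloud.hortonworks.com.crt' -storepass 'horton' -noprompt
# Create a PKCS#12 keystore with openssl.
# If -password and -passin name the SAME file, openssl reads the input
# password from its first line and the export password from its SECOND line
# (see the pass-phrase options in openssl(1)); use separate files, as here,
# or a two-line file.
openssl pkcs12 -export -in '/var/lib/ambari-server/keys/https.crt' -inkey '/var/lib/ambari-server/keys/https.key' \
  -certfile '/var/lib/ambari-server/keys/https.crt' -out '/var/lib/ambari-server/keys/https.keystore.p12' \
  -password file:'/var/lib/ambari-server/keys/https.pass.txt' -passin file:'/var/lib/ambari-server/keys/pass.txt'
# Use keytool to create a keystore, export its certificate and import that
# into the JDK cacerts. "password" and "changeit" are placeholders/defaults;
# replace them outside a sandbox.
keytool -genkey -keyalg RSA -alias hive -keystore hive.jks -storepass password -validity 360 \
  -keysize 2048 -dname "CN=sandbox.hortonworks.com, OU=Eng, O=Hortonworks, L=Palo Alto, ST=CA, C=US" -keypass password
keytool -exportcert -file hive.crt -keystore hive.jks -alias hive \
  -storepass password -keypass password
keytool -import -file hive.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts \
  -storepass changeit -alias hive
# Import a key from openssl into a keystore.
# A bundle exported without -name shows up in keytool as alias "1";
# importkeystore selects the source entry with -srcalias (it has no plain
# -alias option) and renames it with -destalias.
openssl pkcs12 -export -in vhdp0001_swe1.crt -inkey vhdp0001_swe1.key -out vhdp0001_swe1.p12
keytool -importkeystore -destkeystore keystore.jks -srckeystore vhdp0001_swe1.p12 -srcstoretype pkcs12 -srcalias 1 -destalias rangeradmin
# Bundle key, certificate and the issuing CA under a friendly name.
# -certfile already puts the intermediate into the bundle. -chain would
# additionally try to build and verify the whole chain from a CA store
# (-CAfile/-CApath) and is a fatal error when the issuer is not found there,
# so it is not used here.
openssl pkcs12 -export -in /root/.ssh/srv.crt -inkey /root/.ssh/srv.key \
  -out /root/.ssh/srv.p12 -name host \
  -certfile /root/.ssh/DigiCertCA.crt \
  -caname DigiCertCA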