# merging keytabs (interactive MIT ktutil session)
# rkt reads each keytab into ktutil's in-memory key list, wkt writes the combined list out.
# wkt appends to an existing file instead of replacing it, so write to a fresh path (as here)
# or you end up with duplicate/stale entries. The merged file holds the keys of both
# services: give it the most restrictive owner/mode the consuming service allows (chmod 400).
$ ktutil
ktutil: rkt /etc/security/keytabs/httpfs.service.keytab
ktutil: rkt /etc/security/keytabs/spnego.service.keytab
ktutil: wkt /etc/security/keytabs/httpfs-http.service.keytab
ktutil: quit
# build a keytab from a user's password with ktutil (no kadmin access needed)
# -k must be the principal's current kvno on the KDC, otherwise the entry is never used
#   (error: "Key version number for principal in key table is incorrect").
# -password prompts for the secret, which keeps it out of argv, history and `ps`.
# RC4-HMAC (arcfour-hmac) is a deprecated, weak enctype: prefer aes256-cts-hmac-sha1-96 and
#   fall back to RC4 only if the KDC holds no AES key for this principal.
ktutil
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
- enter password for username -
wkt username.keytab
q
-k == kvno (key version number): it must equal the kvno the KDC currently holds for the principal (see the `kvno` command below, or `getprinc` in kadmin); a keytab entry with a stale kvno is not matched and authentication fails.
create service principal / service 1
http://web.mit.edu/kerberos/krb5-1.13/doc/user/user_commands/kvno.html
Encryption Types: http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#encryption-types
# kadmin.local one-liners ($principal and $tmpKeytabFile are set by the caller).
# -pw puts the password on the command line, where shell history and `ps` can read it, and
# "hadoop" is a guessable default: acceptable for a throw-away test realm only. Service
# principals should get -randkey instead; a random key is never typed, so it cannot leak.
kadmin.local -q "addprinc -pw hadoop $principal"
kadmin.local -q "addprinc -randkey $principal"
# xst writes the principal's keys to the keytab. Without -norandkey it also rotates the key
# (new kvno), invalidating every older keytab and any password login for that principal.
# chown the keytab to the service user and chmod 400/600 it afterwards.
kadmin.local -q "xst -k $tmpKeytabFile $principal"
--- xst WITHOUT -norandkey ROTATES THE KEY (NEW PASSWORD AND KVNO) WHEN CREATING THE KEYTAB ---
# plain xst generates a fresh random key and bumps the kvno: the user's password and every
# keytab issued earlier for hdfs-user stop working.
$ kadmin.local -q "xst -k /home/hdfs-user/hdfs-user.keytab hdfs-user@MYCORP.NET"
!!! use -norandkey to not randomize the password !!!:
# -norandkey exports the existing key unchanged (kvno stays the same); older MIT releases
# accept it only in kadmin.local, not in the network kadmin client.
$ kadmin.local -q "xst -norandkey -k /home/hdfs-user/hdfs-user.keytab hdfs-user@MYCORP.NET"
=> TO CHANGE BACK THE PASSWORD (!!INVALIDATES KEYTAB!!)
# cpw derives a new key (new kvno), so any keytab written before it no longer matches.
# -pw hadoop also records the password in shell history and `ps`; omit -pw to be prompted.
$ kadmin.local -q "cpw -pw hadoop hdfs-user"
--- ktutil addent -password BUILDS THE KEYTAB FROM THE EXISTING PASSWORD AND DOES NOT CHANGE IT ---
[root@one ~]# ktutil
# One entry per enctype for the same principal. Every entry must carry that principal's
# current kvno from the KDC; here the values disagree (0, 1, 2, 2), and an entry whose kvno
# is wrong fails with "Key version number for principal in key table is incorrect".
# des3-cbc-sha1 and arcfour-hmac are deprecated/weak: keep only the AES entries unless the
# KDC really has no AES key for this account.
ktutil: addent -password -p data_artist01@MYCORP.NET -k 0 -e aes256-cts-hmac-sha1-96
ktutil: addent -password -p data_artist01@MYCORP.NET -k 1 -e aes128-cts-hmac-sha1-96
ktutil: addent -password -p data_artist01@MYCORP.NET -k 2 -e des3-cbc-sha1
ktutil: addent -password -p data_artist01@MYCORP.NET -k 2 -e arcfour-hmac
ktutil: wkt data_artist01.keytab
ktutil: q
# verify: -k = keytab, -t = timestamps, -e = enctype per entry; check kvno and enctype here
# before handing the file to the service (and chmod 400 it).
[root@one ~]# klist -kte data_artist01.keytab
Keytab name: FILE:data_artist01.keytab
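# LDAP bind/search test over LDAPS.
# LDAPTLS_CACERT pins the CA used to verify the server certificate; -W prompts for the bind
# password (keeps it out of argv and history); -x = simple bind; -d8 is verbose debug output,
# drop it once the connection works.
# ldaps:// already wraps the session in TLS, so -Z (StartTLS) is dropped here: issuing
# StartTLS on an LDAPS socket only produces an error from the server. To enforce StartTLS on
# the plain port use `-ZZ -H ldap://my.corp.net` instead (-ZZ fails hard, single -Z only warns).
export LDAPTLS_CACERT=/etc/root_ca.pem;
ldapsearch -v -x -d8 -D 'cn=BindUser,OU=Users,DC=my,DC=corp,DC=net' -b DC=my,DC=corp,DC=net -W -H ldaps://my.corp.net cn=user1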
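# convert a certificate from DER form to PEM form
# -text is left out of the conversion: it writes the human-readable dump into outcert.pem in
# front of the PEM block. Inspect the result separately with `openssl x509 -in outcert.pem -noout -text`.
openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem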
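# test the TLS connection
# -connect host:port replaces the older -host/-port pair; -servername sends SNI so a
# name-based vhost returns the right certificate; </dev/null closes stdin so s_client exits
# after the handshake instead of waiting for input. -verify_return_error turns a chain
# verification failure into a handshake failure (otherwise s_client only prints it), so look
# for "Verify return code: 0 (ok)" in the output; add -CAfile <ca.pem> for a private CA.
openssl s_client -connect 01.cloud.hortonworks.com:8443 -servername 01.cloud.hortonworks.com -verify_return_error </dev/null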
# dump a PEM certificate in human-readable form (subject, issuer, validity, SANs, key size);
# -noout suppresses re-printing the PEM block itself
openssl x509 -noout -text -in certs/ca.crt
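# create a private key and a self-signed cert in one command (openssl prompts for the subject)
# -nodes writes the private key unencrypted, so the subshell sets umask 077 first: the key
# file is created mode 600 instead of world-readable. -newkey rsa:2048 pins the key size
# (the default depends on the OpenSSL version) and -days sets the validity (default is 30).
( umask 077; openssl req -nodes -new -x509 -newkey rsa:2048 -days 365 -keyout server.key -out server.cert )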
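# Export the certificate chain an LDAPS server presents, as PEM
# -connect/-servername replace -host/-port; </dev/null closes stdin so s_client returns after
# the handshake. The awk keeps every BEGIN/END CERTIFICATE block s_client printed, i.e. the
# leaf certificate as well: trusting the leaf pins that one cert and breaks on renewal, and
# the root is normally not sent by the server at all. Prefer the CA certificate obtained out
# of band, or strip the bundle down to the CA entries before importing.
openssl s_client -connect <host>:636 -servername <host> -showcerts </dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' > /root/certs.pem
# Import into a Java truststore (keytool prompts "Trust this certificate?" -- compare the
# fingerprint before answering). keytool stores one certificate per alias; with a multi-cert
# PEM file only the first certificate is taken, so split certs.pem and import each CA cert
# under its own alias, then check with `keytool -list`. Editing the JDK's own cacerts is lost
# on JDK upgrade; a dedicated truststore passed via javax.net.ssl.trustStore is more durable.
keytool -importcert -trustcacerts -alias ldap_certs -keystore /etc/pki/..../cacerts -file /root/certs.pem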
# Wrap a host certificate (<name>.pem) and its private key (<private>.key) into a PKCS#12 file.
# openssl prompts for an export password; that same password is what keytool asks for as the
# source store password in the next step.
openssl pkcs12 -export -in <name>.pem -inkey <private>.key -out <name>.pkcs12
# Copy the key entry from the PKCS#12 file into a JKS keystore (-v prints progress).
# JKS is the legacy proprietary format; recent keytool versions warn and suggest PKCS12.
# Add -srcalias/-destalias when the .p12 holds several entries or the alias should not be "1".
keytool -importkeystore -v -srcstoretype PKCS12 -srckeystore <name>.pkcs12 -deststoretype JKS -destkeystore keystore.jks
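# add a passphrase to a private key (jetty for example needs keys with password)
# -passout pass:<secret> exposes the passphrase in shell history and, via `ps`, to every local
# user; read it from a one-line file created with mode 600 instead
# (e.g. `( umask 077; printf '%s\n' "$passphrase" > key.pass )`).
# -des3 wraps the key with legacy 3DES; AES-256 is the current choice and openssl reads it fine.
openssl rsa -in 01.cloud.hortonworks.com.key -aes256 -out 01.cloud.hortonworks.com.key.pw -passout file:key.pass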
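# write out a PKCS#12 bundle (certificate + private key)
# -passin is the key's passphrase; pass:<secret> lands in history and `ps`, so read it from
# a mode-600 file like the export password already is. Use two different files, or one file
# whose line 1 is the -passin password and line 2 the -password one.
# -passin only matters if the key is encrypted: point -inkey at the .key.pw produced by the
# previous step, or drop -passin for an unencrypted .key.
# -certfile is meant for the issuing CA chain; repeating the leaf cert there just stores it
# twice, so it is left out here (add `-certfile ca-chain.crt` when a chain is needed).
openssl pkcs12 -export -in 01.cloud.hortonworks.com.crt -inkey 01.cloud.hortonworks.com.key.pw \
-out https.crt -password file:pass.txt -passin file:key.pass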
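# add the server certificate to the Ambari PKCS#12 store as a trusted entry
# -storepass on the command line is recorded in shell history and visible in `ps`; it is
# omitted so keytool prompts for it (keytool builds that support the modifier also accept
# -storepass:file <path> with a mode-600 file).
# -noprompt skips the "Trust this certificate?" question -- fine for a cert you issued
# yourself, otherwise compare the fingerprint first.
/usr/jdk64/jdk1.8.0_40/bin/keytool -importcert -alias 'master-crt' -storetype 'pkcs12' -keystore '/var/lib/ambari-server/keys/keystore.p12' \
-file '/etc/ambari-server/conf/01.cloud.hortonworks.com.crt' -noprompt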
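# create a PKCS#12 store with openssl
# -password = export/store password, -passin = passphrase of https.key; both come from files
# so neither secret appears in argv. If the same file is given to both, openssl reads the
# -passin password from line 1 and the -password one from line 2; two separate one-line
# mode-600 files are less error-prone. -certfile should carry the CA chain -- passing the leaf
# cert again only duplicates it in the bundle.
# The trailing backslashes are required: without them each line runs as a separate command.
openssl pkcs12 -export -in '/var/lib/ambari-server/keys/https.crt' -inkey '/var/lib/ambari-server/keys/https.key' \
  -certfile '/var/lib/ambari-server/keys/https.crt' -out '/var/lib/ambari-server/keys/https.keystore.p12' \
  -password file:'/var/lib/ambari-server/keys/https.pass.txt' -passin file:'/var/lib/ambari-server/keys/pass.txt'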
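# keytool: generate a key pair in its own keystore, export the cert, import it into a truststore
# Continuation backslashes added: without them the second line of each command ran on its own.
# -storepass/-keypass are omitted so keytool prompts instead of leaving "password" in shell
# history and `ps` output; pick real passwords when prompted.
keytool -genkeypair -keyalg RSA -alias hive -keystore hive.jks -validity 360 \
  -keysize 2048 -dname "CN=sandbox.hortonworks.com, OU=Eng, O=Hortonworks, L=Palo Alto, ST=CA, C=US"
keytool -exportcert -file hive.crt -keystore hive.jks -alias hive
# Importing into the JDK-wide cacerts (default password "changeit") changes trust for every
# Java program on the host and is lost on the next JDK upgrade; a dedicated truststore set via
# javax.net.ssl.trustStore is the usual choice. keytool prompts for the store password.
keytool -importcert -file hive.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts \
  -alias hive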
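# import a key from openssl into a Java keystore
# -out instead of a shell redirect: the .p12 is binary and a redirect also swallows any
# prompt/error output ordering. openssl prompts for the export password.
openssl pkcs12 -export -in vhdp0001_swe1.crt -inkey vhdp0001_swe1.key -out vhdp0001_swe1.p12
# An entry exported without -name shows up in Java under alias "1". It is selected with
# -srcalias (-alias is not an -importkeystore option: depending on the JDK it is ignored, which
# imports every entry, or rejected) and renamed in the destination with -destalias.
keytool -importkeystore -destkeystore keystore.jks -srckeystore vhdp0001_swe1.p12 -srcstoretype pkcs12 -srcalias 1 -destalias rangeradmin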
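# PKCS#12 bundle with the intermediate CA included
# -certfile adds the CA cert(s) to the bundle and -caname labels them; -name is the friendly
# name that becomes the alias on the Java side.
# -chain (the "??" in the original) asks openssl to build the chain itself from
# -CAfile/-CApath and fails with "Error ... getting chain" when the issuer is not found
# there; with the intermediate supplied via -certfile it is redundant and is dropped here.
# openssl prompts for the export password; protect srv.key and srv.p12 with mode 600.
openssl pkcs12 -export -in /root/.ssh/srv.crt -inkey /root/.ssh/srv.key \
-out /root/.ssh/srv.p12 -name host \
-certfile /root/.ssh/DigiCertCA.crt \
-caname DigiCertCA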