Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.
Ranger KMS with KTS의 TLS를 enable하고 restart할때 아래와 같은 오류가 발생되면서 start에 실패하는 경우가 있는데 원인은 Ranger KMS with KTS가 내부적으로 Key Trustee Server와 TLS통신을 하는데 Ranger KMS with KTS서버의 truststore에 등록된 Key Trustee Server서버의 인증서 유효기간이 만료된 경우 일 수 있어 등록된 인증서의 유효기간을 확인해 보고 필요시 Key Trustee Server서버의 사설인증서를 발급해서 Ranger KMS with KTS서버로 복사후 truststore 에 import하여 준다.
(특히, Ranger KMS with Key Trustee Server의 "Enable TLS/SSL for Ranger KMS server with KTS"가 비활성화 되어 있으면 Ranger에서 변경한 cm_kms의 변경사항이 Client에 전달되지 않아 반영되지 않는다)
* 조치방법(Key Trustee Server노드에서 인증서를 새로 발급하고 이를 Ranger KMS with KTS의 truststore파일에 등록해준다)
--- 인증서 정보 확인----
1. Key Trustee Server의 인증서 확인
- sudo openssl x509 -in /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.pem -text -noout
2. truststore파일의 인증서 목록 확인
- sudo keytool -keystore /opt/cloudera/security/certs/truststore -storepass changeit -list -v
--------Key Trustee Server의 active, passive에서 각각 수행한다.
3.1. ssl-cert-keytrustee용 비밀키 생성및 CSR생성
<active노드에서>
- sudo openssl genrsa -out /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key 2048
- sudo openssl req -new -key /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key -out /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.csr
<passive노드에서>
- sudo openssl genrsa -out /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key 2048
- sudo openssl req -new -key /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key -out /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.csr
3.2 ssl-cert-keytrustee용 신규 인증서 생성
<active노드에서>
- sudo openssl x509 -req -days 3650 -in /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.csr -signkey /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key -out /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.pem
<passive노드에서>
- sudo openssl x509 -req -days 3650 -in /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.csr -signkey /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key -out /var/lib/keytruste
3.3. Cloudera Manager Console에서 Key Trustee Server(2곳, active, passive)의 설정을 아래와 같이 변경하고 각 서비스를 restart해준다.
- Active Key Trustee Server TLS/SSL Server Certificate File (PEM Format):
/var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem -> /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.pem
- Active Key Trustee Server TLS/SSL Server Private key File (PEM Format):
/var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem -> /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key
- Passive Key Trustee Server TLS/SSL Server Certificate File (PEM Format):
/var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem -> /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.pem
- Passive Key Trustee Server TLS/SSL Server Private key File (PEM Format):
/var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem -> /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk2.key
-------KTS의 인증서를 Ranger KMS with KTS로 복사및 Ranger KMS with KTS의 truststore파일에 import
4.1. KTS의 active노드에 있는 /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.pem를 cp로 active-ssl-cert-keytrustee2.pem로 만든 후
- Ranger KMS with KTS #1노드의 /home/hadoop에 복사
- Ranger KMS with KTS #2노드의 /home/hadoop에 복사
4.2. KTS의 passive노드에 있는 /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee2.pem를 cp로 passive-ssl-cert-keytrustee2.pem로 만든 후
- Ranger KMS with KTS #1노드의 /home/hadoop/에 복사
- Ranger KMS with KTS #2노드의 /home/hadoop/에 복사
- sudo keytool -importcert -keystore /opt/cloudera/security/certs/truststore -file /home/hadoop/active-ssl-cert-keytrustee2.pem -alias activektca
- sudo keytool -importcert -keystore /opt/cloudera/security/certs/truststore -file /home/hadoop/passive-ssl-cert-keytrustee2.pem -alias passivektca
- sudo keytool -importcert -keystore /opt/cloudera/security/certs/truststore -file /home/hadoop/active-ssl-cert-keytrustee2.pem -alias activektca
- sudo keytool -importcert -keystore /opt/cloudera/security/certs/truststore -file /home/hadoop/passive-ssl-cert-keytrustee2.pem -alias passivektca
4.4.Cloudera Manager Console에서 Ranger KMS with KTS의 TLS를 "Enable TLS/SSL for Ranger KMS Server with KTS"를 enable시키고 노드 2곳 모두 restart해준다
*오류 내용
ERROR TrusteeKeyProviderConfiguration FingerPrint lookup on a KTS server: sunsecurity.validator.ValidatorException: PKIX apth buildingfaile: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target