Refreshing TLS/SSL certificates

If you have TLS/SSL enabled for BDD, you can use the bdd-admin script to refresh your certificates, when needed.

For more information on refreshing your TLS/SSL certificates with bdd-admin, see cert.

Before beginning this procedure, verify that the password for $JAVA_HOME/jre/lib/security/cacerts is still the JDK default, changeit; bdd-admin opens the truststore with that password.

To refresh your TLS/SSL certificates:

  1. Export the public key certificates from all Hadoop nodes running TLS/SSL-secured HDFS, YARN, Hive, and/or KMS. Only the public certificate is exported; no private key leaves the Hadoop node.
    You can do this with the following command:
    keytool -exportcert -alias <alias> -keystore <keystore_filename> -file <export_filename>
    Where:
    • <alias> is the certificate's alias.
    • <keystore_filename> is the absolute path to your keystore file. You can find this in Cloudera Manager/Ambari/MCS.
    • <export_filename> is the name of the file to export the certificate to.
  2. Copy all of the exported certificates to the directory on the Admin Server defined by HADOOP_CERTIFICATES_PATH in bdd.conf.
  3. On the Admin Server, go to $BDD_HOME/BDD_manager/bin and run:
    ./bdd-admin.sh publish-config cert
When the script runs, it imports the certificates into the custom truststore and then copies that truststore to $BDD_HOME/common/security/cacerts on all BDD nodes. Repeat the procedure whenever the Hadoop certificates are replaced: a truststore that still holds the old certificates does not trust the new ones.
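The following script is an added example, not part of the BDD documentation or of the bdd-admin script. Its export mode performs step 1 on a Hadoop node and warns when the exported certificate is about to expire; its verify mode runs on the Admin Server after step 3 and checks, by SHA-256 fingerprint, that every certificate in HADOOP_CERTIFICATES_PATH really ended up in the published truststore. It assumes keytool and openssl are on PATH, that bdd.conf consists of plain KEY=VALUE lines at $BDD_HOME/BDD_manager/conf/bdd.conf (set BDD_CONF if yours differs), that the keystore password is supplied in the KEYSTORE_PASS environment variable rather than on the command line, and that the truststore password is the JDK default changeit; none of these details come from the page.

```sh
#!/bin/sh
# Added example (not from the BDD documentation or bdd-admin).
#   export NODE SERVICE KEYSTORE ALIAS   run on a Hadoop node (step 1)
#   verify                               run on the Admin Server after step 3
# Assumptions: keytool and openssl on PATH, KEY=VALUE lines in bdd.conf,
# keystore password in $KEYSTORE_PASS, truststore password "changeit".

# Value of KEY in a KEY=VALUE config file, with surrounding quotes removed.
conf_value() {  # conf_value FILE KEY
  sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Export file name for one node/service pair, e.g. hadoop1-hdfs.cer.
export_name() {  # export_name NODE SERVICE
  printf '%s-%s.cer\n' "$1" "$2"
}

# SHA-256 fingerprint (AA:BB:... form) of a PEM certificate file.
cert_fingerprint() {  # cert_fingerprint CERTFILE
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Print those of the given SHA-256 fingerprints that do NOT appear in
# `keytool -list -v` output read from stdin; prints nothing if all are present.
missing_fingerprints() {  # missing_fingerprints FP... < keytool-list-v-output
  listing=$(tr 'a-f' 'A-F')            # normalise hex case on both sides
  for fp in "$@"; do
    fp=$(printf '%s' "$fp" | tr 'a-f' 'A-F')
    printf '%s\n' "$listing" | grep -q "SHA256: $fp" || printf '%s\n' "$fp"
  done
}

# Step 1 on a Hadoop node: export the public certificate only (never the
# private key). -storepass:env keeps the password out of argv and shell history.
# A certificate that expires within 30 days is still exported but flagged,
# because Hadoop will rotate it soon and this whole procedure must then be redone.
export_cert() {  # export_cert NODE SERVICE KEYSTORE ALIAS
  out=$(export_name "$1" "$2")
  keytool -exportcert -rfc -alias "$4" -keystore "$3" \
    -storepass:env KEYSTORE_PASS -file "$out" || return 1
  openssl x509 -in "$out" -noout -checkend 2592000 >/dev/null \
    || echo "WARNING: $out expires within 30 days" >&2
  echo "$out $(cert_fingerprint "$out")"   # record the fingerprint for verify
}

case "${1:-}" in
  export)
    shift; export_cert "$@" ;;
  verify)
    conf=${BDD_CONF:-$BDD_HOME/BDD_manager/conf/bdd.conf}   # assumed location
    dir=$(conf_value "$conf" HADOOP_CERTIFICATES_PATH)
    set --
    for f in "$dir"/*.cer; do set -- "$@" "$(cert_fingerprint "$f")"; done
    missing=$(keytool -list -v -keystore "$BDD_HOME/common/security/cacerts" \
                -storepass changeit | missing_fingerprints "$@")
    if [ -n "$missing" ]; then
      echo "not in truststore: $missing" >&2; exit 1
    fi
    echo "all $# certificates present in $BDD_HOME/common/security/cacerts" ;;
esac
```

Run "export" once per TLS-secured service on each Hadoop node, copy the resulting .cer files into HADOOP_CERTIFICATES_PATH on the Admin Server, run ./bdd-admin.sh publish-config cert, and then run "verify" on the Admin Server. Matching on fingerprints rather than alias names is deliberate: the page does not state which alias bdd-admin assigns on import, and a fingerprint check also catches a stale copy of a certificate left over from an earlier refresh.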