Repository: oozie Updated Branches: refs/heads/master 8b5eedb5b -> 396fcc6c4
OOZIE-2318 Provide better solution for specifying SSL truststore to Oozie Client (rkanter) Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/63d3cdfe Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/63d3cdfe Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/63d3cdfe Branch: refs/heads/master Commit: 63d3cdfe088029e81785f5485f0d7c72de1b1f12 Parents: 8b5eedb Author: Robert Kanter <[email protected]> Authored: Fri Sep 4 15:02:53 2015 -0700 Committer: Robert Kanter <[email protected]> Committed: Fri Sep 4 15:02:53 2015 -0700 ---------------------------------------------------------------------- docs/src/site/twiki/AG_Install.twiki | 24 ++++++++++++++---------- release-log.txt | 1 + 2 files changed, 15 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/63d3cdfe/docs/src/site/twiki/AG_Install.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki index 0ce2609..f043e7a 100644 --- a/docs/src/site/twiki/AG_Install.twiki +++ b/docs/src/site/twiki/AG_Install.twiki @@ -663,7 +663,7 @@ For example, if your Oozie server was at oozie.int.example.com, then you would d keytool -genkeypair -alias tomcat -keyalg RSA -dname "CN=oozie.int.example.com" -storepass password -keypass password </verbatim> If you're going to be using Oozie HA, it's simplest if you have a single certificate that all Oozie servers in the HA group can use. -To do that, you'll need to use a wild on the subdomain it belongs to: +To do that, you'll need to use a wildcard on the subdomain it belongs to: <verbatim> keytool -genkeypair -alias tomcat -keyalg RSA -dname "CN=*.int.example.com" -storepass password -keypass password </verbatim> 
@@ -671,9 +671,16 @@ The above would work on any server in the int.example.com domain. 2. Run the following command (as the Oozie user) to export a certificate file from the keystore file: <verbatim> -keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert +keytool -exportcert -alias tomcat -file path/to/anywhere/certificate.cert -storepass password </verbatim> -You'll need this later if you're using the Oozie client (or other Java-based client); otherwise, you can skip this step. + +3. Run the following command (as any user) to create a truststore containing the certificate we just exported: +<verbatim> +keytool -import -alias tomcat -file path/to/certificate.cert -keystore /path/to/anywhere/oozie.truststore -storepass password2 +</verbatim> +You'll need the =oozie.truststore= later if you're using the Oozie client (or other Java-based client); otherwise, you can skip +this step. The =storepass= value here is only used to verify or change the truststore and isn't typically required when only +reading from it; so it does not have to be given to users only using the client. ---++++To use a Certificate from a Certificate Authority 
@@ -706,16 +713,13 @@ This will configure Oozie to use HTTPS instead of HTTP. To revert back to HTTP, The first two steps are only necessary if you are using a Self-Signed Certificate; the third is required either way. Also, these steps must be done on every machine where you intend to use the Oozie Client. -1. Copy or download the .cert file onto the client machine +1. Copy or download the oozie.truststore file onto the client machine -2. Run the following command (as root) to import the certificate into the JRE's keystore. This will allow any Java program, -including the Oozie client, to connect to the Oozie Server using your self-signed certificate. +2. When using any Java-based program, you'll need to pass =-Djavax.net.ssl.trustStore= to the JVM. To +do this for the Oozie client: <verbatim> -sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts} +export OOZIE_CLIENT_OPTS='-Djavax.net.ssl.trustStore=/path/to/oozie.truststore' </verbatim> -Where ${JRE_cacerts} is the path to the JRE's certs file. It's location may differ depending on the Operating System, but its -typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts but may be under a different directory in ${JAVA_HOME} -(you may want to create a backup copy of this file first). The default password is =changeit=. 3. When using the Oozie Client, you will need to use https://oozie.server.hostname:11443/oozie instead of http://oozie.server.hostname:11000/oozie -- Java will not automatically redirect from the http address to the https address. http://git-wip-us.apache.org/repos/asf/oozie/blob/63d3cdfe/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 9c1a102..88e03fc 100644 --- a/release-log.txt +++ b/release-log.txt 
@@ -1,5 +1,6 @@ -- Oozie 4.3.0 release (trunk - unreleased) +OOZIE-2318 Provide better solution for specifying SSL truststore to Oozie Client (rkanter) OOZIE-2344 Enabling 'oozie.action.jobinfo.enable' doesn't inject the job information into the map/reduce job's configuration. (akshayrai09 via rkanter) OOZIE-2350 Package changes for release (shwethags) OOZIE-2347 Remove unnecessary new Configuration()/new jobConf() calls from oozie (puru)
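Review bot: in the first AG_Install.twiki hunk (@@ -663), the wildcard fix ("wild" to "wildcard") is right, but the sentence that follows, recommending one "CN=*.int.example.com" key pair for the whole HA group, could state the consequence: the same private key then sits in the keystore on every Oozie server, so the keystore (and the -storepass/-keypass values shown as "password") has to be protected on each node. One added sentence such as "Keep the keystore file readable only by the Oozie user on each server" would make that explicit.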
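Review bot: in the second AG_Install.twiki hunk (@@ -671), the new step 3 says the =storepass= "isn't typically required when only reading from" the truststore; that is true for JKS, but the flip side deserves a sentence: a JVM that opens the truststore without a password cannot verify its integrity, so the file must be protected from modification by filesystem permissions (anyone who can write oozie.truststore can add a certificate the client will trust). Also, the paths are inconsistent between steps: step 2 exports to "path/to/anywhere/certificate.cert" while step 3 imports from "path/to/certificate.cert"; use the same placeholder in both commands.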
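Review bot: in the third AG_Install.twiki hunk (@@ -706), the new step 2 should mention that =-Djavax.net.ssl.trustStore= replaces the JRE's default cacerts for that JVM rather than adding to it, so with OOZIE_CLIENT_OPTS set the client trusts only what is in oozie.truststore; that is consistent with the unchanged intro ("The first two steps are only necessary if you are using a Self-Signed Certificate"), but a reader with a CA-signed certificate who sets it anyway will get a trust failure. The removed cacerts step no longer applies, so the new step could also say that oozie.truststore only needs to be readable by the user running the client, which is the improvement this change is making.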
