[ https://issues.apache.org/jira/browse/HDFS-8509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15114422#comment-15114422 ]
Wellington Chevreuil commented on HDFS-8509:
--------------------------------------------

Here is a summary of the changes proposed in the given patch:

1) The *pom.xml* files of the "*hadoop-project*", "*hadoop-common-project/hadoop-kms*" and "*hadoop-hdfs-project/hadoop-hdfs-httpfs*" projects were changed to refer to Tomcat version 8;

2) The Tomcat "*server.xml*" configuration file has some changes in Tomcat 8, in relation to Tomcat 6 (mainly some listener class definitions that have changed and are not backward compatible), so this file needed to be updated in both the "*hadoop-common-project/hadoop-kms*" and "*hadoop-hdfs-project/hadoop-hdfs-httpfs*" projects;

3) Changed the "*hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh*" file to define a new variable, "*HTTPFS_SSL_KEY_PASS*", for the key password. For some reason, the "*HTTPFS_SSL_ENABLED*" variable was not defined in the *httpfs-env.sh* script, even though the [documentation|https://hadoop.apache.org/docs/stable/hadoop-hdfs-httpfs/ServerSetup.html#HTTPFS_SSL_ENABLED] says it should be set to *true* in this script in order to enable *SSL*. I have added this variable as a comment in this script;

4) From Tomcat 7 onwards, the *server.xml* connector defines a *keyPass* attribute where a specific password for the key can be provided. Changed the "*hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh*" script to copy the key password (if defined) from the "*httpfs-env.sh*" script and set it properly in *server.xml*, to be used by the *httpfs* Tomcat instance. Also noticed that "*hdfs-httpfs*" used to have a *server.xml* template for *SSL*, named "*ssl-server.xml.conf*", from which specific *SSL* options were copied to a *server.xml* file.

While testing the changes for this patch, I noticed that once *SSL* has been enabled, the standard *server.xml* would be _regenerated with the SSL options, but switching back to non-SSL (by simply disabling the HTTPFS_SSL_ENABLED flag in the httpfs-env.sh script) would not suffice to revert SSL_, as the original *server.xml* file had now been overwritten with the *SSL* options. For this reason, I also introduced a "*server.xml.conf*" template file, to _allow for an easy rollback from an SSL to a non-SSL deployment_.

> Support different passwords for key and keystore on HTTPFS using SSL. This
> requires for a Tomcat version update.
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-8509
>                 URL: https://issues.apache.org/jira/browse/HDFS-8509
>             Project: Hadoop HDFS
>          Issue Type: Task
>          Components: webhdfs
>    Affects Versions: 2.7.0
>            Reporter: Wellington Chevreuil
>            Assignee: Wellington Chevreuil
>            Priority: Minor
>         Attachments: HDFS-8509.patch
>
>
> Currently, SSL for HTTPFS requires that keystore/truststore and key passwords
> be the same. This is a limitation from Tomcat version 6, which didn't have
> support for different passwords. From Tomcat 7, this is now possible by
> defining "keyPass" property for "Connector" configuration on Tomcat's
> server.xml file.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
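The rendering step the comment describes (pick a template depending on HTTPFS_SSL_ENABLED, substitute the keystore and key passwords into the Tomcat 7+ connector, and regenerate server.xml from a template so that turning SSL off again is a clean rollback), as an added example. This is not the HDFS-8509 patch's own httpfs.sh and not project code: the placeholder names @KEYSTORE_PASS@ and @KEY_PASS@, the function names, the variable HTTPFS_SSL_KEYSTORE_PASS and the constructed templates written by write_example_templates are all this example's assumptions. The Connector attributes (keystoreFile, keystorePass, keyPass, SSLEnabled) are the real Tomcat 7/8 JSSE connector attributes.

```shell
#!/bin/sh
# Added example of an httpfs.sh-style rendering step (hypothetical; not the
# patch's script). Assumes two templates in the conf dir:
#   server.xml.conf      - plain HTTP connector, used when SSL is off
#   ssl-server.xml.conf  - HTTPS connector with @KEYSTORE_PASS@ / @KEY_PASS@
# and HTTPFS_SSL_ENABLED, HTTPFS_SSL_KEYSTORE_PASS, HTTPFS_SSL_KEY_PASS from
# httpfs-env.sh. Placeholder and variable names are this example's own.

# Escape a value for use in a sed replacement: '/', '&' and '\' are special there.
# Without this, a password such as 'key/p&w' would corrupt the rendered XML.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# Write constructed templates into $1 (sample input for the example only).
write_example_templates() {
  cat > "$1/server.xml.conf" <<'EOF'
<Server port="14001" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="14000" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
EOF
  cat > "$1/ssl-server.xml.conf" <<'EOF'
<Server port="14001" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="14000" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.base}/conf/httpfs.jks"
               keystorePass="@KEYSTORE_PASS@" keyPass="@KEY_PASS@"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
EOF
}

# Render $1/server.xml from the matching template. Because the output is always
# regenerated from a template rather than patched in place, setting
# HTTPFS_SSL_ENABLED=false on the next start is enough to roll back to plain HTTP.
render_server_xml() {
  conf_dir=$1
  out="$conf_dir/server.xml"
  if [ "${HTTPFS_SSL_ENABLED:-false}" = "true" ]; then
    ks_pass=${HTTPFS_SSL_KEYSTORE_PASS:?must be set when HTTPFS_SSL_ENABLED=true}
    # Tomcat 7+ keyPass: a separate key password if given, otherwise the
    # keystore password (the only option Tomcat 6 offered).
    key_pass=${HTTPFS_SSL_KEY_PASS:-$ks_pass}
    sed -e "s/@KEYSTORE_PASS@/$(sed_escape "$ks_pass")/g" \
        -e "s/@KEY_PASS@/$(sed_escape "$key_pass")/g" \
        "$conf_dir/ssl-server.xml.conf" > "$out"
  else
    cp "$conf_dir/server.xml.conf" "$out"
  fi
  # The rendered file holds plaintext passwords: restrict it to the service user.
  chmod 600 "$out"
}
```

Run with `HTTPFS_SSL_ENABLED=true`, `HTTPFS_SSL_KEYSTORE_PASS` and optionally `HTTPFS_SSL_KEY_PASS` exported, then `render_server_xml /path/to/conf`; the same call with `HTTPFS_SSL_ENABLED=false` overwrites server.xml with the plain template, which is the rollback the comment was missing. The `chmod 600` matters because the key password now lives in a second place besides httpfs-env.sh.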