Replacing HA Certificates

Scenario

HA certificates are used to encrypt the communication between active/standby processes and high availability processes to ensure security. Replace the HA certificates on active and standby management nodes on MRS Manager to ensure product security.

You can generate the certificate file and key file yourself.

Impact on the System

The MRS Manager system must be restarted during the replacement. While it restarts, it cannot be accessed and does not provide services.

Prerequisites

  • You have obtained the root-ca.crt root file and the root-ca.pem key file of the certificate to be replaced.
  • You have prepared a password, for example, Userpwd@123, for accessing the key file.

    The password must meet the following complexity requirements. Otherwise, security risks may be incurred.

    • The password must contain at least eight characters.
    • The password must contain at least four types of the following: uppercase letters, lowercase letters, digits, and special characters ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
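
The complexity rules above can be checked before the password is used in the procedure. The following function is an added example, not part of the MRS tooling: the name check_ha_cert_password is hypothetical, and it assumes that characters outside the four listed types count toward none of them.

```shell
#!/bin/sh
# Added example (not MRS tooling): check a key-file password against the
# complexity rules in Prerequisites. The function name is hypothetical.
check_ha_cert_password() (
    # Subshell body: LC_ALL=C keeps the ranges below ASCII-only without
    # changing the caller's locale.
    LC_ALL=C
    pw=$1
    upper=0; lower=0; digit=0; special=0; rc=0

    # Rule 1: at least eight characters.
    if [ "${#pw}" -lt 8 ]; then
        echo "password has fewer than 8 characters" >&2
        rc=1
    fi

    # Rule 2: classify the password one character at a time.
    rest=$pw
    while [ -n "$rest" ]; do
        tail=${rest#?}        # everything after the first character
        c=${rest%"$tail"}     # the first character
        rest=$tail
        case $c in
            [A-Z]) upper=1 ;;
            [a-z]) lower=1 ;;
            [0-9]) digit=1 ;;
            # Special characters listed on the page; quoted, so each is literal.
            '~'|'`'|'!'|'?'|','|'.'|':'|';'|'-'|'_'|"'"|'('|')'|'{'|'}'|'['|\
            ']'|'/'|'<'|'>'|'@'|'#'|'$'|'%'|'^'|'&'|'*'|'+'|'|'|'\'|'=')
                special=1 ;;
            # Assumption: any other character (space, non-ASCII) counts
            # toward none of the four types.
            *) ;;
        esac
    done

    [ "$upper" -eq 1 ]   || { echo "no uppercase letter" >&2; rc=1; }
    [ "$lower" -eq 1 ]   || { echo "no lowercase letter" >&2; rc=1; }
    [ "$digit" -eq 1 ]   || { echo "no digit" >&2; rc=1; }
    [ "$special" -eq 1 ] || { echo "no listed special character" >&2; rc=1; }
    exit "$rc"
)
```

The function returns 0 when the password meets both rules and 1 otherwise, printing each unmet rule to standard error. Because gen-cert.sh in the procedure takes the password as a --password argument, the value also ends up in the shell history and process list of the node, so treat both as sensitive.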

Procedure

  1. Log in to the active management node.
  2. Run the following commands to switch the user:

    sudo su - root

    su - omm

  3. Run the following command to generate root-ca.crt and root-ca.pem in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory:

    sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=country --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Administrator email address --password=password

    For example, run the following command to generate the files:

    sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=DE --state=eur --city=ber --company=dt --organize=IT --common-name=HADOOP.COM --email=abc@dt.com --password=Userpwd@123

    If the following information is displayed, the command is executed successfully:

    Generate root-ca pair success.

  4. On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-0.0.1/security/certHA directory:

    cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-0.0.1/security/certHA

  5. Copy root-ca.crt and root-ca.pem generated on the active management node to ${BIGDATA_HOME}/om-0.0.1/security/certHA on the standby management node as user omm.
  6. Run the following command to generate an HA certificate and perform automatic replacement:

    sh ${BIGDATA_HOME}/om-0.0.1/sbin/replacehaSSLCert.sh

    Enter the password as prompted and press Enter.

    Please input ha ssl cert password:

    If the following information is displayed, the HA certificate is replaced successfully:

    [INFO] Succeed to replace ha ssl cert.

  7. Run the following command to restart OMS:

    sh ${BIGDATA_HOME}/om-0.0.1/sbin/restart-oms.sh

    The following information is displayed:

    start HA successfully.

  8. Log in to the standby management node and switch to user omm. Repeat Step 6 to Step 7.

    Run the sh ${BIGDATA_HOME}/om-0.0.1/sbin/status-oms.sh command to check whether HAAllResOK of the management node is Normal. Then access MRS Manager again. If MRS Manager can be accessed, the operation is successful.