...
Code Block |
---|
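#!/usr/bin/env bash
# Copyright (c) 2011 Cloudera, Inc. All rights reserved.
#
# Ensures an IPA service principal exists and writes its keytab to a file.
#
# Arguments:
#   $1 - path of the keytab file to write (KEYTAB_OUT)
#   $2 - service principal to create/retrieve (PRINC)
#   $3 - MAX_RENEW_LIFE; accepted for interface compatibility, not used below
# Environment:
#   CMF_PRINCIPAL   - user@REALM principal used to authenticate to IPA
#   CMF_KEYTAB_FILE - keytab holding the key for CMF_PRINCIPAL

set -e
set -x

# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH="/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH"

# Fail early with a clear message instead of running ipa/kinit with empty
# arguments (an empty, unquoted expansion silently drops the argument).
: "${CMF_PRINCIPAL:?CMF_PRINCIPAL must be set}"
: "${CMF_KEYTAB_FILE:?CMF_KEYTAB_FILE must be set}"

CMF_USER=${CMF_PRINCIPAL%%@*}
CMF_REALM=${CMF_PRINCIPAL##*@}

KEYTAB_OUT=${1:?usage: $0 KEYTAB_OUT PRINC MAX_RENEW_LIFE}
PRINC=${2:?usage: $0 KEYTAB_OUT PRINC MAX_RENEW_LIFE}
MAX_RENEW_LIFE=$3

# A keytab is a long-lived credential. Restrict the creation mode up front so
# the file is never readable by other users between creation and the chmod
# at the end of the script.
umask 077

kinit -k -t "$CMF_KEYTAB_FILE" -p "$CMF_PRINCIPAL"

# Destroy the ticket obtained above on every exit path; with `set -e` a failed
# ipa command would otherwise leave it in the credential cache.
# NOTE(review): this acts on the default credential cache of the calling
# user; confirm the script runs under a dedicated account or set KRB5CCNAME.
trap 'kdestroy' EXIT

# Strip the "server:" / "host:" label and any surrounding whitespace, so the
# values stay clean now that they are quoted (no word splitting to trim them).
IPASERVER=$(ipa env server | sed 's/^[[:space:]]*server:[[:space:]]*//')
IPACLIENT=$(ipa env host | sed 's/^[[:space:]]*host:[[:space:]]*//')

# `set -e` does not see a failure inside the pipelines above, so check the
# results explicitly.
if [[ -z "$IPASERVER" || -z "$IPACLIENT" ]]; then
  echo "Could not determine IPA server or client host from 'ipa env'" >&2
  exit 1
fi

# NOTE(review): service-find treats its argument as search criteria, so a
# principal whose name is contained in another existing principal may be
# reported as found; service-show is the exact lookup. Confirm before changing.
if ipa service-find "$PRINC"; then
  echo "Service principle $PRINC found"
else
  echo "Service principle $PRINC not created, creating"
  ipa service-add "$PRINC" --pac-type=NONE
fi

# Best effort by design: these return non-zero when the permission is already
# granted, which must not abort the script.
ipa service-allow-create-keytab --users="$CMF_USER" --hosts="$IPACLIENT" "$PRINC" || true
ipa service-allow-retrieve-keytab --users="$CMF_USER" --hosts="$IPACLIENT" "$PRINC" || true

# Without -r, ipa-getkeytab generates a new key, which invalidates keytabs
# issued earlier for the same principal. Only do that when no keytab exists
# yet; otherwise retrieve the existing key with -r.
if ipa service-show "$PRINC" | grep 'Keytab' | grep 'False'; then
  echo "Creating keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT"
else
  echo "Retrieving keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -r -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT"
fi

# Also covers a pre-existing keytab file that had wider permissions.
chmod 600 "$KEYTAB_OUT"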
...
named - Internet domain name server
...
certmonger
公钥基础设施(PKI):用于认证服务方,即认证非对称密钥体系中公钥提供方的身份。
...
生成证书:
Code Block |
---|
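# Build a Java keystore for the hdfs service from its PEM certificate and key,
# then add the IPA CA certificate as a trusted entry.
#
# The keystore password is read from the environment instead of being written
# on the command line, where it would be visible in the process list and in
# shell history.
: "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
export KEYSTORE_PASS

# Bundle certificate and private key into a PKCS#12 file under the alias "hdfs".
openssl pkcs12 -export -name hdfs -passout env:KEYSTORE_PASS -in hdfs.pem.5 -inkey hdfs.key.5 -out hdfs.p12

# Import the PKCS#12 entry into hdfs.jks.
keytool -importkeystore -srckeystore hdfs.p12 -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS -destkeystore hdfs.jks -deststorepass:env KEYSTORE_PASS -alias hdfs

# Convert hdfs.jks in place to the PKCS12 store type (keytool prompts for the passwords).
keytool -importkeystore -srckeystore hdfs.jks -destkeystore hdfs.jks -deststoretype pkcs12

# Trust the IPA CA (keytool prompts for the password and for confirmation).
keytool -keystore hdfs.jks -import -file /etc/ipa/ca.crt -alias ipa-ca

# Both files contain the service's private key; keep them owner-only.
chmod 600 hdfs.p12 hdfs.jks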