开源大数据集群部署(十六)Hadoop集群部署(一)
[root@hd1.dtstack.com hadoop]# cd /opt/hadoop/
[root@hd1.dtstack.com hadoop]# cd bin/ && vi on.sh
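#!/bin/bash
# on.sh — driver for the cluster TLS setup: create the shared CA once on this
# node (ca_install.sh), then build a keystore/truststore on every host over
# ssh (keystore.sh). Both helper scripts must exist at $path1 on every host.
set -euo pipefail

# Directory that holds ca_install.sh and keystore.sh on every host.
path1=/opt/hadoop/bin
# Space-separated hosts that receive a keystore, visited in this order.
hosts="hd1.dtstack.com hd3.dtstack.com hd2.dtstack.com"

echo "===========begine install ca ==========="
# ca_install.sh uses bash-only syntax (the `function` keyword), so run it
# with bash rather than sh; stop the rollout if CA creation fails, since
# every keystore.sh run below depends on the CA files it produces.
bash "$path1/ca_install.sh" || { echo "ca_install.sh failed" >&2; exit 1; }
echo "===========finish install ca ==========="

echo "===========begine install https ==========="
for host in $hosts; do   # intentional word-splitting of the host list
  # -t allocates a tty so the expect prompts inside keystore.sh behave as
  # they would on a console; a failing host aborts the run.
  ssh -t "$host" "$path1/keystore.sh" || { echo "keystore.sh failed on $host" >&2; exit 1; }
done
echo "===========finish install https ==========="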
添加ca脚本
vi ca_install.sh
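#! /bin/bash
# ca_install.sh — generate the cluster-wide CA on this node and distribute
# its key and certificate to every host in hostnamess (run once, from on.sh).
set -euo pipefail

# Directory for the CA key/cert; the same path is created on every host.
readonly path=/data/kerberos/hdfs_ca
# Install https across the cluster: hosts that receive hdfs_ca_key/hdfs_ca_cert.
readonly hostnamess="hd1.dtstack.com hd3.dtstack.com hd2.dtstack.com"
# Passphrase protecting the CA private key. It is a static value shared by
# every script in this set, so keep this file out of version control and
# out of world-readable locations.
readonly passwords=abc123
# Used as the CN of the CA certificate. uname -n is the fallback on hosts
# without a hostname binary (same nodename value).
hostname1=$(hostname 2>/dev/null || uname -n)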
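#######################################
# Generate the CA key pair on this node and copy it to every cluster host.
# Globals:   path (read)       - CA directory, created on each remote host
#            hostnamess (read) - space-separated hosts that receive the CA files
#            passwords (read)  - passphrase protecting hdfs_ca_key
#            hostname1 (read)  - CN of the CA certificate
# Outputs:   progress lines on stdout; openssl/expect chatter passes through
# Returns:   0 on success, 1 if the CA directory is unusable, the key pair
#            was not produced, or a remote mkdir/copy failed
#######################################
function make_CA(){
  local hostnames=$hostnamess
  local password=$passwords
  local host
  echo 'make_CA begin ...'
  # Everything below is relative to $path; bail out rather than operate in
  # whatever directory the caller happened to be in.
  cd "$path" || { echo "make_CA: cannot cd to $path" >&2; return 1; }
  # Remove CA material left by a previous run. ${path:?} aborts instead of
  # expanding to "/hdfs_ca*" if the variable were ever empty.
  rm -rf -- "${path:?}"/hdfs_ca*
  # Create the CA on this one node; expect answers the passphrase prompts.
  # (The original listed the same "*phrase*" pattern twice; one arm with
  # exp_continue covers every prompt.)
  /usr/bin/expect <<EOF
set timeout 10
spawn openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj /C=CN/ST=zhejiang/L=hangzhou/O=dtstack/OU=dtstack/CN=$hostname1
expect {
"*phrase*" {send "$password\r"; exp_continue}
}
EOF
  # expect exits 0 even when openssl fails, so check for the artifacts.
  if [[ ! -s hdfs_ca_key || ! -s hdfs_ca_cert ]]; then
    echo "make_CA: openssl did not produce hdfs_ca_key/hdfs_ca_cert" >&2
    return 1
  fi
  # The CA private key is the root of trust for every host certificate: keep
  # it owner-only here and preserve that mode on the copies (scp -p), since
  # a plain scp would recreate it under the remote umask.
  chmod 600 hdfs_ca_key
  # Distribute hdfs_ca_key and hdfs_ca_cert to the other hosts.
  for host in $hostnames; do   # deliberate word-splitting of the host list
    # This host already has the files; scp onto the same path can truncate them.
    if [[ "$host" == "$hostname1" ]]; then
      continue
    fi
    echo "copy hadoop CA to $host:$path"
    ssh "root@$host" "mkdir -p $path" || { echo "make_CA: mkdir on $host failed" >&2; return 1; }
    scp -p hdfs_ca_* "$host:$path" || { echo "make_CA: scp to $host failed" >&2; return 1; }
  done
  #rm -rf hdfs_ca*
  echo 'make_CA end ...'
}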
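# Propagate a failed CA build as a non-zero exit status, so the caller
# (on.sh) does not go on to build keystores against a missing CA.
make_CA || exit 1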
添加keystore脚本
vi keystore.sh
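#! /bin/bash
# keystore.sh — run on every host (via ssh from on.sh): build this host's
# keystore and truststore from the shared CA already copied to $path.

# Directory that holds hdfs_ca_key / hdfs_ca_cert and receives the stores.
path=/data/kerberos/hdfs_ca
# Install https keystore on the cluster.
# NOTE: this list is not read by make_certificate; it is only echoed, and it
# names different hosts than on.sh/ca_install.sh (hadoop0x vs hdx).
hostnamess="hadoop01.dtstack.com hadoop03.dtstack.com hadoop02.dtstack.com"
# Password for the keystore, the key and the truststore, and passphrase of
# the CA key — the same static value ca_install.sh uses.
passwords=abc123
# CN of this host's certificate. uname -n is the fallback on hosts without
# a hostname binary (same nodename value).
current_hostnames="$(hostname 2>/dev/null || uname -n)"
# The original listing had `export.UTF-8` here, which is not a valid command
# (bash prints "command not found" and continues). It was presumably meant to
# export a UTF-8 locale (LANG/LC_ALL); the intended value is not recoverable
# from the listing, so the line is omitted — TODO confirm and restore.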
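#######################################
# Build this host's keystore and truststore from the shared CA in $path.
# Steps: generate a key pair in `keystore`; import the CA cert into
# `truststore`; export a CSR; sign it with the CA key; import the CA cert and
# the signed cert into `keystore`; copy both stores to *.jks.
# Globals:   path (read)              - directory holding hdfs_ca_key/hdfs_ca_cert
#            current_hostnames (read) - CN of the host certificate
#            passwords (read)         - password for the stores and the CA key
# Outputs:   progress on stdout; keytool/openssl chatter passes through
# Returns:   0 on success, 1 if the directory, the CA files, keytool, or the
#            resulting stores are missing
#######################################
function make_certificate(){
  local current_hostname=$current_hostnames
  local password=$passwords
  cd "$path" || { echo "make_certificate: cannot cd to $path" >&2; return 1; }
  # keytool ships with the JDK; /etc/profile is expected to put it on PATH.
  source /etc/profile
  command -v keytool >/dev/null || { echo "make_certificate: keytool not found in PATH" >&2; return 1; }
  # Both CA files must have been delivered by ca_install.sh before this runs.
  if [[ ! -s hdfs_ca_key || ! -s hdfs_ca_cert ]]; then
    echo "make_certificate: hdfs_ca_key/hdfs_ca_cert missing in $path" >&2
    return 1
  fi
  # keytool refuses to overwrite an existing alias, so a re-run against stale
  # stores would silently keep the old certificate (e.g. after a CA rotation).
  # Start from clean intermediate files, as ca_install.sh does for the CA.
  rm -f -- keystore truststore cert cert_signed
  # Generate the host key pair; expect answers every password prompt
  # (one "*password*" arm with exp_continue covers the repeated prompts that
  # the original listed four times).
  /usr/bin/expect <<EOF
spawn keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=$current_hostname, OU=dtstack, O=dtstack, L=hangzhou, ST=zhejiang, C=CN"
expect {
"*password*" {send "$password\r"; exp_continue}
}
EOF
  # Add the CA certificate to the truststore.
  /usr/bin/expect <<EOF
spawn keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert
expect {
"*password*" {send "$password\r"; exp_continue}
"*certificate*" {send "yes\r"; exp_continue}
}
EOF
  # Export a certificate request for the host key.
  /usr/bin/expect <<EOF
spawn keytool -certreq -alias localhost -keystore keystore -file cert
expect {
"*password*" {send "$password\r"; exp_continue}
}
EOF
  # Sign the request with the CA key.
  /usr/bin/expect <<EOF
spawn openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial
expect {
"*phrase*" {send "$password\r"; exp_continue}
}
EOF
  # Import the CA cert, then the signed host cert, into the keystore.
  /usr/bin/expect <<EOF
spawn keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
expect {
"*password*" {send "$password\r"; exp_continue}
"*certificate*" {send "yes\r"; exp_continue}
}
EOF
  /usr/bin/expect <<EOF
spawn keytool -keystore keystore -alias localhost -import -file cert_signed
expect {
"*password*" {send "$password\r"; exp_continue}
}
EOF
  # expect returns 0 regardless of the spawned command, so verify the result
  # before publishing the .jks files.
  if [[ ! -s keystore || ! -s truststore || ! -s cert_signed ]]; then
    echo "make_certificate: keystore/truststore/cert_signed not produced" >&2
    return 1
  fi
  # Copy the stores into their final names with the .jks suffix.
  #rm -rf /etc/security/https && mkdir -p /etc/security/https
  #chmod 755 /etc/security/https
  echo "install keystore、truststore to /data/kerberos/hdfs_ca/..."
  cp -- "$path/keystore" "$path/keystore.jks"
  cp -- "$path/truststore" "$path/truststore.jks"
  # keystore.jks holds the host private key and its mode follows the umask.
  # NOTE(review): restrict it to the account running the Hadoop daemons —
  # that owner is not known from this script.
}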
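# The message names hlk_each_host_install_https.sh; this file is keystore.sh.
echo "[+] execute hlk_each_host_install_https.sh begin ..."
# The global is hostnamess; the original echoed $hostnames, which is never
# set in this script and printed an empty value.
echo "hostnames:$hostnamess"
# current_hostname is local to make_certificate and is not yet set here;
# the global assigned at the top of the script is current_hostnames.
echo "current_hostname:$current_hostnames"
# Obtain a CA-signed certificate on this node; exit non-zero on failure so
# the ssh caller sees the status instead of a successful-looking run.
make_certificate || exit 1
echo "[+] execute hlk_each_host_install_https.sh end ..."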