文档HOT
中文
注册
我要评分
文档获取效率
文档正确性
内容完整性
文档易理解
提交
在线提单
论坛求助

ZooKeeper TLS配置

本流程中未包含证书工具的详细使用方式,需提前了解Global Cache TLS配置中证书工具的配置文件含义。

  • CCM-ZK部署
    1. 获取口令密文(在每台ZooKeeper服务端节点执行)。
      cat /opt/gcache/secure/Certs/identity.ks

      密文内容格式如下:

      AAAAAgAAAAAAAAAAAAAAAQAAAAmfTmJhF91SS6/7xEZldZErWUrkuRtyiFbjfM0gAAAAAAEAAAEAAAAAAAAAGr2WPWfiMhmqBd1w/bsAfJ2q+QBtJbC0EsBJ
    2. 修改ZooKeeper配置文件(在每台ZooKeeper服务端节点执行)。
      vi /opt/apache-zookeeper-3.6.3-bin/conf/zoo.cfg
      在ZooKeeper的每个server节点下,修改zoo.cfg,增加以下字段。 
      secureClientPort=2281
ssl.protocol=TLSv1.2
ssl.enabledProtocols=TLSv1.2
ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location= /opt/gcache/secure/Certs/keystore.jks
ssl.keyStore.password= 
    #步骤1获取到的口令密文
ssl.trustStore.location= /opt/gcache/secure/Certs/truststore.jks
ssl.trustStore.password= 
    #步骤1获取到的口令密文
ssl.switch=on 
    #on表示密码配置密文有效,off表示密码配置明文无效

      删除以下字段

      clientPort=2181
    3. 拷贝kmc密钥至ZooKeeper配置文件目录(在每台ZooKeeper服务端节点执行)。
      mkdir -p /opt/apache-zookeeper-3.6.3-bin/conf/keystore/
chmod 750 /opt/apache-zookeeper-3.6.3-bin/conf/keystore/
cp /opt/gcache/secure/kmc/kmc.primary.ks /opt/apache-zookeeper-3.6.3-bin/conf/keystore/zk_kmc_primary.ks
cp /opt/gcache/secure/kmc/kmc.standby.ks /opt/apache-zookeeper-3.6.3-bin/conf/keystore/zk_kmc_standby.ks
    4. 安装ZooKeeper安全加固补丁,将补丁boostkit-zk-secure.tar.gz上传到目录/opt/apache-zookeeper-3.6.3-bin,执行下如下命令安装(在每台ZooKeeper服务端节点执行)。
      cd /opt/apache-zookeeper-3.6.3-bin
tar xvf boostkit-zk-secure.tar.gz
cp /opt/apache-zookeeper-3.6.3-bin/build/jar/one-track-4-kmc-21.0.2.jar /opt/apache-zookeeper-3.6.3-bin/lib/one-track-4-kmc-21.0.2.jar
cp /opt/apache-zookeeper-3.6.3-bin/build/jar/boostkit-globalcache-zk-21.0.0.jar /opt/apache-zookeeper-3.6.3-bin/lib/boostkit-globalcache-zk-21.0.0.jar
    5. 修改ZooKeeper启动脚本zkServer.sh(在每台Zookeeper服务端节点执行)。
      sed -ri 's|org.apache.zookeeper.server.quorum.QuorumPeerMain|com.huawei.kunpeng.zookeeper.KunpengQuorumPeerMain|g' /opt/apache-zookeeper-3.6.3-bin/bin/zkServer.sh
    6. 将新增文件的权限赋给globalcacheop用户。
      chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin/conf/keystore/*
chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin/lib/*
    7. 重启ZooKeeper(在每台ZooKeeper服务端节点执行)。 
      1
2
3
      		 
      cd /opt/apache-zookeeper-3.6.3-bin/bin
sh zkServer.sh stop
sh zkServer.sh start
    8. 修改Global Cache配置文件(在所有节点执行)。
      vi /opt/gcache/conf/gcache.conf

      修改确认如下配置项(参考客户端和服务端中gcache.conf中的security单元下的配置根据环境进行更改配置)。

      [communicate]
zk_server_list = ceph1:2281,ceph2:2281,ceph3:2281 #端口号与步骤2中secureClientPort保持一致
[security]
tls_status = on
kmc_path = /opt/gcache/secure/kmc
cert_path = /opt/gcache/secure/Certs
  • BCM-ZK部署
    1. 获取口令密文(在每台ZooKeeper服务端节点执行)。
      cat /opt/gcache/secure/Certs/identity.ks

      密文内容格式如下:

      AAAAAgAAAAAAAAAAAAAAAQAAAAmfTmJhF91SS6/7xEZldZErWUrkuRtyiFbjfM0gAAAAAAEAAAEAAAAAAAAAGr2WPWfiMhmqBd1w/bsAfJ2q+QBtJbC0EsBJ
    2. 修改ZooKeeper配置文件(在每台ZooKeeper服务端节点执行)。
      vi /opt/apache-zookeeper-3.6.3-bin-bcm/conf/zoo.cfg
      在ZooKeeper的每个server节点下,修改zoo.cfg,增加以下字段。 
      secureClientPort=2282
ssl.protocol=TLSv1.2
ssl.enabledProtocols=TLSv1.2
ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location= /opt/gcache/secure/Certs/keystore.jks
ssl.keyStore.password= 
    #步骤1获取到的口令密文
ssl.trustStore.location= /opt/gcache/secure/Certs/truststore.jks
ssl.trustStore.password= 
    #步骤1获取到的口令密文
ssl.switch=on 
    #on表示密码配置密文有效,off表示密码配置明文无效
      删除以下字段 
      clientPort=2181
    3. 拷贝kmc密钥至ZooKeeper配置文件目录(在每台ZooKeeper服务端节点执行)。
      mkdir -p /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/
chmod 750 /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/
cp /opt/gcache/secure/kmc/kmc.primary.ks /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/zk_kmc_primary.ks
cp /opt/gcache/secure/kmc/kmc.standby.ks /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/zk_kmc_standby.ks
    4. 安装ZooKeeper安全加固补丁,将补丁boostkit-zk-secure.tar.gz上传到目录/opt/apache-zookeeper-3.6.3-bin-bcm,执行下如下命令安装(在每台ZooKeeper服务端节点执行)。
      cd /opt/apache-zookeeper-3.6.3-bin-bcm
tar xvf boostkit-zk-secure.tar.gz
cp /opt/apache-zookeeper-3.6.3-bin-bcm/build/jar/one-track-4-kmc-21.0.2.jar /opt/apache-zookeeper-3.6.3-bin-bcm/lib/one-track-4-kmc-21.0.2.jar
cp /opt/apache-zookeeper-3.6.3-bin-bcm/build/jar/boostkit-globalcache-zk-21.0.0.jar /opt/apache-zookeeper-3.6.3-bin-bcm/lib/boostkit-globalcache-zk-21.0.0.jar
    5. 修改ZooKeeper启动脚本zkServer.sh(在每台Zookeeper服务端节点执行)。
      sed -ri 's|org.apache.zookeeper.server.quorum.QuorumPeerMain|com.huawei.kunpeng.zookeeper.KunpengQuorumPeerMain|g' /opt/apache-zookeeper-3.6.3-bin-bcm/bin/zkServer.sh
    6. 将新增文件的权限赋给globalcache用户。
      chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin-bcm/conf/keystore/*
chown globalcacheop:globalcache /opt/apache-zookeeper-3.6.3-bin-bcm/lib/*
    7. 重启ZooKeeper(在每台ZooKeeper服务端节点执行)。 
      1
2
3
      		 
      cd /opt/apache-zookeeper-3.6.3-bin-bcm/bin
sh zkServer.sh stop
sh zkServer.sh start
    8. 修改bcm.xml中的BCM ZK集群配置文件。
      vi /opt/gcache/conf/bcm.xml

      修改zk_server_list的端口号为2282(bcm.xml的配置方式详见bcm.xml说明

      修改bcm.xml中的zk_server_list后,需要重新执行导入,详见验证Global Cache中的1.c1.d

父主题: TLS配置