Because the SDC runtime directory is inside the parcel directory, installing the JKS Credential Store differs slightly from the tarball and RPM installations described in our documentation.
Please note that, from a security point of view, we do not recommend using the JKS Credential Store in a production environment (the credential files are stored in the same file system). For a production environment, you can check how to configure the Vault Credential Store or the CyberArk Credential Store in SDC.
STEP 1. CHANGING PROPERTIES IN credential-stores.properties FILE (inside of the parcel directory!):
For an SDC installation with Cloudera Manager, the Java keystore file is created by default in the configuration directory inside the parcel. However, the file needs to be outside of the parcel directory so that SDC can access it. The user first has to create an external directory and then change the properties in the credential-stores.properties file (in /opt/cloudera/parcels/STREAMSETS_DATACOLLECTOR-<sdc_version>/etc/credential-stores.properties).
Example:
- create an external directory /etc/sdc-jks
mkdir /etc/sdc-jks
- change the credential-stores.properties file in /opt/cloudera/parcels/STREAMSETS_DATACOLLECTOR/etc (Runtime Directory: can be found in the SDC UI --> Administration icon --> SDC Directories) to point to the new directory:
credentialStore.jks.config.keystore.file=/etc/sdc-jks/jks-credentialStore.pkcs12
- if the user wants to change the password, or change the Java keystore credential store type from PKCS12 to JCEKS, two other properties need to be changed in the credential-stores.properties file:
credentialStore.jks.config.keystore.storePassword=differentThanDefault
credentialStore.jks.config.keystore.type=JCEKS
STEP 2. GENERATING JAVA KEYSTORE FILE
Use the jks-cs add command inside of the parcel directory (Runtime Directory: can be found in the SDC UI --> Administration icon --> SDC Directories) to add credentials to the Java keystore file.
Example:
- Go to the Runtime Directory /opt/cloudera/parcels/STREAMSETS_DATACOLLECTOR-2.7.2.0/
cd /opt/cloudera/parcels/STREAMSETS_DATACOLLECTOR-2.7.2.0/
- Run:
bin/streamsets jks-cs add -i <storeId> -n <credential name> -c <credential value>
- Now you can find the jks-credentialStore.pkcs12 file in the /etc/sdc-jks/ directory.
STEP 3. SETTING PROPERTIES IN CLOUDERA MANAGER:
For the pipelines to find the correct file and use the correct password, all of these properties have to be specified in Cloudera Manager --> Data Collector Advanced Configuration Snippet (Safety Valve) for sdc.properties:
credentialStores=jks
credentialStore.jks.def
credentialStore.jks.config.keystore.type
credentialStore.jks.config.keystore.file
credentialStore.jks.config.keystore.storePassword
All of these properties have to match the values set in the credential-stores.properties file in /opt/cloudera/parcels/STREAMSETS_DATACOLLECTOR-<sdc_version>/etc.
If the user wants to add, delete, or list values, the user must run the command from the parcel directory.
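One way to check that the safety valve values from step 3 match credential-stores.properties and that the keystore file from step 1 sits outside the parcel. This is an added example, not StreamSets code: it assumes the safety valve snippet has been pasted into a local file, and the script name check-jks.sh and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not StreamSets code. Assumption: the safety valve snippet from
# Cloudera Manager has been pasted into a local file (second argument).

PARCEL_ROOT="/opt/cloudera/parcels"   # parcel location used on this page
KEYS="credentialStores credentialStore.jks.def
credentialStore.jks.config.keystore.type
credentialStore.jks.config.keystore.file
credentialStore.jks.config.keystore.storePassword"

# Print the value of key $2 from properties file $1; fail if the key is absent.
get_prop() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }                      # skip comment lines
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key != k) next
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); found = 1 }
    END { if (!found) exit 1; print v }' "$1"
}

# Return 0 only if every key is set in the safety valve, matches the parcel
# file, and the keystore path is absolute and outside the parcel directory.
check_jks_config() {
  local parcel_props="$1" valve_props="$2" rc=0 key a b
  for key in $KEYS; do
    a=$(get_prop "$parcel_props" "$key") || a="<unset>"
    b=$(get_prop "$valve_props" "$key") || b="<unset>"
    # Report key names only: one of the values is the keystore password.
    if [ "$b" = "<unset>" ]; then
      echo "MISSING in safety valve: $key" >&2; rc=1
    elif [ "$a" != "$b" ]; then
      echo "MISMATCH between files: $key" >&2; rc=1
    fi
  done
  a=$(get_prop "$parcel_props" credentialStore.jks.config.keystore.file) || a=""
  case "$a" in
    "$PARCEL_ROOT"/*|[!/]*|"")
      echo "BAD PATH: keystore file is not an absolute path outside $PARCEL_ROOT" >&2
      rc=1 ;;
  esac
  return "$rc"
}

# Usage: ./check-jks.sh <credential-stores.properties> <safety-valve-snippet>
if [ "$#" -eq 2 ]; then check_jks_config "$1" "$2"; fi
```

The script prints only the names of missing or mismatched keys, so the keystore password never reaches the terminal or a log.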
May 29, 2020 01:31