Updating Flink Passwords on Ubuntu
When Platform Analytics is running on an Ubuntu operating system and you need to update Flink TLS passwords, the automated update-encrypted-password script cannot be used. Instead, follow the manual procedures outlined below to regenerate the keystores and make other necessary updates.
Update the Flink REST Truststore
To update the Flink REST Truststore, you must preserve the ca.keystore but export the signed root certificate to a new truststore and move the new truststore to the appropriate location.
1. Run the following keytool command to export the signed root certificate from the ca.keystore.
keytool -exportcert -keystore <ca name>.keystore -alias <ca alias> -storepass <ca keystore password> -file <ca file name>.cer
Sample Command:
keytool -exportcert -keystore ca.keystore -alias ca -storepass cakeystorepw -file ca.cer
2. Run the following keytool command to create a new ca.truststore file and password. The truststore will contain the signed root certificate.
keytool -importcert -keystore <ca name>.truststore -alias <ca alias> -storepass <new truststore password> -file <ca file name>.cer -noprompt
Sample Command:
keytool -importcert -keystore ca.truststore -alias ca -storepass changedpw -file ca.cer -noprompt
3. Move the new truststore to the following location in your Platform Analytics installation directory and rename it:
<installation directory>/flink/flink-certs/rest.truststore
4. In the flink-1.11/conf/flink-conf.yaml file located in your Platform Analytics installation directory, update the security.ssl.rest.truststore-password parameter with the new plain text password.
5. To encrypt the new REST truststore password, run the update-encrypted-password script:
./update-encrypted-password.sh fts <new password>
Update the Flink REST Server Certificate
In this procedure you will generate a new signed rest.keystore and move it to the appropriate location.
1. Run the following keytool command to create a new signed rest.keystore file and password.
keytool -genkeypair -alias <flink alias>.rest -keystore <rest name>.signed.keystore -dname "CN=<common name>" -ext "SAN=dns:<hostname>,ip:<IP address>" -storepass <new keystore password> -keyalg RSA -keysize 4096 -storetype PKCS12
In this command, note the following:
dname – A common name parameter is sufficient.
ext – A host name or IP address, or both.
Sample Command:
keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname "CN=localhost" -ext "SAN=dns:localhost,ip:127.0.0.1" -storepass changedpw -keyalg RSA -keysize 4096 -storetype PKCS12
2. Run the following keytool command to create a certificate signing request (CSR) file necessary to request a new certificate from the Certificate Authority.
keytool -certreq -alias <flink alias>.rest -keystore <rest name>.signed.keystore -storepass <new keystore password> -file <rest file name>.csr
Sample Command:
keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass changedpw -file rest.csr
3. Run the following keytool command to generate a REST certificate that is signed by the root CA.
keytool -gencert -alias <ca alias> -keystore <ca name>.keystore -storepass <ca keystore password> -ext "SAN=dns:<hostname>,ip:<IP address>" -infile <rest file name>.csr -outfile <rest file name>.cer
Sample Command:
keytool -gencert -alias ca -keystore ca.keystore -storepass cakeystorepw -ext "SAN=dns:localhost,ip:127.0.0.1" -infile rest.csr -outfile rest.cer
4. Run the following keytool commands to import the CA and REST certificates into the signed rest keystore.
keytool -importcert -keystore <rest name>.signed.keystore -storepass <new keystore password> -file <ca file name>.cer -alias <ca alias> -noprompt
keytool -importcert -keystore <rest name>.signed.keystore -storepass <new keystore password> -file <rest file name>.cer -alias <flink alias>.rest -noprompt
Sample Commands:
keytool -importcert -keystore rest.signed.keystore -storepass changedpw -file ca.cer -alias ca -noprompt
keytool -importcert -keystore rest.signed.keystore -storepass changedpw -file rest.cer -alias flink.rest -noprompt
5. Move the new rest.signed.keystore to the following location in your Platform Analytics installation directory and rename it:
<installation directory>/flink/flink-certs/rest.keystore
6. In the flink-1.11/conf/flink-conf.yaml file located in your Platform Analytics installation directory, update the following parameters with the new plain text password:
security.ssl.rest.keystore-password
security.ssl.rest.key-password
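One way to check the flink-conf.yaml edits from step 4 of the truststore procedure and step 6 above, as an added example that is not part of the vendor's procedure. The function names are hypothetical, the owner-only permission test is an added hardening check, and the script assumes the flat "key: value" layout of flink-conf.yaml with the plain-text values the steps write.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): post-rotation checks for the Flink REST TLS settings.
KEYS="security.ssl.rest.truststore-password security.ssl.rest.keystore-password security.ssl.rest.key-password"

# conf_value FILE KEY -> prints the value of an uncommented "KEY: value" line (last one wins)
conf_value() {
  awk -v k="$2:" '
    index($0, k) == 1 { v = substr($0, length(k) + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v); val = v }
    END { print val }' "$1"
}

# check_conf FILE -> 0 if all three passwords are set, keystore and key passwords
# agree, and the file is owner-only; otherwise prints findings and returns 1
check_conf() {
  local conf=$1 rc=0 k
  for k in $KEYS; do
    [ -n "$(conf_value "$conf" "$k")" ] || { echo "MISSING $k"; rc=1; }
  done
  # The page's keytool commands set no -keypass, so the PKCS12 key password equals the store password.
  [ "$(conf_value "$conf" security.ssl.rest.keystore-password)" = \
    "$(conf_value "$conf" security.ssl.rest.key-password)" ] || { echo "MISMATCH keystore/key password"; rc=1; }
  # Plain-text passwords live in this file: group/other permission bits should be clear.
  [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] || { echo "PERMS $conf readable beyond owner"; rc=1; }
  return $rc
}

# verify_store FILE ALIAS ENVVAR -> opens the store with the password read from the
# environment variable named ENVVAR (keytool -storepass:env), keeping it out of argv
verify_store() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found"; return 2; }
  keytool -list -keystore "$1" -alias "$2" -storepass:env "$3" >/dev/null 2>&1
}

# Constructed sample: a conf as it should look after the procedure (password from the page's samples).
demo() {
  local d; d=$(mktemp -d) || return 1
  printf '%s\n' '#security.ssl.rest.key-password: oldpw' \
    'security.ssl.rest.truststore-password: changedpw' \
    'security.ssl.rest.keystore-password: changedpw' \
    'security.ssl.rest.key-password: changedpw' > "$d/flink-conf.yaml"
  chmod 600 "$d/flink-conf.yaml"
  check_conf "$d/flink-conf.yaml" && echo "flink-conf.yaml OK"
  rm -rf "$d"
}
demo
```

To also confirm that the moved keystore opens with the configured password, export that password in a variable (for example REST_PW) and call verify_store with the rest.keystore path, the alias flink.rest and the variable name REST_PW.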
Update the Flink REST Client Certificate
In this procedure you will generate a new signed client.keystore and move it to the appropriate location.
1. Run the following keytool command to create a new signed client.keystore file and password.
keytool -genkeypair -alias <flink alias>.client -keystore <client name>.signed.keystore -dname "CN=<common name>" -ext "SAN=dns:<hostname>,ip:<IP address>" -storepass <new keystore password> -keyalg RSA -keysize 4096 -storetype PKCS12
In this command, note the following:
dname – A common name parameter is sufficient.
ext – A host name or IP address, or both.
Sample Command:
keytool -genkeypair -alias flink.client -keystore client.signed.keystore -dname "CN=localhost" -ext "SAN=dns:localhost,ip:127.0.0.1" -storepass changedpw -keyalg RSA -keysize 4096 -storetype PKCS12
2. Run the following keytool command to create a certificate signing request (CSR) file necessary to request a new certificate from the Certificate Authority.
keytool -certreq -alias <flink alias>.client -keystore <client name>.signed.keystore -storepass <new keystore password> -file <client file name>.csr
Sample Command:
keytool -certreq -alias flink.client -keystore client.signed.keystore -storepass changedpw -file client.csr
3. Run the following keytool command to generate a client certificate that is signed by the root CA.
keytool -gencert -alias <ca alias> -keystore <ca name>.keystore -storepass <ca keystore password> -ext "SAN=dns:<hostname>,ip:<IP address>" -infile <client file name>.csr -outfile <client file name>.cer
Sample Command:
keytool -gencert -alias ca -keystore ca.keystore -storepass cakeystorepw -ext "SAN=dns:localhost,ip:127.0.0.1" -infile client.csr -outfile client.cer
4. Run the following keytool commands to import the CA and client certificates into the signed client keystore.
keytool -importcert -keystore <client name>.signed.keystore -storepass <new keystore password> -file <ca file name>.cer -alias <ca alias> -noprompt
keytool -importcert -keystore <client name>.signed.keystore -storepass <new keystore password> -file <client file name>.cer -alias <flink alias>.client -noprompt
Sample Commands:
keytool -importcert -keystore client.signed.keystore -storepass changedpw -file ca.cer -alias ca -noprompt
keytool -importcert -keystore client.signed.keystore -storepass changedpw -file client.cer -alias flink.client -noprompt
5. Move the new client.signed.keystore to the following location in your Platform Analytics installation directory and rename it:
<installation directory>/flink/flink-certs/client.keystore
6. To encrypt both the new client keystore password and client key password, run the update-encrypted-password script twice as follows:
./update-encrypted-password.sh fks <new keystore password>
./update-encrypted-password.sh fk <new key password>