Modify core-site.xml

    <property>
      <name>hadoop.security.key.provider.path</name>
      <value>kms://http@localhost:9600/kms</value>
      <description>
        The KeyProvider to use when interacting with encryption keys used
        when reading and writing to an encryption zone.
      </description>
    </property>

Modify kms-site.xml

    <property>
      <name>hadoop.kms.key.provider.uri</name>
      <value>jceks://file@/${user.home}/kms.keystore</value>
    </property>
    <property>
      <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
      <value>kms.keystore.password</value>
    </property>

Create the keystore

By default the keystore file is in the /root directory. It needs to be saved under the home directory (user.home) of the user that runs the command, for example /home/hadoop.

    keytool -genkey -alias 'kmskey' -keystore /root/kms.jks -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass 123456 -storepass 123456 -validity 180

Create the file that stores the keystore access password

Run the following command in the HADOOP_HOME/etc/hadoop directory:

    echo 123456 > /opt/kms.keystore.password
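
A hardened variant of the last step, as an added example that is not part of the original page: it reads the password from stdin so it never appears in the command line or shell history, writes the password file with owner-only permissions, and audits the secret files for group or world access. The function names are hypothetical, and the directory and file paths passed in are whatever your deployment uses.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage (password is read from stdin):
#   write_password_file <conf-dir> [file-name]
#   audit_kms_secrets <password-file> <keystore-file> ...

# Write the password read from stdin to <dir>/<name> with mode 0600.
write_password_file() {
    dir=$1
    name=${2:-kms.keystore.password}   # file name used in kms-site.xml
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    IFS= read -r pw || :               # tolerate a missing final newline
    [ -n "$pw" ] || { echo "empty password" >&2; return 2; }
    (
        umask 077                      # a newly created file gets 0600
        printf '%s\n' "$pw" > "$dir/$name"
    ) || return 1
    unset pw
    chmod 600 "$dir/$name"             # also tighten a pre-existing file
}

# Succeed only if <file> exists and grants nothing to group or others.
is_owner_only() {
    [ -f "$1" ] || return 2
    mode=$(ls -ld "$1") || return 2
    # ls -l mode string: char 1 = type, 2-4 owner, 5-7 group, 8-10 others
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]
}

# Print one line per file and return non-zero if any file is too open.
audit_kms_secrets() {
    rc=0
    for f in "$@"; do
        if is_owner_only "$f"; then
            echo "OK    $f"
        else
            echo "WEAK  $f (missing, or accessible to group/others)"
            rc=1
        fi
    done
    return $rc
}
```
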