3.4. Java Keystores and Truststores

Java Keystore File for TLS

Access to the Presto coordinator must be through HTTPS when using Kerberos and LDAP authentication. The Presto coordinator uses a Java Keystore file for its TLS configuration. The key pair is generated using keytool and stored in a Java Keystore file for the Presto coordinator.

The alias in the keytool command line should match the principal that the Presto coordinator will use.

You will be prompted for the first and last name. Use the Common Name that will be used in the certificate. In this case, it should be the unqualified hostname of the Presto coordinator. In the following example, you can see this in the prompt that confirms the information is correct:

  keytool -genkeypair -alias presto -keyalg RSA -keystore keystore.jks
  Enter keystore password:
  Re-enter new password:
  What is your first and last name?
  [Unknown]: presto-coordinator.example.com
  What is the name of your organizational unit?
  [Unknown]:
  What is the name of your organization?
  [Unknown]:
  What is the name of your City or Locality?
  [Unknown]:
  What is the name of your State or Province?
  [Unknown]:
  What is the two-letter country code for this unit?
  [Unknown]:
  Is CN=presto-coordinator.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]: yes

  Enter key password for <presto>
  (RETURN if same as keystore password):

Java Truststore File for TLS

Truststore files contain certificates of trusted TLS/SSL servers, or of Certificate Authorities trusted to identify servers. For securing access to the Presto coordinator through HTTPS, the clients can configure truststores. For the Presto CLI to trust the Presto coordinator, the coordinator's certificate must be imported into the CLI's truststore.

You can either import the certificate into the default Java truststore, or into a custom truststore. You should be careful if you choose to use the default one, since you may need to remove the certificates of CAs you do not deem trustworthy.

You can use keytool to import the certificate into the truststore. In the example, we are going to import presto_certificate.cer into a custom truststore presto_trust.jks, and you will get a prompt asking whether the certificate can be trusted or not.

  $ keytool -import -v -trustcacerts -alias presto_trust -file presto_certificate.cer -keystore presto_trust.jks -keypass <truststore_pass>

Troubleshooting

Java Keystore File Verification

Verify the password for a keystore file and view its contents using keytool.

  $ keytool -list -v -keystore /etc/presto/presto.jks
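The keystore generation, truststore import and verification steps above, as an added example script that is not part of the Presto documentation: it builds both stores non-interactively and then checks that the keystore holds a private key under the expected alias, that the certificate CN is the coordinator hostname, and that the truststore carries the same certificate. It assumes keytool is on PATH; the hostname, password and file paths are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not from the Presto docs: build the coordinator keystore and the
# CLI truststore non-interactively, then check that they agree with each other.
# Assumes keytool is on PATH; host name, password and paths are sample values.
set -eu
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
HOST="presto-coordinator.example.com"        # constructed: the coordinator host name
KEYSTORE="$WORKDIR/keystore.jks"             # coordinator's keystore
TRUSTSTORE="$WORKDIR/presto_trust.jks"       # CLI's custom truststore
CERT="$WORKDIR/presto_certificate.cer"
PASS="sample-store-pass"                     # constructed sample password

# Generate the key pair (-dname replaces the interactive prompts, so CN is set
# explicitly to the host name), export its certificate, and import that
# certificate into the custom truststore (-noprompt answers the trust question).
build_presto_tls_stores() {
  rm -f "$KEYSTORE" "$TRUSTSTORE" "$CERT"
  keytool -genkeypair -alias presto -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
    -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias presto -keystore "$KEYSTORE" -storepass "$PASS" -file "$CERT"
  keytool -importcert -noprompt -trustcacerts -alias presto_trust -file "$CERT" \
    -keystore "$TRUSTSTORE" -storepass "$PASS"
}
# Print the SHA-256 fingerprint of the certificate stored under ALIAS in STORE.
fingerprint_of() {
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}
# The keystore must hold a private key under the alias the coordinator uses.
check_keystore_alias() {
  keytool -list -keystore "$KEYSTORE" -storepass "$PASS" -alias presto | grep -q PrivateKeyEntry
}
# The certificate's CN must be the coordinator host name the CLI connects to.
check_cn_matches_host() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$PASS" -alias presto | grep -q "Owner: CN=$HOST,"
}
# The truststore must carry the same certificate, not a stale or unrelated one.
check_truststore_matches() {
  [ "$(fingerprint_of "$KEYSTORE" presto)" = "$(fingerprint_of "$TRUSTSTORE" presto_trust)" ]
}
if command -v keytool >/dev/null 2>&1; then
  build_presto_tls_stores
  for check in check_keystore_alias check_cn_matches_host check_truststore_matches; do
    "$check" || { echo "$check failed" >&2; exit 1; }
  done
  echo "keystore and truststore are consistent for $HOST"
fi
```

Swap the sample password for one supplied at runtime before using this against a real deployment, since the checks only need -storepass to read the stores.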