Encrypt the Oozie Keystore Password

Starting from Oozie, follow these steps to encrypt the keystore password when Oozie is configured to use SSL.
Note: Oozie is configured to use SSL by default on secure clusters.
  1. [OPTIONAL] Export the Hadoop credential store password as a system variable:
    $ export HADOOP_CREDSTORE_PASSWORD=password
  2. Add oozie.https.keystore.pass to the jceks keystore:
    $ hadoop credential create oozie.https.keystore.pass -provider jceks://path/to/oozie.jceks
    Enter the password:
    Enter the password again:
    oozie.https.keystore.pass has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
  3. Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file along with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
  4. Update the password property to use ***** instead of a word-readable password:
Note: You can use the same jceks file for storing both database and keystore passwords.