Encrypt the Oozie Keystore Password

Starting from Oozie 5.1.0.0, follow these steps to encrypt the keystore password when Oozie is configured to use SSL.
Note: Oozie 5.1.0.0 is configured to use SSL by default on secure clusters.
  1. [OPTIONAL] Export the Hadoop credential store password as a system variable:
    $ export HADOOP_CREDSTORE_PASSWORD=password
  2. Add oozie.service.jpaservice.jdbc.password to the jceks keystore:
    $ hadoop credential create oozie.https.keystore.pass -provider jceks://path/to/oozie.jceks
    Enter the password:
    Enter the password again:
    oozie.service.jpaservice.jdbc.password has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
  3. Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file along with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
    <property>
       <name>hadoop.security.credential.provider.path</name>
       <value>jceks://path/to/oozie.jceks</value>
    </property>
  4. Update the password property to use ***** instead of a word-readable password:
    <property>
      <name>oozie.https.keystore.pass</name>
      <value>*****</value>
    </property>
Note: You can use the same jceks file for storing both database and keystore passwords.