Encryption over the HTTP protocol is implemented with support for SSL across your Hadoop cluster.
To enable WebHDFS to listen for HTTP over SSL, configure SSL on the NameNode and all
DataNodes by setting dfs.https.enable=true in the
hdfs-site.xml file.
Most commonly SSL is configured to authenticate only the Server, a mode called 1-way
SSL. For 1-way SSL you only need to configure the keystore on the NameNode and each
DataNode, using the properties shown in the table below. These parameters are set in the
ssl-server.xml file on the NameNode and each of the
DataNodes.
SSL can also be configured to authenticate the client, a mode called mutual
authentication or 2-way SSL. To configure 2-way SSL also set
dfs.client.https.need-auth=true in the
hdfs-site.xml file on the NameNode and each DataNode. The
truststore configuration is only needed when using a self-signed certificate or a
certificate that is not in the JVM's truststore.
The following configuration properties need to be specified in ssl-server.xml and ssl-client.xml.
| Property | Default Value | Description | 1-way | 2-way |
|---|---|---|---|---|
| ssl.server.keystore.type | JKS | The type of the keystore, JKS = Java Keystore, the de-facto standard in Java | Y | Y |
| ssl.server.keystore.location | None | The location of the keystore file | Y | Y |
| ssl.server.keystore.password | None | The password to open the keystore file | Y | Y |
| ssl.server truststore.type | JKS | The type of the trust store | N | Y |
| ssl.server.truststore.location | None | The location of the truststore file | N | Y |
| ssl server.truststore.password | None | The password to open the trustsore | N | Y |
The following diagram shows an HTTP or REST client's interaction with the NameNode and the DataNodes over HTTPS.
