Enable SSL on the HBase REST Server
Perform the following task to enable SSL on an HBase REST API.
Note: In order to access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required; see the Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption.
1. Create and install an SSL certificate for HBase. For example, to use a self-signed certificate:

   a. Create an HBase keystore:

      su -l hbase -c "keytool -genkey -alias hbase -keyalg RSA -keysize 1024 -keystore hbase.jks"

      At the keytool command prompt:

      - Enter the key password
      - Enter the keystore password

      Note: Add these two values to the corresponding properties in hbase-site.xml in step 2.

   b. Export the certificate:

      su -l hbase -c "keytool -exportcert -alias hbase -file certificate.cert -keystore hbase.jks"

   c. (Optional) Add the certificate to the Java keystore.

      If you are not root, run:

      sudo keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

      If you are root:

      keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts
2. Add the following properties to the hbase-site.xml configuration file on each node in your HBase cluster:

      <property>
        <name>hbase.rest.ssl.enabled</name>
        <value>true</value>
      </property>
      <property>
        <name>hbase.rest.ssl.keystore.store</name>
        <value>/path/to/keystore</value>
      </property>
      <property>
        <name>hbase.rest.ssl.keystore.password</name>
        <value>keystore-password</value>
      </property>
      <property>
        <name>hbase.rest.ssl.keystore.keypassword</name>
        <value>key-password</value>
      </property>
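A mistake that is easy to make at this step is to copy the property block into hbase-site.xml with the placeholder values (/path/to/keystore, keystore-password, key-password) left in place, or with hbase.rest.ssl.enabled set to something other than true, and only discover it after the cluster restart. The following script is an added example, not part of the HDP documentation or of HBase; it parses a site file, confirms all four hbase.rest.ssl.* properties are present, and flags placeholder values, a non-absolute keystore path and a disabled flag. The placeholder list and the sample configurations are constructed for the example.

```python
"""Sanity-check the hbase.rest.ssl.* properties in an hbase-site.xml before
restarting the cluster.  Added example; not part of the HDP documentation."""
import os
import xml.etree.ElementTree as ET

# Values copied verbatim from the documentation example; they must be replaced.
PLACEHOLDERS = {"/path/to/keystore", "keystore-password", "key-password"}

# The four properties the REST server needs for SSL (from the page above).
REQUIRED = (
    "hbase.rest.ssl.enabled",
    "hbase.rest.ssl.keystore.store",
    "hbase.rest.ssl.keystore.password",
    "hbase.rest.ssl.keystore.keypassword",
)


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def check_rest_ssl(xml_text, check_files=False):
    """Return a list of findings; an empty list means the SSL block looks sane.

    check_files=True additionally verifies the keystore exists on this host
    (only meaningful when run on the HBase node itself)."""
    props = load_properties(xml_text)
    findings = [f"missing: {key}" for key in REQUIRED if not props.get(key)]
    if findings:
        return findings
    if props["hbase.rest.ssl.enabled"].lower() != "true":
        findings.append("hbase.rest.ssl.enabled is not 'true'; REST stays plaintext")
    for key in REQUIRED[1:]:
        if props[key] in PLACEHOLDERS:
            findings.append(f"placeholder value still present in {key}")
    store = props["hbase.rest.ssl.keystore.store"]
    if not os.path.isabs(store):
        findings.append("keystore path is not absolute: " + store)
    if check_files and not os.path.isfile(store):
        findings.append("keystore file not found: " + store)
    return findings


def _site_xml(enabled, store, storepass, keypass):
    """Build a minimal hbase-site.xml fragment (constructed test input)."""
    return f"""<configuration>
  <property><name>hbase.rest.ssl.enabled</name><value>{enabled}</value></property>
  <property><name>hbase.rest.ssl.keystore.store</name><value>{store}</value></property>
  <property><name>hbase.rest.ssl.keystore.password</name><value>{storepass}</value></property>
  <property><name>hbase.rest.ssl.keystore.keypassword</name><value>{keypass}</value></property>
</configuration>"""


# Constructed samples: the documentation template as-is, and a filled-in copy.
DOC_TEMPLATE_XML = _site_xml("true", "/path/to/keystore", "keystore-password", "key-password")
GOOD_SITE_XML = _site_xml("true", "/var/lib/hbase/hbase.jks", "example-store-pw", "example-key-pw")
DISABLED_XML = _site_xml("false", "/var/lib/hbase/hbase.jks", "example-store-pw", "example-key-pw")
INCOMPLETE_XML = "<configuration><property><name>hbase.rest.ssl.enabled</name><value>true</value></property></configuration>"

if __name__ == "__main__":
    for label, xml in (("template", DOC_TEMPLATE_XML), ("filled-in", GOOD_SITE_XML)):
        print(label, check_rest_ssl(xml) or "OK")
```

Run it against the real file with `check_rest_ssl(open("/etc/hbase/conf/hbase-site.xml").read(), check_files=True)` on each node before step 3. Note that the keystore and key passwords sit in cleartext in hbase-site.xml, so the file's permissions should allow reads only by the hbase service account.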
3. Restart all HBase nodes in the cluster.
Note: For clusters using self-signed certificates, define the truststore as a custom property on the JVM. If the self-signed certificate is not added to the system truststore (cacerts), specify the Java KeyStore (.jks) file containing the certificate in applications by setting the javax.net.ssl.trustStore system property. Pass the following command argument in the application client container to use a self-signed certificate in a .jks file:

      -Djavax.net.ssl.trustStore=/path/to/keystore