Hadoop Security Guide

Enable SSL on Oozie

The default SSL configuration makes all Oozie URLs use HTTPS except for the JobTracker callback URLs. This simplifies the configuration because no changes are required outside of Oozie. Oozie inherently does not trust the callbacks; they are used as hints.

Note

Before you begin, ensure that the SSL certificate has been generated and properly configured. By default, Oozie uses the user's default keystore. To access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required; see Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption.

  1. If the Oozie server is running, stop Oozie.

  2. Change the Oozie environment variables for HTTPS if required:

    • OOZIE_HTTPS_PORT: set to the Oozie HTTPS port. The default value is 11443.

    • OOZIE_HTTPS_KEYSTORE_FILE: set to the keystore file that contains the certificate information. The default value is $<HOME>/.keystore, that is, in the home directory of the Oozie user.

    • OOZIE_HTTPS_KEYSTORE_PASS: set to the password of the keystore file. The default value is password.

    Note

    See Oozie Environment Setup for more details.

  3. Run the following command to enable SSL on Oozie:

    su -l oozie -c "oozie-setup.sh prepare-war -secure"

  4. Start the Oozie server.
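
A pre-flight check for the step 2 variables, as an added example that is not part of the original guide or of Oozie: it validates the port, confirms the keystore exists and is private to its owner, and flags the default keystore password. The function name oozie_https_preflight is hypothetical, and the check assumes the three variables are set in the shell that runs it (unset ones fall back to the documented defaults).

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight check for the step 2 variables.
# Assumes they are set in the current shell; unset ones take the documented defaults.
oozie_https_preflight() {
    port="${OOZIE_HTTPS_PORT:-11443}"
    ks="${OOZIE_HTTPS_KEYSTORE_FILE:-$HOME/.keystore}"
    pass="${OOZIE_HTTPS_KEYSTORE_PASS:-password}"
    findings=0

    # The port must be a decimal number in the TCP range 1-65535.
    case "$port" in
        ''|*[!0-9]*|??????*)
            echo "FAIL port: '$port' is not a valid port"; findings=$((findings + 1)) ;;
        *)
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "FAIL port: $port is out of range"; findings=$((findings + 1))
            fi ;;
    esac

    # The keystore must exist and be readable by the user running Oozie.
    if [ ! -r "$ks" ]; then
        echo "FAIL keystore: $ks is missing or unreadable"; findings=$((findings + 1))
    else
        # Characters 5-10 of the ls mode string are the group and other bits;
        # a keystore holding the private key should grant them nothing.
        mode=$(ls -ldL "$ks" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "WARN keystore: $ks is accessible beyond its owner ($mode)"
            findings=$((findings + 1))
        fi
    fi

    # The documented default password offers no protection for the key.
    if [ "$pass" = "password" ]; then
        echo "WARN password: OOZIE_HTTPS_KEYSTORE_PASS is the default value"
        findings=$((findings + 1))
    fi

    return "$findings"   # 0 means every check passed
}
# Usage, as the oozie user before step 3:  oozie_https_preflight && echo "ready"
```

The return status is the number of findings, so the function can gate the prepare-war step in a deployment script.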

Note

To revert to unsecured HTTP, run the following command:

su -l oozie -c "oozie-setup.sh prepare-war"