Hadoop Security Guide
Also available as:
PDF
loading table of contents...

Enabling SSL: Understanding the Hadoop SSL Keystore Factory

The Hadoop SSL Keystore Factory manages SSL for core services that communicate with other cluster services over HTTP, such as MapReduce, YARN, and HDFS. Other components that have services that are typically not distributed, or only receive HTTP connections directly from clients, use built-in Java JDK SSL tools. Examples include HBase and Oozie.

The following table shows HDP cluster services that use HTTP and support SSL for wire encryption.

Table 3.1. Components that Support SSL

ComponentServiceSSL Management
HDFSWebHDFSHadoop SSL Keystore Factory
MapReduceShuffleHadoop SSL Keystore Factory
TaskTrackerHadoop SSL Keystore Factory
YarnResource ManagerHadoop SSL Keystore Factory
JobHistoryHadoop SSL Keystore Factory
Oozie Configured in oozie-site.xml
HBaseREST APIConfigured in hbase-site.xml
HiveHiveServer2Configured in hive-site.xml
Kafka JDK: User and default
Solr JDK: User and default
Accumulo JDK: User and default
FalconREST APIJDK: User and default
KnoxHadoop cluster (REST client)JDK: default only
Knox Gateway serverJDK: User and default
HDP Security Administration Server/AgentJDK: User and default


When enabling support for SSL, it is important to know which SSL Management method is being used by the Hadoop service. Services that are co-located on a host must configure the server certificate and keys, and in some cases the client truststore, in the Hadoop SSL Keystore Factory and JDK locations. When using CA signed certificates, configure the Hadoop SSL Keystore Factory to use the Java keystore and truststore locations.

The following list describes major differences between certificates managed by the Hadoop SSL Keystore Management Factory and certificates managed by JDK:

  • Hadoop SSL Keystore Management Factory:

    • Supports only JKS formatted keys.

    • Supports toggling the shuffle between HTTP and HTTPS.

    • Supports two way certificate and name validation.

    • Uses a common location for both the keystore and truststore that is available to other Hadoop core services.

    • Allows you to manage SSL in a central location and propagate changes to all cluster nodes.

    • Automatically reloads the keystore and truststore without restarting services.

  • SSL Management with JDK:

    • Allows either HTTP or HTTPS.

    • Uses hardcoded locations for truststores and keystores that may vary between hosts. Typically, this requires you to generate key pairs and import certificates on each host.

    • Requires the service to be restarted to reload the keystores and truststores.

    • Requires certificates to be installed in the client CA truststore.

    [Note]Note

    For more information on JDK SSL Management, see "Using SSL" in Monitoring and Managing Using JMX Technology.