Enabling SSL: Understanding the Hadoop SSL Keystore Factory
The Hadoop SSL Keystore Factory manages SSL for core services that communicate with other cluster services over HTTP, such as MapReduce, YARN, and HDFS. Other components that have services that are typically not distributed, or only receive HTTP connections directly from clients, use built-in Java JDK SSL tools. Examples include HBase and Oozie.
The following table shows HDP cluster services that use HTTP and support SSL for wire encryption.
Table 3.1. Components that Support SSL
Component | Service | SSL Management |
---|---|---|
HDFS | WebHDFS | Hadoop SSL Keystore Factory |
MapReduce | Shuffle | Hadoop SSL Keystore Factory |
TaskTracker | Hadoop SSL Keystore Factory | |
Yarn | Resource Manager | Hadoop SSL Keystore Factory |
JobHistory | Hadoop SSL Keystore Factory | |
Oozie | Configured in oozie-site.xml | |
HBase | REST API | Configured in hbase-site.xml |
Hive | HiveServer2 | Configured in hive-site.xml |
Kafka | JDK: User and default | |
Solr | JDK: User and default | |
Accumulo | JDK: User and default | |
Falcon | REST API | JDK: User and default |
Knox | Hadoop cluster (REST client) | JDK: default only |
Knox Gateway server | JDK: User and default | |
HDP Security Administration | Server/Agent | JDK: User and default |
When enabling support for SSL, it is important to know which SSL Management method is being used by the Hadoop service. Services that are co-located on a host must configure the server certificate and keys, and in some cases the client truststore, in the Hadoop SSL Keystore Factory and JDK locations. When using CA signed certificates, configure the Hadoop SSL Keystore Factory to use the Java keystore and truststore locations.
The following list describes major differences between certificates managed by the Hadoop SSL Keystore Management Factory and certificates managed by JDK:
Hadoop SSL Keystore Management Factory:
Supports only JKS formatted keys.
Supports toggling the shuffle between HTTP and HTTPS.
Supports two way certificate and name validation.
Uses a common location for both the keystore and truststore that is available to other Hadoop core services.
Allows you to manage SSL in a central location and propagate changes to all cluster nodes.
Automatically reloads the keystore and truststore without restarting services.
SSL Management with JDK:
Allows either HTTP or HTTPS.
Uses hardcoded locations for truststores and keystores that may vary between hosts. Typically, this requires you to generate key pairs and import certificates on each host.
Requires the service to be restarted to reload the keystores and truststores.
Requires certificates to be installed in the client CA truststore.
Note For more information on JDK SSL Management, see "Using SSL" in Monitoring and Managing Using JMX Technology.