Hadoop Security Guide

Connecting to SSL-Enabled Components

This section explains how to connect to SSL-enabled HDP components.

Note

In order to access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required; see Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption.

Connect to SSL Enabled HiveServer2 using JDBC

HiveServer2 implements encryption using the Java SASL protocol's quality of protection (QOP) setting, which allows data moving between HiveServer2 and a JDBC client to be encrypted.

From the JDBC client, specify sasl.qop as part of the JDBC-Hive connection string, for example jdbc:hive2://hostname/dbname;sasl.qop=auth-int. Note that auth-int adds integrity protection only; use sasl.qop=auth-conf when the data itself must be encrypted. For more information on connecting to Hive, see Data Integration Services with HDP, Moving Data into Hive: Hive ODBC and JDBC Drivers.

Tip

See HIVE-4911 for more details on this enhancement.

Connect to SSL Enabled Oozie Server

On every Oozie client system, follow the instructions for the type of certificate used in your environment.

Use a Self-signed Certificate from Oozie Java Clients

When using a self-signed certificate, you must first install the certificate before the Oozie client can connect to the server.

  1. Install the certificate in the keychain:

    1. Copy or download the .cert file onto the client machine.

    2. Run the following command (as root) to import the certificate into the JRE's keystore:

      sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore $JRE_cacerts

      Where $JRE_cacerts is the path to the JRE's certs file. Its location may differ depending on the operating system, but it is typically called cacerts and located at $JAVA_HOME/lib/security/cacerts; it can be under a different directory in $JAVA_HOME. The default password is changeit.

      Java programs, including the Oozie client, can now connect to the Oozie Server using the self-signed certificate.

  2. In the connection strings change HTTP to HTTPS, for example, replace http://oozie.server.hostname:11000/oozie with https://oozie.server.hostname:11443/oozie.

    Java does not automatically redirect HTTP addresses to HTTPS.

Connect to Oozie from Java Clients

In the connection strings change HTTP to HTTPS and adjust the port, for example, replace http://oozie.server.hostname:11000/oozie with https://oozie.server.hostname:11443/oozie.

Java does not automatically redirect HTTP addresses to HTTPS.
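The following is an added example (not code from the HDP guide or the Oozie project) of a Java client that connects to the HTTPS Oozie endpoint above. Instead of importing the self-signed certificate into the JRE-wide cacerts, it points the JVM at a dedicated truststore, so only this client trusts that certificate; the truststore path, the OOZIE_TRUSTSTORE_PASSWORD variable and the host name are assumptions.

```java
import java.io.File;
import java.util.List;
import org.apache.oozie.client.OozieClient;
import org.apache.oozie.client.OozieClientException;
import org.apache.oozie.client.WorkflowJob;

// Added example; not part of the HDP guide or the Oozie code base.
public class OozieSslClient {
    // HTTPS URL following the guide's pattern; Java will not redirect an http:// URL.
    private static final String OOZIE_URL = "https://oozie.server.hostname:11443/oozie";
    // Assumed path of a JKS truststore that holds only the Oozie server's self-signed
    // certificate (created with: keytool -import -alias oozie -file cert.cert -keystore this-file).
    private static final String TRUSTSTORE = "/etc/oozie/client/oozie-truststore.jks";

    public static void main(String[] args) throws OozieClientException {
        if (!OOZIE_URL.startsWith("https://")) {
            throw new IllegalStateException("Oozie URL must be https, got " + OOZIE_URL);
        }
        if (!new File(TRUSTSTORE).canRead()) {
            throw new IllegalStateException("truststore not readable: " + TRUSTSTORE);
        }
        // Scope trust to this process rather than to every Java program on the machine.
        // Hostname verification stays enabled, so the certificate's CN/SAN must match the URL host.
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        String password = System.getenv("OOZIE_TRUSTSTORE_PASSWORD"); // assumed variable
        if (password != null) {
            // The password only enables the JKS integrity check; certificates load without it.
            System.setProperty("javax.net.ssl.trustStorePassword", password);
        }

        OozieClient client = new OozieClient(OOZIE_URL);
        // A read-only call that exercises the TLS handshake; a trust or hostname failure
        // surfaces here as an OozieClientException wrapping the SSL error.
        List<WorkflowJob> running = client.getJobsInfo("status=RUNNING", 0, 10);
        System.out.println("TLS connection OK, running workflows: " + running.size());
        for (WorkflowJob job : running) {
            System.out.println(job.getId() + " " + job.getAppName());
        }
    }
}
```

Compile and run with the Oozie client jar on the classpath; if the server certificate is not in the truststore, the getJobsInfo call fails instead of silently falling back to HTTP.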

Connect to Oozie from a Web Browser

Use https://oozie.server.hostname:11443/oozie though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie.

When using a self-signed certificate, your browser warns you that it can't verify the certificate. Add the certificate as an exception.