Connecting to SSL-Enabled Components
This section explains how to connect to SSL-enabled HDP components.
Note | |
---|---|
To access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required. See Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption. |
Connect to SSL Enabled HiveServer2 using JDBC
HiveServer2 implements encryption through the Java SASL protocol's quality of protection (QOP) setting, which allows data moving between HiveServer2 and a JDBC client to be encrypted.
From the JDBC client, specify sasl.qop as part of the JDBC-Hive connection string, for example:
jdbc:hive://hostname/dbname;sasl.qop=auth-int
The Java SASL QOP values are auth (authentication only), auth-int (authentication with integrity protection) and auth-conf (authentication with integrity and confidentiality protection), so only auth-conf encrypts the data in transit.
For more information on connecting to Hive, see Data Integration Services with HDP, Moving Data into Hive: Hive ODBC and JDBC Drivers.
Tip | |
---|---|
See HIVE-4911 for more details on this enhancement. |
Connect to SSL Enabled Oozie Server
On every Oozie client system, follow the instructions for the type of certificate used in your environment.
Use a Self-signed Certificate from Oozie Java Clients
When using a self-signed certificate, you must first install the certificate before the Oozie client can connect to the server.
Install the certificate in the keychain:
Copy or download the .cert file onto the client machine.
Run the following command (as root) to import the certificate into the JRE's keystore:
sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore <JRE_cacerts>
Where <JRE_cacerts> is the path to the JRE's certs file. Its location may differ depending on the operating system, but it is typically called cacerts and located at $JAVA_HOME/lib/security/cacerts. It can be under a different directory in $JAVA_HOME. The default password is changeit.
Java programs, including the Oozie client, can now connect to the Oozie Server using the self-signed certificate.
In the connection strings, change HTTP to HTTPS; for example, replace http://oozie.server.hostname:11000/oozie with https://oozie.server.hostname:11443/oozie.
Java does not automatically redirect HTTP addresses to HTTPS.
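An added example (not part of the original documentation): the keytool import step above with a fingerprint check in front of it, so the self-signed certificate is added to the keystore only when its SHA-256 fingerprint matches a value obtained from the Oozie administrator over a separate channel. The function names, the KEYSTORE_PASS environment variable and the expected-fingerprint argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: compare a certificate's SHA-256 fingerprint with a known
# value before importing it with keytool.

# Print the lowercase hex SHA-256 of the certificate's DER bytes.
# Accepts a PEM file (base64 between BEGIN/END markers) or a raw DER file.
cert_sha256() {
  local file="$1"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
    # Decode only the first certificate block in the file.
    awk '/-----END CERTIFICATE-----/{exit} f{print} /-----BEGIN CERTIFICATE-----/{f=1}' "$file" \
      | tr -d ' \r' | base64 -d | sha256sum | cut -d' ' -f1
  else
    sha256sum < "$file" | cut -d' ' -f1
  fi
}

# Normalize "AB:CD:..." or "abcd..." to lowercase hex without separators.
normalize_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# import_if_match CERT EXPECTED_FP KEYSTORE
# Returns 1 and imports nothing when the fingerprint differs.
# keytool reads the keystore password from the KEYSTORE_PASS environment
# variable, which keeps it out of the process list.
import_if_match() {
  local cert="$1" keystore="$3" expected actual
  expected="$(normalize_fp "$2")"
  actual="$(cert_sha256 "$cert")"
  if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: certificate has $actual" >&2
    return 1
  fi
  # Same import as the command above; -noprompt is safe here because the
  # trust decision was already made by the comparison.
  keytool -import -noprompt -alias tomcat -file "$cert" \
    -keystore "$keystore" -storepass:env KEYSTORE_PASS
}
```

Call it as `import_if_match path/to/certificate.cert <expected fingerprint> <JRE_cacerts>` with KEYSTORE_PASS exported, running as root when the target is the JRE's cacerts file.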
Connect to Oozie from Java Clients
In the connection strings, change HTTP to HTTPS and adjust the port; for example, replace http://oozie.server.hostname:11000/oozie with https://oozie.server.hostname:11443/oozie.
Java does not automatically redirect HTTP addresses to HTTPS.
Connect to Oozie from a Web Browser
Use https://oozie.server.hostname:11443/oozie, though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie.
When using a self-signed certificate, your browser warns you that it can't verify the certificate. Add the certificate as an exception.