Hadoop Security Guide

Enable SSL on the HBase REST Server

Perform the following task to enable SSL on an HBase REST API.

Note

To access SSL-enabled HDP services through the Knox Gateway, additional configuration is required on the Knox Gateway. See Configure SSL for Knox.

  1. Create and install an SSL certificate for HBase. For example, to use a self-signed certificate:

    1. Create an HBase keystore:

      su -l hbase -c "keytool -genkey -alias hbase -keyalg RSA -keysize 2048 -keystore hbase.jks"

      At the keytool command prompt:

      • Enter the key password

      • Enter the keystore password

        Note

        Add these two values to the corresponding properties in hbase-site.xml in step 2.

    2. Export the certificate:

      su -l hbase -c "keytool -exportcert -alias hbase -file certificate.cert -keystore hbase.jks"

    3. (Optional) Add the certificate to the Java keystore:

      • If you are not root, run:

        sudo keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts 
      • If you are root:

        keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts 
  2. Add the following properties to the hbase-site.xml configuration file on each node in your HBase cluster:

    <property>
      <name>hbase.rest.ssl.enabled</name>
      <value>true</value>
    </property>

    <property>
      <name>hbase.rest.ssl.keystore.store</name>
      <value>/path/to/keystore</value>
    </property>

    <property>
      <name>hbase.rest.ssl.keystore.password</name>
      <value>keystore-password</value>
    </property>

    <property>
      <name>hbase.rest.ssl.keystore.keypassword</name>
      <value>key-password</value>
    </property>

  3. Restart all HBase nodes in the cluster.
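
A pre-restart check of the step 2 settings, as an added example that is not part of the original guide: it parses hbase-site.xml text and reports REST SSL properties that are missing or still hold the placeholder values shown above. The function names and the sample keystore path are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Property names and placeholder values are the ones shown in step 2.
REQUIRED = {
    "hbase.rest.ssl.keystore.store": "/path/to/keystore",
    "hbase.rest.ssl.keystore.password": "keystore-password",
    "hbase.rest.ssl.keystore.keypassword": "key-password",
}


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_rest_ssl(xml_text):
    """Return a list of findings; an empty list means step 2 looks complete."""
    props = load_properties(xml_text)
    findings = []
    if props.get("hbase.rest.ssl.enabled", "").lower() != "true":
        findings.append("hbase.rest.ssl.enabled is not true")
    for name, placeholder in REQUIRED.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"{name} is missing or empty")
        elif value == placeholder:
            findings.append(f"{name} still holds the placeholder value")
    return findings


# Constructed sample: SSL enabled, keystore path set (hypothetical path),
# keystore password left as the placeholder, key password property absent.
SAMPLE = """<configuration>
  <property><name>hbase.rest.ssl.enabled</name><value>true</value></property>
  <property><name>hbase.rest.ssl.keystore.store</name><value>/etc/hbase/conf/hbase.jks</value></property>
  <property><name>hbase.rest.ssl.keystore.password</name><value>keystore-password</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_rest_ssl(SAMPLE):
        print(finding)
```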

Note

For clusters using self-signed certificates: Define the truststore as a custom property on the JVM. If the self-signed certificate is not added to the system truststore (cacerts), applications must point to the Java KeyStore (.jks) file containing the certificate by setting the javax.net.ssl.trustStore system property. Pass the following JVM argument in the application client container to use a self-signed certificate in a .jks file:

-Djavax.net.ssl.trustStore=/path/to/keystore