Configure Accumulo Servers
Now that the Java KeyStores have been created with the necessary information, the Accumulo configuration must be updated so that Accumulo creates the Thrift server over SSL instead of a normal socket.
Configure the following properties in accumulo-site.xml:
<property>
<name>rpc.javax.net.ssl.keyStore</name>
<value>/path/to/server.jks</value>
</property>
<property>
<name>rpc.javax.net.ssl.keyStorePassword</name>
<value>server_password</value>
</property>
<property>
<name>rpc.javax.net.ssl.trustStore</name>
<value>/path/to/truststore.jks</value>
</property>
<property>
<name>rpc.javax.net.ssl.trustStorePassword</name>
<value>truststore_password</value>
</property>
<property>
<name>instance.rpc.ssl.enabled</name>
<value>true</value>
</property>
The keystore and truststore paths are both absolute paths on the local file system (not HDFS). Remember that the server keystore should only be readable by the user running Accumulo and, if you place plain-text passwords in accumulo-site.xml, make sure that accumulo-site.xml is also not globally readable. To keep these passwords out of accumulo-site.xml, consider configuring your system with the new Hadoop CredentialProvider class.
Also, be aware that if unique passwords are used for each server when generating the certificate, this will result in a different accumulo-site.xml file for each host. Unique configuration files for each host add complexity to the configuration management of your instance. The use of a CredentialProvider (a Hadoop feature which allows passwords to be obtained from alternate systems) can help alleviate the issues with unique accumulo-site.xml files on each host. A Java KeyStore can be created using the CredentialProvider tools, which eliminates the need for passwords to be stored in accumulo-site.xml; the configuration can instead point to the CredentialProvider URI, which is consistent across hosts.
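As an added example (not part of the Accumulo documentation or code base), the following Python script audits the SSL-related properties above before a server is started: it parses the site file, checks that instance.rpc.ssl.enabled is true and that the keystore and truststore paths are absolute, and flags plain-text passwords, together with a group- or world-readable accumulo-site.xml holding them. The embedded site file is a constructed sample, and the audit_ssl_config and owner_only helpers are hypothetical names introduced here.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample of the SSL section of accumulo-site.xml (not a real deployment file).
SAMPLE_SITE_XML = """<configuration>
  <property><name>rpc.javax.net.ssl.keyStore</name><value>/path/to/server.jks</value></property>
  <property><name>rpc.javax.net.ssl.keyStorePassword</name><value>server_password</value></property>
  <property><name>rpc.javax.net.ssl.trustStore</name><value>/path/to/truststore.jks</value></property>
  <property><name>rpc.javax.net.ssl.trustStorePassword</name><value>truststore_password</value></property>
  <property><name>instance.rpc.ssl.enabled</name><value>true</value></property>
</configuration>"""

PATH_KEYS = ("rpc.javax.net.ssl.keyStore", "rpc.javax.net.ssl.trustStore")
PASSWORD_KEYS = ("rpc.javax.net.ssl.keyStorePassword", "rpc.javax.net.ssl.trustStorePassword")

def parse_site_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def owner_only(mode):
    """True if the permission bits grant nothing to group or others (e.g. 0600)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def audit_ssl_config(props, site_xml_mode=None):
    """Return a list of findings (empty list == settings look sane).
    site_xml_mode: st_mode of accumulo-site.xml, to flag a readable file holding passwords."""
    findings = []
    if props.get("instance.rpc.ssl.enabled", "").lower() != "true":
        findings.append("instance.rpc.ssl.enabled is not true; Thrift will use plain sockets")
    for key in PATH_KEYS:  # keystore/truststore must be absolute local (non-HDFS) paths
        path = props.get(key)
        if not path:
            findings.append(f"{key} is missing")
        elif not path.startswith("/"):
            findings.append(f"{key} must be an absolute local path, got {path!r}")
    plaintext = [k for k in PASSWORD_KEYS if props.get(k)]  # candidates for CredentialProvider
    if plaintext:
        findings.append("plaintext passwords in site file: " + ", ".join(plaintext))
        if site_xml_mode is not None and not owner_only(site_xml_mode):
            findings.append("accumulo-site.xml holds passwords but is group/world readable")
    return findings

if __name__ == "__main__":
    for f in audit_ssl_config(parse_site_xml(SAMPLE_SITE_XML), site_xml_mode=0o644):
        print("FINDING:", f)
```

For a real host, pass os.stat("/path/to/accumulo-site.xml").st_mode as site_xml_mode and apply owner_only to the keystore file's st_mode as well.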