Configuring Wire Encryption

Enabling SSL

Understanding the Hadoop SSL Keystore Factory

The Hadoop SSL Keystore Factory manages SSL for core services that communicate with other cluster services over HTTP, such as MapReduce, YARN, and HDFS. Other components whose services are typically not distributed, or that only receive HTTP connections directly from clients, use the built-in Java JDK SSL tools; examples include HBase and Oozie.

When enabling support for SSL, it is important to know which SSL Management method is being used by the Hadoop service. Services that are co-located on a host must configure the server certificate and keys, and in some cases the client truststore, in the Hadoop SSL Keystore Factory and JDK locations. When using CA signed certificates, configure the Hadoop SSL Keystore Factory to use the Java keystore and truststore locations.

The following list describes major differences between certificates managed by the Hadoop SSL Keystore Management Factory and certificates managed by JDK:
  • Hadoop SSL Keystore Management Factory:

    • Supports only JKS-formatted keys.

    • Supports toggling the shuffle between HTTP and HTTPS.

    • Supports two-way certificate and name validation.

    • Uses a common location for both the keystore and truststore that is available to other Hadoop core services.

    • Allows you to manage SSL in a central location and propagate changes to all cluster nodes.

    • Automatically reloads the keystore and truststore without restarting services.

  • SSL Management with JDK:

    • Allows either HTTP or HTTPS.

    • Uses hard-coded locations for truststores and keystores that may vary between hosts. Typically, this requires you to generate key pairs and import certificates on each host.

    • Requires the service to be restarted to reload the keystores and truststores.

    • Requires certificates to be installed in the client CA truststore.

    Note

    For more information on JDK SSL Management, see “Using SSL” in “Monitoring and Managing Using JMX Technology” (link below).
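The list above maps directly onto Hadoop configuration properties. The following fragments are an added illustration, not part of this page, of how the Keystore Factory features (JKS-only keystores, two-way certificate and name validation, a shared keystore/truststore location, automatic truststore reload, and the HTTP/HTTPS shuffle toggle) are expressed in core-site.xml, ssl-server.xml, and mapred-site.xml. The keystore paths and the CHANGE_ME passwords are placeholders to be replaced with the values used on the cluster.

```xml
<!-- core-site.xml: select the Hadoop SSL Keystore Factory and its validation policy -->
<property>
  <name>hadoop.ssl.keystores.factory.class</name>
  <value>org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory</value>
</property>
<property>
  <name>hadoop.ssl.require.client.cert</name>
  <value>true</value> <!-- two-way (mutual) certificate validation; default is false -->
</property>
<property>
  <name>hadoop.ssl.hostname.verifier</name>
  <value>DEFAULT</value> <!-- name validation; ALLOW_ALL disables it and weakens the check -->
</property>

<!-- ssl-server.xml: one JKS keystore/truststore location shared by the core services -->
<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value> <!-- the factory supports only JKS -->
</property>
<property>
  <name>ssl.server.keystore.location</name>
  <value>/etc/security/serverKeys/keystore.jks</value> <!-- assumed path -->
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>CHANGE_ME_keystore_password</value> <!-- placeholder -->
</property>
<property>
  <name>ssl.server.truststore.location</name>
  <value>/etc/security/serverKeys/truststore.jks</value> <!-- assumed path -->
</property>
<property>
  <name>ssl.server.truststore.password</name>
  <value>CHANGE_ME_truststore_password</value> <!-- placeholder -->
</property>
<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value> <!-- milliseconds; the factory re-reads the truststore without a restart -->
</property>

<!-- mapred-site.xml: toggle the MapReduce shuffle between HTTP and HTTPS -->
<property>
  <name>mapreduce.shuffle.ssl.enabled</name>
  <value>true</value>
</property>
```

Because the keystore and truststore files are world-readable configuration inputs on each node, restrict their filesystem permissions to the service accounts that load them.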