Encrypting communication

Encryption between HiveServer2 and its clients is independent from Kerberos authentication. HiveServer supports the following types of encryption between the service and its clients (Beeline, JDBC/ODBC):
  • SASL (Simple Authentication and Security Layer)
  • TLS/SSL (Transport Layer Security/Secure Sockets Layer)

TLS/SSL requires certificates. SASL QOP encryption does not. SASL QOP is aimed at protecting core Hadoop RPC communications. SASL QOP might cause performance problems when handling large amounts of data. You can configure HiveServer to support TLS/SSL connections from JDBC/ODBC clients using Cloudera Manager.

Client connections to HiveServer2 over TLS/SSL

A client connecting to a HiveServer2 over TLS/SSL must access the trust store on HiveServer to establish a chain of trust and verify server certificate authenticity. The trust store is typically not password protected. The trust store might be password protected to prevent its contents from being modified. However, password protected trust stores can be read from without using the password.

The client needs the path to the trust store when attempting to connect to HiveServer2 using TLS/SSL. You can specify the trust store in one of the following ways:
  • Pass the path to the trust store each time you connect to HiveServer in the JDBC connection string:
    jdbc:hive2://fqdn.example.com:10000/default;ssl=true;\
     sslTrustStore=$JAVA_HOME/jre/lib/security/jssecacerts;trustStorePassword=extraneous 
  • Set the path to the trust store one time in the Java system javax.net.ssl.trustStore property:
    java -Djavax.net.ssl.trustStore=/usr/java/jdk1.8.0_141-cloudera/jre/lib/security/jssecacerts \
     -Djavax.net.ssl.trustStorePassword=extraneous MyClass \
     jdbc:hive2://fqdn.example.com:10000/default;ssl=true