Configuring TLS/SSL for HDFS

You must configure the TLS/SSL HDFS properties and the TLS/SSL Client TrustStore properties, and enable web UI authentication.

Cloudera recommends you enable web UI authentication for the HDFS service. Web UI authentication uses SPNEGO. After enabling this, you cannot access the Hadoop web consoles without a valid Kerberos ticket and correct client-side configuration.
  • You must enable Hadoop TLS/SSL Enabled in CORE_SETTINGS before configuring the HDFS properties.
  • Enabling TLS/SSL on HDFS is required before enabling TLS/SSL on YARN.

Procedure to enable Hadoop TLS/SSL Enabled

  1. Log in to Cloudera Manager.
  2. Navigate to Clusters.
  3. Select CORE_SETTINGS.
  4. Go to Configurations.
  5. Search for Hadoop TLS/SSL Enabled and select the checkbox.
  6. Click Save Changes.

Procedure to configure the HDFS properties

  1. Log in to Cloudera Manager.
  2. Navigate to Clusters.
  3. Select the HDFS service.
  4. Go to Configurations.
  5. Search for TLS/SSL.
  6. Search for the following properties and configure them according to your cluster configuration:
    1. Hadoop TLS/SSL Server Keystore File Location
    2. Hadoop TLS/SSL Server Keystore File Password
    3. Hadoop TLS/SSL Server Keystore Key Password
    Property | Description
    Hadoop TLS/SSL Server Keystore File Location | Path to the keystore file containing the server certificate and private key.
    Hadoop TLS/SSL Server Keystore File Password | Password for the server keystore file.
    Hadoop TLS/SSL Server Keystore Key Password | Password that protects the private key contained in the server keystore.
  7. Click Save Changes.

Procedure to configure the TLS/SSL Client TrustStore properties

If you are not using the default truststore, perform the following steps:

  1. Log in to Cloudera Manager.
  2. Navigate to Clusters.
  3. Select the HDFS service.
  4. Go to Configurations.
  5. Search for TLS/SSL.
  6. Search for the following properties and configure them according to your cluster configuration:
    1. Cluster-Wide Default TLS/SSL Client Truststore Location
    2. Cluster-Wide Default TLS/SSL Client Truststore Password
    Property | Description
    Cluster-Wide Default TLS/SSL Client Truststore Location | Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers.
    Cluster-Wide Default TLS/SSL Client Truststore Password | Password for the client truststore file.
  7. Click Save Changes.
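
The keystore and truststore files named in the properties above can be checked on the host before the services are restarted. The following shell functions are an added example (not Cloudera code) that confirm the server keystore has a private key entry and is not world-readable, and that the client truststore holds trusted certificates and no private keys. The paths passed to verify_stores and the KEYSTORE_PASS and TRUSTSTORE_PASS environment variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Cloudera code. Paths and env var names are assumptions.

# Count entries of one type in `keytool -list` output read from stdin.
count_entries() { grep -c ", $1," || true; }

# A server keystore must hold at least one private key entry.
check_keystore_listing() {
  local n; n=$(count_entries PrivateKeyEntry)
  [ "$n" -ge 1 ]
}

# A client truststore should hold trusted certificates and no private keys.
check_truststore_listing() {
  local listing keys certs
  listing=$(cat)
  keys=$(printf '%s\n' "$listing" | count_entries PrivateKeyEntry)
  certs=$(printf '%s\n' "$listing" | count_entries trustedCertEntry)
  [ "$certs" -ge 1 ] && [ "$keys" -eq 0 ]
}

# The keystore holds the private key: it must exist and not be world-readable.
keystore_not_world_readable() {
  [ -e "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Check real files. Passwords come from the environment (-storepass:env)
# so they do not show up in the process list or shell history.
verify_stores() {  # usage: verify_stores KEYSTORE_PATH TRUSTSTORE_PATH
  keystore_not_world_readable "$1" ||
    { echo "FAIL: $1 missing or world-readable"; return 1; }
  keytool -list -keystore "$1" -storepass:env KEYSTORE_PASS |
    check_keystore_listing || { echo "FAIL: no PrivateKeyEntry in $1"; return 1; }
  keytool -list -keystore "$2" -storepass:env TRUSTSTORE_PASS |
    check_truststore_listing ||
    { echo "FAIL: $2 has no trusted cert or holds a private key"; return 1; }
  echo "OK: keystore and truststore look consistent"
}

# Constructed samples of `keytool -list` output (not from a real cluster).
SAMPLE_KEYSTORE='Keystore type: PKCS12
Your keystore contains 1 entry

namenode-host, Jan 5, 2024, PrivateKeyEntry,'
SAMPLE_TRUSTSTORE='Keystore type: JKS
Your keystore contains 1 entry

cluster-ca, Jan 5, 2024, trustedCertEntry,'
```

Run verify_stores on each host with the same paths entered in Cloudera Manager; a FAIL line names the file to fix.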

Procedure to enable web UI authentication

If you want to enable web UI authentication for the HDFS service, perform the following steps:

  1. Log in to Cloudera Manager.
  2. Navigate to Clusters.
  3. Select the HDFS service.
  4. Go to Configurations.
  5. Search for the Enable Authentication for HTTP Web-Consoles property.
  6. Select the checkbox.
  7. Click Save Changes.