TLS/SSL encryption between the ZooKeeper client and the ZooKeeper server and within
the ZooKeeper Quorum is supported.
The ZooKeeper TLS/SSL feature has the following limitations:
- In each ZooKeeper server process the same ZooKeeper Server KeyStore /
TrustStore configuration is used for both QuorumSSL and ClientSSL.
- HTTPS for the ZooKeeper REST Admin Server is still not supported. Even if
you enable SSL for ZooKeeper, the AdminServer will still use HTTP only.
TLS/SSL encryption is automatically enabled when AutoTLS is enabled. As a result it
is enabled by default in Data Hub cluster templates.
You can disable, enable and configure ZooKeeper TLS/SSL manually using Cloudera
Manager:
-
In Cloudera Manager, select the ZooKeeper service.
-
Click the Configuration tab.
-
Search for
SSL.
-
Find the Enable TLS/SSL for ZooKeeper property and
select it to enable TLS/SSL for ZooKeeper.
When TLS/SSL for ZooKeeper is enabled, two ZooKeeper features get enabled:
- QuorumSSL: the ZooKeeper servers are talking to each other using
secure connection.
- ClientSSL: the ZooKeeper clients are using secure connection when
talking to the ZooKeeper server.
-
Find the Secure Client Port property and change the port
number if necessary.
When ClientSSL is enabled, a new secure port is opened on the ZooKeeper
server which handles the SSL connections. Its default value is 2182.
The old port (default: 2181) will still be available for unsecured
connections. Unsecure port cannot be disabled in Cloudera Manager, because
most components cannot support ZooKeeper TLS/SSL yet.
-
Click Save Changes.
-
Restart.
Enable and configure ClientSSL by other components that support this feature.The
following components support ZooKeeper TLS/SSL:
