Prerequisites to configure TLS/SSL for HBase
Before configuring TLS/SSL for HBase, ensure that all prerequisites are fulfilled.
- Before enabling TLS/SSL, ensure that keystores containing certificates bound to the appropriate domain names will need to be accessible on all hosts on which at least one HBase daemon role is running.
- Keystores for HBase must be owned by the
hbase
group, and have permissions0440
(that is, readable by owner and group). - You must specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the HBase service run. Therefore, the paths you choose must be valid on all hosts.
- Cloudera Manager supports the TLS/SSL configuration for HBase at the
service level. Ensure you specify absolute paths to the keystore and truststore files. These
settings apply to all hosts on which daemon roles of the service in question run. Therefore,
the paths you choose must be valid on all hosts.
An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for HBase daemons on hosts
node1.example.com
andnode2.example.com
, you might have chosen to store these certificates in files calledhbase-node1.keystore
andhbase-node2.keystore
(respectively). When deploying these keystores, you must give them both the same name on the target host — for example,hbase.keystore
.