Communication encryption
- SASL (Simple Authentication and Security Layer)
- TLS/SSL (Transport Layer Security/Secure Sockets Layer)
TLS/SSL requires certificates. SASL QOP encryption does not. SASL QOP is aimed at protecting core Hadoop RPC communications. SASL QOP might cause performance problems when handling large amounts of data. You can configure HiveServer to support TLS/SSL connections from JDBC/ODBC clients using Cloudera Manager.
Client connections to HiveServer2 over TLS/SSL
A client connecting to a HiveServer2 over TLS/SSL must access the trust store on HiveServer to establish a chain of trust and verify server certificate authenticity. The trust store is typically not password protected. The trust store might be password protected to prevent its contents from being modified. However, password protected trust stores can be read from without using the password.
- Pass the path to the trust store each time you connect to HiveServer in the JDBC
connection string:
jdbc:hive2://fqdn.example.com:10000/default;ssl=true;\ sslTrustStore=$JAVA_HOME/jre/lib/security/jssecacerts;trustStorePassword=extraneous
- Set the path to the trust store one time in the Java system javax.net.ssl.trustStore
property:
java -Djavax.net.ssl.trustStore=/usr/java/jdk1.8.0_141-cloudera/jre/lib/security/jssecacerts \ -Djavax.net.ssl.trustStorePassword=extraneous MyClass \ jdbc:hive2://fqdn.example.com:10000/default;ssl=true