Configuring Hue to connect to TLS 1.2/TCPS-enabled databases

Learn how to configure an existing Hue instance to connect to TLS-enabled MySQL, MariaDB, or PostgreSQL databases or a TCPS-enabled Oracle database.

If TLS 1.2 is enabled on the database servers and the databases are restricted to TLS 1.2, Hue automatically uses TLS 1.2-compatible ciphers to communicate with the database securely. You do not have to configure anything in Hue's Advanced Configuration Snippet or in any other configuration. This applies when MySQL, MariaDB, or PostgreSQL is used as the backend database for Hue.

To restrict the MySQL and MariaDB databases to use TLS 1.2, set require_secure_transport to true in the my.cnf file.

To manually enable TLS 1.2 on the Hue instance, go to Cloudera Manager > Clusters > Hue service > Configurations and select the Enable TLS/SSL for Hue option.

The following section is specific to configuring Hue to connect to a TCPS-enabled Oracle database.

  • You must have installed and configured Oracle as a backend database for Hue as described in Using Oracle database with Hue.
  • You must have enabled TCPS on the Oracle database as described in Enabling TCPS for Oracle Database Server.
  • You must have created database users.
  1. SSH in to the Hue host as an administrator.
  2. Copy the cwallet.sso file that is generated when you enabled SSL on the Oracle database to a desired location on the Hue host and make sure its permissions are 644.
  3. Change directory to the following:
    cd [***ORACLE-INSTANT-CLIENT-HOME***]/network/admin
  4. Create a file called sqlnet.ora with the following content:
    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
                (SOURCE =
                  (METHOD = FILE)
                  (METHOD_DATA =
                    (DIRECTORY = /[***PATH-TO-WALLET-FILE***])
                  )
                )
  5. Create a file called tnsnames.ora with the following content:
    ORCLPDB1_SSL =
            (DESCRIPTION =
              (ADDRESS = (PROTOCOL = TCPS)(HOST = [***HUE-DB-HOST***])(PORT = [***HUE-DB-PORT***]))
              (CONNECT_DATA =
                (SERVER = DEDICATED)
                (SERVICE_NAME = [***SERVICE-NAME***])
              )
              (SECURITY =
                (MY_WALLET_DIRECTORY = /[***PATH-TO-WALLET-FILE***])
              )
            )
  6. Log in to Cloudera Manager as an Administrator.
  7. Go to Clusters > Hue service > Configuration and add the following connection string in the Hue Database Name field:
    (DESCRIPTION=(LOAD_BALANCE=off)(FAILOVER=on)(CONNECT_TIMEOUT=5)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)(ADDRESS=(PROTOCOL=TCPS)(HOST=[***HUE-DB-HOST***])(PORT=[***HUE-DB-PORT***]))(CONNECT_DATA=(SERVICE_NAME=[***SERVICE-NAME***]))(SECURITY=(MY_WALLET_DIRECTORY=/[***PATH-TO-WALLET-FILE***])))
    Where,

    [***HUE-DB-HOST***] is the FQDN of the database host

    [***HUE-DB-PORT***] is the port for the Hue database

    [***SERVICE-NAME***] is the Oracle service name

    [***PATH-TO-WALLET-FILE***] is the location at which you have copied the wallet file (cwallet.sso) on the Hue host

  8. Click Save Changes.
  9. Restart the Hue service.
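
A checker for the connect descriptors used in steps 5 and 7, added here as an example (it is not Cloudera or Hue code): it parses the nested parentheses, rejects unbalanced input, and confirms that every ADDRESS uses TCPS and that SECURITY/MY_WALLET_DIRECTORY sits directly under DESCRIPTION, as in the tnsnames.ora entry in step 5. The function names and the sample host, port, service name and wallet path are assumptions.

```python
import re

def parse_descriptor(text):
    """Parse "(KEY=(K=v)...)", with or without a leading "ALIAS =", into (key, value) pairs."""
    tokens = re.findall(r"[()=]|[^()=\s][^()=]*", text[text.find("("):])  # drop any alias
    pos = 0
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        bad = tok != expected if expected else tok in (None, "(", ")", "=")
        if bad:
            raise ValueError(f"token {pos}: expected {expected or 'a name'}, got {tok!r}")
        pos += 1
        return tok.strip()
    def node():
        take("(")
        key = take().upper()
        take("=")
        value = [] if tokens[pos:pos + 1] == ["("] else take()
        while isinstance(value, list) and tokens[pos:pos + 1] == ["("]:
            value.append(node())
        take(")")
        return key, value
    tree = node()
    if pos != len(tokens):
        raise ValueError(f"token {pos}: unexpected {tokens[pos]!r} after the descriptor")
    return tree

def kids(value, name):  # values of direct children called `name`; [] for a plain string
    return [v for k, v in value if k == name] if isinstance(value, list) else []

def check_tcps(text):
    """Return a list of problems; an empty list means the descriptor passed."""
    try:
        _key, body = parse_descriptor(text)
    except ValueError as exc:
        return [f"malformed descriptor: {exc}"]
    # ADDRESS_LIST nesting is not handled; the descriptors on this page do not use it.
    protos = [[str(p).upper() for p in kids(a, "PROTOCOL")] for a in kids(body, "ADDRESS")]
    checks = [
        (protos and all(p == ["TCPS"] for p in protos), "every ADDRESS needs PROTOCOL=TCPS"),
        (any(kids(s, "MY_WALLET_DIRECTORY") for s in kids(body, "SECURITY")),
         "no SECURITY/MY_WALLET_DIRECTORY directly under DESCRIPTION"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: host, port, service name and wallet path are placeholders.
GOOD = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example.com)(PORT=2484))"
        "(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1))(SECURITY=(MY_WALLET_DIRECTORY=/opt/wallet)))")
print(check_tcps(GOOD))
```

Run it against the string pasted into the Hue Database Name field and against the tnsnames.ora entry before restarting Hue; a missing or extra parenthesis is reported as a malformed descriptor.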