Enabling TLS/SSL for HiveServer

You can secure client-server communications using symmetric-key encryption in the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocol. To encrypt data exchanged between HiveServer and its clients, you can use Cloudera Manager to configure TLS/SSL.

  • HiveServer has the necessary server key, certificate, keystore, and trust store set up on the host system.
  • The hostname variable ($(hostname -f)-server.jks) is used with Java keytool commands to create keystore, as shown in this example:
    $ sudo keytool -genkeypair -alias $(hostname -f)-server -keyalg RSA -keystore \
        /opt/cloudera/security/pki/$(hostname -f)-server.jks -keysize 2048 -dname \
        "CN=$(hostname -f),OU=dept-name-optional,O=company-name,L=city,ST=state,C=two-digit-nation" \
        -storepass password -keypass password
On the beeline command line, the JDBC URL requirements include specifying ssl=true;sslTrustStore=<path_to_truststore>. Truststore password requirements depend on the version of Java running in the cluster:
  • Java 11: the truststore format has changed to PKCS and the truststore password is required; otherwise, the connection fails.
  • Java 8: The trust store password does not need to be specified.
  1. In Cloudera Manager, navigate to Clusters > Hive > Configuration.
  2. In Filters, select HIVE for the scope.
  3. Select Security for the category.
  4. Accept the default Enable TLS/SSL for HiveServer2, which is checked for Hive (Service-Wide).
  5. Enter the path to the Java keystore on the host system.
  6. Enter the password for the keystore you used on the Java keytool command-line when the key and keystore were created.
    The password for the keystore must match the password for the key.
  7. Enter the path to the Java trust store on the host system.
  8. Click Save Changes.
  9. Restart the Hive service.
  10. Construct a connection string for encrypting communications using TLS/SSL.
    jdbc:hive2://#<host>:#<port>/#<dbName>;ssl=true;sslTrustStore=#<ssl_truststore_path>; \