Configure ZooKeeper TLS/SSL using Cloudera Manager

TLS/SSL encryption between the ZooKeeper client and the ZooKeeper server and within the ZooKeeper Quorum is supported.

The ZooKeeper TLS/SSL feature has the following limitations:
  • In each ZooKeeper server process the same ZooKeeper Server KeyStore / TrustStore configuration is used for both QuorumSSL and ClientSSL.
  • HTTPS for the ZooKeeper REST Admin Server is still not supported. Even if you enable SSL for ZooKeeper, the AdminServer will still use HTTP only.

TLS/SSL encryption is automatically enabled when AutoTLS is enabled. As a result it is enabled by default in Data Hub cluster templates.

You can disable, enable and configure ZooKeeper TLS/SSL manually using Cloudera Manager:

  1. In Cloudera Manager, select the ZooKeeper service.
  2. Click the Configuration tab.
  3. Search for SSL.
  4. Find the Enable TLS/SSL for ZooKeeper property and select it to enable TLS/SSL for ZooKeeper.
    When TLS/SSL for ZooKeeper is enabled, two ZooKeeper features get enabled:
    • QuorumSSL: the ZooKeeper servers are talking to each other using secure connection.
    • ClientSSL: the ZooKeeper clients are using secure connection when talking to the ZooKeeper server.
  5. Find the Secure Client Port property and change the port number if necessary.

    When ClientSSL is enabled, a new secure port is opened on the ZooKeeper server which handles the SSL connections. Its default value is 2182.

    The old port (default: 2181) will still be available for unsecured connections. Unsecure port cannot be disabled in Cloudera Manager, because most components cannot support ZooKeeper TLS/SSL yet.

  6. Click Save Changes.
  7. Restart.
Enable and configure ClientSSL by other components that support this feature.
The following components support ZooKeeper TLS/SSL:
  • Kafka
  • Oozie