Enabling HTTPS between ResourceManager and Application Master

If you want to enable HTTPS communication between the ResourceManager and the Application Master, you have to use a ResourceManager-level and two Application Master-level configuration properties.

  1. Enable HTTPS communication on the ResourceManager’s side:
    1. Navigate to Cloudera Manager.
    2. Select the YARN service.
    3. Search for ResourceManager and find the ResourceManager Advanced Configuration Snippet (Safety Valve) for yarn-site.xml safety valve.
    4. Add the following configuration:
    5. Restart the ResourceManager to apply the configuration change.

      HTTPS communication is enabled on the ResourceManager’s side. Keystore and Truststore are available.

      There are two supported Keystore and Truststore formats. The format is automatically set by the ResourceManager:
      • JKS: when FIPS is not enabled
      • BCFKS: when FIPS is enabled

      The NodeManager collects the Keystore and Truststore related information (location on the file system, password, and format) and uses environment variables to provide the Application Master with the information.

  2. Enable the HTTPS communication on the ApplicationMaster’s side:

    When submitting a job set the yarn.app.mapreduce.am.webapp.https.enabled and the yarn.app.mapreduce.am.webapp.https.client.auth properties to true.

    The following is an example of a simple ‘pi job’ that can be considered as a test job. Note that the jar file is depending on the deployed CDP version:
    yarn jar /opt/cloudera/parcels/CDH-7.1.5-1.cdh7.1.5.p0.6683980/lib/hadoop-mapreduce/hadoop-mapreduce-examples- pi -Dyarn.app.mapreduce.am.webapp.https.enabled=true -Dyarn.app.mapreduce.am.webapp.https.client.auth=true 1 1000

    HTTPS communication between ResourceManager and Application Master is enabled.

For more information, see the design document in YARN-6586