Encryption in SSB
When auto-TLS is disabled for the SQL Stream Builder (SSB) service, you must manually set the TLS properties for SSB in Cloudera Manager.
Ensure that you have set up Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)) for Cloudera Manager:
- Generated TLS certificates
- Configured TLS for Admin Console and Agents
- Enabled server certificate verification on Agents
- Configured agent certificate authentication
- Configured TLS encryption on the agent listening port

- Click SQL Builder service on your Cluster.
- Go to the Configuration tab.
- Select Category > Security.
  All the security-related properties are displayed.
- Edit the security properties according to the cluster configuration.

| Component | Property | Description |
| --- | --- | --- |
| Materialized View Engine | Enable TLS/SSL for Materialized View Engine | Select the option to encrypt communication between clients and Materialized View Engine using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). |
| Materialized View Engine | Materialized View Engine TLS/SSL Server JKS Keystore File Location | Path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Materialized View Engine is acting as a TLS/SSL server. The keystore must be in JKS format. |
| Materialized View Engine | Materialized View Engine TLS/SSL Server JKS Keystore File Password | Password for the Materialized View Engine JKS keystore file. |
| Materialized View Engine | Materialized View Engine TLS/SSL Server JKS Keystore Key Password | Password that protects the private key contained in the JKS keystore. |
| Materialized View Engine | Materialized View Engine TLS/SSL Client Trust Store File | Location of the truststore on disk. The truststore must be in JKS format. If this parameter is not provided, the default list of known certificate authorities is used instead. |
| Materialized View Engine | Materialized View Engine TLS/SSL Client Trust Store Password | The password for the Materialized View Engine TLS/SSL Certificate truststore file. This password is not mandatory to access the truststore; this field is optional. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information. |
| Streaming SQL Console | Enable TLS/SSL for Streaming SQL Console | Select the option to encrypt communication between clients and Streaming SQL Console using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). |
| Streaming SQL Console | Streaming SQL Console TLS/SSL Server Private Key File (PEM Format) | Path to the TLS/SSL file containing the private key used for TLS/SSL. Used when Streaming SQL Console is acting as a TLS/SSL server. The certificate file must be in PEM format. |
| Streaming SQL Console | Streaming SQL Console TLS/SSL Server Certificate File (PEM Format) | Path to the TLS/SSL file containing the server certificate key used for TLS/SSL. Used when Streaming SQL Console is acting as a TLS/SSL server. The certificate file must be in PEM format. |
| Streaming SQL Console | Streaming SQL Console TLS/SSL Server CA Certificate (PEM Format) | Path to the TLS/SSL file containing the certificate of the certificate authority (CA) and any intermediate certificates used to sign the server certificate. Used when Streaming SQL Console is acting as a TLS/SSL server. The certificate file must be in PEM format, and is usually created by concatenating all of the appropriate root and intermediate certificates. |
| Streaming SQL Console | Streaming SQL Console TLS/SSL Private Key Password | Password for the private key in the Streaming SQL Console TLS/SSL Server Certificate and Private Key file. If left blank, the private key is not protected by a password. |
| Streaming SQL Console | Streaming SQL Console TLS/SSL Certificate Trust Store File | Location on disk of the truststore, in .pem format, used to confirm the authenticity of TLS/SSL servers that Streaming SQL Console might connect to. This is used when Streaming SQL Console is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of known certificate authorities is used instead. |
| SQL Stream Engine | Enable TLS/SSL for Streaming SQL Engine | Select the option to encrypt communication between clients and Streaming SQL Engine using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). |
| SQL Stream Engine | Streaming SQL Engine TLS/SSL Server JKS Keystore File Location | Path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Streaming SQL Engine is acting as a TLS/SSL server. The keystore must be in JKS format. |
| SQL Stream Engine | Streaming SQL Engine TLS/SSL Server JKS Keystore File Password | Password for the Streaming SQL Engine JKS keystore file. |
| SQL Stream Engine | Streaming SQL Engine TLS/SSL Server JKS Keystore Key Password | Password that protects the private key contained in the JKS keystore used when Streaming SQL Engine is acting as a TLS/SSL server. |
| SQL Stream Engine | Streaming SQL Engine TLS/SSL Client Trust Store File | Location on disk of the truststore, in .jks format, used to confirm the authenticity of TLS/SSL servers that Streaming SQL Engine might connect to. This is used when Streaming SQL Engine is the client in a TLS/SSL connection. This truststore must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of known certificate authorities is used instead. |
| SQL Stream Engine | Streaming SQL Engine TLS/SSL Client Trust Store Password | Password for the Streaming SQL Engine TLS/SSL Certificate Trust Store file. This password is not mandatory to access the trust store; this field is optional. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information. |

- Click Save Changes.
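
A pre-flight check for the Streaming SQL Console PEM properties (private key, server certificate, CA certificate, private key password), run on the host before the paths are entered in Cloudera Manager. This is an added example, not part of the Cloudera documentation; the function name `check_console_pem`, the `SSB_KEY_PASS` variable and the file paths passed to it are assumptions, and it needs the `openssl` CLI, version 1.1.0 or later.

```bash
#!/usr/bin/env bash
# Added example (not from the Cloudera documentation): check the Streaming SQL
# Console PEM files before entering their paths in Cloudera Manager.
# Usage: check_console_pem KEY_PEM CERT_PEM CA_BUNDLE_PEM [KEY_PASSWORD]
# Returns: 0 ok | 1 file unreadable | 2 key cannot be opened (wrong or missing
#          password, or not PEM) | 3 key and certificate differ | 4 chain fails
check_console_pem() {
    local key="$1" cert="$2" ca="$3" pass="${4:-}"
    local f key_pub cert_pub

    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done

    # Derive the public key from the private key. The password is passed in an
    # environment variable (hypothetical name SSB_KEY_PASS) rather than on the
    # command line, so it does not show up in the process list.
    key_pub=$(SSB_KEY_PASS="$pass" openssl pkey -in "$key" \
        -passin env:SSB_KEY_PASS -pubout 2>/dev/null) || {
        echo "cannot open private key: $key" >&2; return 2; }

    # The server certificate must carry that same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 3; }
    [ "$key_pub" = "$cert_pub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # The CA file must hold the root and any intermediates that signed the
    # server certificate. -no-CApath keeps the system certificate directory
    # out of the check, so only the supplied bundle can satisfy it.
    openssl verify -no-CApath -CAfile "$ca" -purpose sslserver "$cert" \
        >/dev/null 2>&1 || {
        echo "certificate does not chain to $ca" >&2; return 4; }

    return 0
}
```

A non-zero return identifies which property value to correct: 2 points at the private key password, 3 at the key or certificate path, 4 at the CA certificate file.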