SSL-enabled endpoints for Virtual Warehouse clients in Cloudera Data Warehouse Private Cloud
In Cloudera Data Warehouse (CDW) Private Cloud 1.1, all client endpoints are SSL-enabled. This requires that you configure SSL certificates for the client endpoints, which include:
- Data Analytics Studio (DAS) webapp
- Impala coordinator
Domain name changes
To use the OpenShift cluster wildcard certificate, the DNS names have been changed: the environment ID subdomain has been removed from the domain name. This creates a flat DNS structure so that the cluster wildcard certificate can be applied to the endpoints. The reason the extra label had to go is that a wildcard in a certificate name matches exactly one DNS label, so a host name with an environment ID label in front of the wildcard's position would not be covered by the certificate and clients would reject the connection.
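Why one label matters for a wildcard certificate, as an added example that is not from the Cloudera page or product: the function below applies the wildcard matching rule that TLS clients (browsers, the JDK, OpenSSL) enforce, in which `*` stands for exactly one DNS label. The cluster wildcard name `*.apps.cdw.mycloud.myfirm.com` and the host name carrying an environment ID label (`env-12ab34`) are assumed, illustrative values modelled on the page's example host names.

```python
"""Wildcard certificate name matching, as clients enforce it (RFC 6125, section 6.4.3).

Added example, not code from the Cloudera page or product. The cluster wildcard
name and the host name carrying an environment ID label are assumed values
modelled on the page's example host names.
"""


def wildcard_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`.

    * comparison is case-insensitive and ignores a trailing dot
    * a wildcard is honoured only as the entire left-most label ("*.example.com")
    * "*" stands for exactly one non-empty label, so "*.apps.example.com" does
      not cover "a.b.apps.example.com" or "apps.example.com" itself
    * at least two labels must follow the wildcard, so "*.com" is rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*."):
        return False                      # partial wildcards such as "h*.example.com"
    suffix = pattern[2:]
    if "*" in suffix or suffix.count(".") < 1:
        return False                      # a second wildcard, or too broad ("*.com")
    if not hostname.endswith("." + suffix):
        return False
    leading = hostname[: -len(suffix) - 1]   # what the wildcard has to absorb
    return bool(leading) and "." not in leading


def coverage(pattern, hostnames):
    """Map each host name to whether `pattern` covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


if __name__ == "__main__":
    CLUSTER_WILDCARD = "*.apps.cdw.mycloud.myfirm.com"   # assumed cluster wildcard name
    candidates = [
        # flat form used by the page's examples
        "hs2-my-cwh1.apps.cdw.mycloud.myfirm.com",
        # hypothetical old form with an environment ID label in front (not covered)
        "hs2-my-cwh1.env-12ab34.apps.cdw.mycloud.myfirm.com",
    ]
    for host, ok in coverage(CLUSTER_WILDCARD, candidates).items():
        print("%-11s %s" % ("covered" if ok else "NOT covered", host))
```

The second candidate fails only because of the extra label: the wildcard would have to absorb `hs2-my-cwh1.env-12ab34`, which is two labels, and no compliant client accepts that.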
Generating a truststore for a self-signed certificate
You can query the service certificate and convert it to a JKS truststore using the following steps:
- Retrieve the certificate. The `openssl x509` filter keeps only the first certificate the server sends, which is the server certificate itself; for a self-signed server that is what the truststore needs. If the endpoint presents a CA-signed chain, import the issuing CA certificate instead, so that the truststore stays valid when the server certificate is rotated:
```bash
# -servername sends the host name as SNI, which the OpenShift router uses to
# select the route and the certificate to present; </dev/null closes the
# session once the handshake output has been captured.
$ openssl s_client -showcerts \
    -connect hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443 \
    -servername hs2-my-cwh1.apps.cdw.mycloud.myfirm.com </dev/null \
  | openssl x509 -outform PEM > <mycertfile>.pem
```
- Convert the PEM file to a JKS truststore. You are prompted for a truststore password and asked to confirm that the certificate is trusted. Before confirming, compare the certificate's SHA-256 fingerprint with a value obtained from the cluster administrator over a channel other than the connection itself: the retrieval step accepted whatever certificate answered on port 443 without validating it.
```bash
# Creates <mycert>.jks if it does not exist. The alias is only a label inside
# the truststore; using the host name keeps it recognisable.
$ keytool -import -alias hs2-my-cwh1.apps.cdw.mycloud.myfirm.com \
    -file <mycertfile>.pem -keystore <mycert>.jks
```
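A pin check to run between the two steps above, as an added example that is not from the Cloudera page: it splits the full `openssl s_client -showcerts` output into its individual certificates (the `openssl x509` filter keeps only the first), selects the leaf for a self-signed server or the last certificate sent (the issuing CA) for a CA-signed chain, and compares its SHA-256 fingerprint with one obtained out of band, in the same `AB:CD:...` format that `openssl x509 -noout -fingerprint -sha256` prints. The sample s_client output is constructed with placeholder bodies that are not real certificates; only the PEM framing and the fingerprint arithmetic are exercised.

```python
"""Verify a fetched certificate against an out-of-band fingerprint before trusting it.

Added example, not code from the Cloudera page. Uses only the standard library.
The sample s_client output below is constructed: the base64 bodies are
placeholders, not real certificates.
"""
import base64
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def make_pem(body):
    """Wrap raw bytes in PEM framing. Used here only to construct sample data."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(body).decode("ascii")
            + "-----END CERTIFICATE-----")


# Constructed stand-in for `openssl s_client -showcerts` output: two placeholder
# "certificates" (leaf first, issuer last) surrounded by the chatter s_client prints.
SAMPLE_LEAF_PEM = make_pem(b"constructed leaf certificate placeholder")
SAMPLE_ISSUER_PEM = make_pem(b"constructed issuing CA certificate placeholder")
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    + " 0 s:CN = hs2-my-cwh1.apps.cdw.mycloud.myfirm.com\n"
    + SAMPLE_LEAF_PEM + "\n"
    + " 1 s:CN = constructed issuing CA\n"
    + SAMPLE_ISSUER_PEM + "\n"
    + "---\nServer certificate\n"
)


def split_pem_chain(text):
    """Every PEM certificate in `text`, in the order the server sent them (leaf first)."""
    return PEM_BLOCK.findall(text)


def sha256_fingerprint(pem):
    """SHA-256 over the DER bytes, formatted like openssl: 'AB:CD:...'."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def normalize_fingerprint(value):
    """Accept 'SHA256 Fingerprint=ab:cd...', bare hex, or 'AB:CD:...'; return 'AB:CD:...'."""
    value = value.split("=", 1)[-1]
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexonly) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint, got %r" % value)
    return ":".join(hexonly[i:i + 2] for i in range(0, 64, 2))


def select_cert_to_trust(chain, self_signed=True):
    """Self-signed server: trust the leaf. CA-signed chain: trust the last certificate
    sent (the issuing CA), so a rotated leaf stays trusted."""
    if not chain:
        raise ValueError("no certificate found in s_client output")
    return chain[0] if self_signed else chain[-1]


def pin_matches(s_client_output, expected_fingerprint, self_signed=True):
    """True when the selected certificate's fingerprint equals the expected one."""
    cert = select_cert_to_trust(split_pem_chain(s_client_output), self_signed)
    return hmac.compare_digest(sha256_fingerprint(cert), normalize_fingerprint(expected_fingerprint))


def pinned_pem(s_client_output, expected_fingerprint, self_signed=True):
    """Return the PEM to hand to keytool, or raise if the pin does not match."""
    if not pin_matches(s_client_output, expected_fingerprint, self_signed):
        raise ValueError("certificate fingerprint does not match the expected value")
    return select_cert_to_trust(split_pem_chain(s_client_output), self_signed)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name):
    #   openssl s_client -showcerts -connect HOST:443 -servername HOST </dev/null \
    #     | python pin_check.py EXPECTED_SHA256 > mycertfile.pem
    sys.stdout.write(pinned_pem(sys.stdin.read(), sys.argv[1]) + "\n")
```

If the fingerprint does not match, nothing is written, so the `keytool -import` step has no file to trust; a mismatch means either the administrator's published value is stale or something other than the intended endpoint answered the connection.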
Opening SSL-enabled connections with Database Catalog clients
The CDW Virtual Warehouse clients like beeline and impala-shell can open SSL-enabled connections as described in this section.
A beeline connection is created with a JDBC connection string. Specifying the username and password with the '-n' and '-p' options returns an error; the beeline CLI prompts for the credentials instead. Pass the truststore generated above with sslTrustStore and its password with trustStorePassword, and keep the connection string as one unbroken token, because !connect splits its arguments on whitespace:
```text
$ beeline
beeline> !connect jdbc:hive2://hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443/default;transportMode=http;httpPath=cliservice;ssl=true;retries=3;sslTrustStore=<JKS-path>;trustStorePassword=<***password***>
Enter username for jdbc:hive2://hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443/default: <my-user-name>
Enter password for jdbc:hive2://hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443/default: <********>
```
The impala-shell CLI opens a TLS/SSL-enabled connection when you use the `--ssl` option. If `--ca_cert` is not set, impala-shell enables TLS/SSL but does not validate the server certificate: the connection is encrypted, but nothing stops an impersonated endpoint from terminating it. Set the `--ca_cert` option to the local path of the third-party CA certificate, or to a copy of the server certificate if the server certificate is self-signed:
```bash
# Encrypted only: without --ca_cert the server certificate is not validated.
# Add --ca_cert=<path-to-CA-or-server-certificate>.pem to validate it.
$ impala-shell --protocol='hs2-http' -i "coordinator-my-iwh2.apps.cdw.mycloud.myfirm.com:443" --ssl
```
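What the two impala-shell invocations amount to at the TLS layer, as an added example written against Python's standard `ssl` module rather than taken from impala-shell or the Cloudera page: `lax_context()` is `--ssl` alone (encrypted, any certificate accepted), `strict_context()` is `--ssl` with `--ca_cert` (chain and host name verified), and `inspect_endpoint()` is a diagnostic that reports the fingerprint an unvalidating client would accept and whether validation against a given CA file passes. Host names, ports and file paths are assumptions.

```python
"""--ssl with and without --ca_cert, expressed as ssl.SSLContext settings.

Added example, not part of impala-shell, beeline or CDW. Host names, ports and
certificate paths are assumptions.
"""
import hashlib
import socket
import ssl


def lax_context():
    """Encrypt only, verify nothing: what `--ssl` without `--ca_cert` gives you."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults to CERT_REQUIRED + host name check
    ctx.check_hostname = False                      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(ca_cert=None):
    """Verify the chain and the host name: what `--ssl --ca_cert=<file>` gives you.

    ca_cert=None uses the system trust store (third-party CA); pass a path for a
    private CA certificate or for a copy of a self-signed server certificate.
    """
    ctx = ssl.create_default_context(cafile=ca_cert)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise what a context enforces, for logging or a pre-flight check."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def inspect_endpoint(host, port=443, ca_cert=None, timeout=5.0):
    """Handshake twice with host:port.

    First unverified, to read the leaf fingerprint a client without --ca_cert would
    silently accept; then verified against `ca_cert`. 'verified_error' is None when
    validation passed, otherwise OpenSSL's verification failure message.
    """
    result = {"host": host, "leaf_sha256": None, "tls_version": None, "verified_error": None}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is still passed so that SNI reaches the OpenShift router
        with lax_context().wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            result["leaf_sha256"] = hashlib.sha256(der).hexdigest().upper()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context(ca_cert).wrap_socket(raw, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
    except ssl.SSLCertVerificationError as exc:
        result["verified_error"] = exc.verify_message
    return result


if __name__ == "__main__":
    import json
    import sys
    # Usage (assumed host name): python tls_check.py coordinator-my-iwh2.apps.cdw.mycloud.myfirm.com [ca.pem]
    target = sys.argv[1]
    ca_path = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(inspect_endpoint(target, ca_cert=ca_path), indent=2))
```

Run it with the coordinator host name and, optionally, the CA or server certificate path you intend to pass as `--ca_cert`: a non-empty `verified_error` means that file does not validate what the route is presenting, and the reported `leaf_sha256` is the value to compare with the administrator's published fingerprint before you trust it.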
OpenShift routes expose the user-facing services in the CDW Private Cloud deployment. Route objects perform edge TLS termination using the cluster-deployed certificate for the endpoints. If the cluster certificate must be rotated, the routes pick up the new certificate automatically; the service does not need to be re-deployed or manually reconfigured. With edge termination the TLS session ends at the OpenShift router, so the certificate that beeline and impala-shell validate is the one the router presents. A client that trusts a copy of a self-signed server certificate, rather than the issuing CA, therefore has to refresh its truststore or `--ca_cert` file after a rotation.