SSL-enabled endpoints for Virtual Warehouse clients in Cloudera Data Warehouse Private Cloud
In Cloudera Data Warehouse (CDW) Private Cloud 1.1, all client endpoints have been SSL-enabled. This requires that you configure the SSL certificates for the client endpoints:
- Data Analytics Studio (DAS) webapp
- Impala coordinator
Domain name changes
To use the OpenShift/Embedded Container Service cluster wildcard certificate, the DNS names have been changed: the environment ID subdomain has been removed from the domain name. This creates a flat DNS structure so that the cluster wildcard certificate can be applied to the endpoints; a wildcard certificate covers only a single DNS label, so the extra environment ID label would not have matched it.
Generating a truststore for a self-signed certificate
You can query the service certificate and convert it to a JKS truststore using the following steps:
- Retrieve the certificate:
```shell
$ openssl s_client -showcerts -connect hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443 -servername hs2-my-cwh1.apps.cdw.mycloud.myfirm.com </dev/null | openssl x509 -outform PEM > <mycertfile>.pem
```
- Convert the PEM file to a truststore. You will be prompted for a password.
```shell
$ keytool -import -alias hs2-my-cwh1.apps.cdw.mycloud.myfirm.com -file <mycertfile>.pem -keystore <mycert>.jks
```
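The following POSIX shell script is an added example, not part of the Cloudera documentation: it ties the domain-name change above to the certificate retrieval steps. It creates a constructed self-signed wildcard certificate standing in for the cluster certificate, prints its SHA-256 fingerprint for out-of-band comparison before the certificate is imported into a truststore, and uses `openssl x509 -checkhost` to show that a flattened hostname such as hs2-my-cwh1.apps.cdw.mycloud.myfirm.com is covered while a hostname carrying an extra environment-ID label is not. The working directory, the function names and the hostname with the environment-ID label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed wildcard certificate plus the two checks a client
# should run on a retrieved certificate. WORKDIR and hostnames are assumptions.

WORKDIR="${TMPDIR:-/tmp}/cdw-wildcard-check.$$"
WILDCARD='*.apps.cdw.mycloud.myfirm.com'

# Create a constructed self-signed wildcard certificate that stands in for the
# cluster certificate. Prints the path of the PEM file.
make_wildcard_cert() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$WILDCARD" -addext "subjectAltName=DNS:$WILDCARD" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/cert.pem"
}

# SHA-256 fingerprint of PEM certificate $1. Fetching a self-signed certificate
# with `openssl s_client` trusts whatever the network returned, so compare this
# value with the fingerprint published by the cluster administrator before
# running `keytool -import`.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if PEM certificate $1 is valid for hostname $2, 1 otherwise.
# `openssl x509 -checkhost` prints "... does match ..." or "... does NOT match ...".
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Demonstration: the flattened hostname from the documentation is covered; a
# hostname with an extra environment-ID label (assumed old-style form) is not,
# because a wildcard matches exactly one DNS label.
CERT=$(make_wildcard_cert)
echo "fingerprint: $(cert_sha256 "$CERT")"
for host in hs2-my-cwh1.apps.cdw.mycloud.myfirm.com \
            hs2-my-cwh1.env-abc123.apps.cdw.mycloud.myfirm.com; do
  if cert_matches_host "$CERT" "$host"; then
    echo "$host: covered by $WILDCARD"
  else
    echo "$host: NOT covered by $WILDCARD"
  fi
done
```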
Opening SSL-enabled connections with Database Catalog clients
The CDW Virtual Warehouse clients like beeline and impala-shell can open SSL-enabled connections as described in this section.
A beeline connection can be created using a JDBC connection string. Specifying the username and password with the '-n' and '-p' options returns an error; instead, the beeline CLI prompts for credentials:
```shell
$ beeline
beeline> !connect jdbc:hive2://hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443/default;transportMode=http;httpPath=cliservice;ssl=true;retries=3;sslTrustStore=<JKS-path>;trustStorePassword=<***password***>
Enter username for jdbc:hive2://hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443/default: <my-user-name>
Enter password for jdbc:hive2://hs2-my-cwh1.apps.cdw.mycloud.myfirm.com:443/default: <********>
```
The impala-shell CLI opens a TLS/SSL-enabled connection when you use the `--ssl` option. If `--ca_cert` is not set, impala-shell enables TLS/SSL but does not validate the server certificate. Set the `--ca_cert` option to the local path of the third-party CA certificate, or to a copy of the server certificate if you have a self-signed server certificate:
```shell
$ impala-shell --protocol='hs2-http' -i "coordinator-my-iwh2.apps.cdw.mycloud.myfirm.com:443" --ssl --ca_cert=<mycertfile>.pem
```
OpenShift routes are used to expose the user-facing services in the CDW Private Cloud deployment. Route objects can perform edge TLS termination using the cluster-deployed certificate for the endpoints. If the cluster certificate must be rotated, the routes can pick up the new certificate automatically. It is not necessary to re-deploy or to manually configure the service in order to pick up the changes.