This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Configuring HttpFS to use SSL (HTTPS)

You can use either a certificate from a Certificate Authority or a Self-Signed Certificate. Please follow the first or second section below accordingly; afterwards, all steps are the same.

To use a Self-Signed Certificate There are many ways to create a Self-Signed Certificate, this is just one way.  We will be using the keytool program, which is included with your JRE. If its not on your path, you should be able to find it in $JAVA_HOME/bin.

  1. Run the following command to create a keystore file:
    sudo -u httpfs keytool -genkey -alias tomcat -keyalg RSA

    The keystore file will be named .keystore and located in the httpfs user's home directory.  

  2. You will now be asked a series of questions in an interactive prompt.  Below is a sample of what this looks like, along with some responses:
    $ sudo -u httpfs keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:  password
    Re-enter new password: password
    What is your first and last name?
      [Unknown]:  httpfs.server.hostname
    What is the name of your organizational unit?
      [Unknown]:  Engineering
    What is the name of your organization?
      [Unknown]:  A Great Company
    What is the name of your City or Locality?
      [Unknown]:  Anywhere
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=httpfs.server.hostname, OU=Engineering, O=A Great Company, L=Anywhere, ST=CA, C=US correct?
      [no]:  yes
    Enter key password for <tomcat>
    	(RETURN if same as keystore password):

    The password you enter for "keystore password" and "key password for <tomcat>" must be the same.  If you want to use a password other than "password", you will need to make an additional change later when configuring the HttpFS Server.


    The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the HttpFS Server will be running.

  3. Run the following command to export a certificate file from the keystore file:
    sudo -u httpfs keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert

To use a Certificate from a Certificate Authority

  1. Make a request to a Certificate Authority in order to obtain a proper Certificate; please consult a Certificate Authority on this procedure.
  2. Once you have your .cert file, run the following command to create a keystore file from your certificate:
    sudo -u httpfs keytool -import -alias tomcat -file path/to/certificate.cert

    The keystore file will be named .keystore and located in the httpfs user's home directory.

Configure the HttpFS Server to use SSL (HTTPS)

  1. Stop HttpFS by running
    sudo /sbin/service hadoop-httpfs stop
  2. To enable SSL, change which configuration the HttpFS server should work with using the alternatives command.
      Note: The alternatives command is only available on RHEL systems. For SLES, Ubuntu and Debian systems, the command is update-alternatives.
    For RHEL systems, to use SSL:
    alternatives --set hadoop-httpfs-tomcat-conf /etc/hadoop-httpfs/tomcat-conf.https

    The HTTPFS_SSL_KEYSTORE_PASS variable must be the same as the password used when creating the keystore file. If you used a password other than password, you'll have to change the value of the HTTPFS_SSL_KEYSTORE_PASS variable in /etc/hadoop-httpfs/conf/

  3. Start HttpFS by running
    sudo /sbin/service hadoop-httpfs start

Configure the HttpFS Client to connect using SSL (HTTPS)

This section only applies if you are using a Self-Signed Certificate.


The following steps must be done on every machine where you intend to use the HttpFS Client. This is not necessary if you only want to use the Web UI from a browser.  

The first two steps are only necessary if you used a Self-Signed Certificate.

  1. Copy or download the .cert file onto the client machine
  2. Run the following command to import the certificate into the JRE's keystore. This will allow any Java program, including the HttpFS client, to connect to the HttpFS Server using your certificate.
    sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}

    Where ${JRE_cacerts} is the path to the JRE's certs file.  It's location may differ depending on the Operating System, but its typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts but may be under a different directory in ${JAVA_HOME} (you may want to create a backup copy of this file first). The default password is changeit.

  3. When using the HttpFS Client, you will need to use https://<httpfs_server_hostname>:14000/webhdfs/v1/ instead of http://<httpfs_server_hostname>:14000/webhdfs/v1/ – Java will not automatically redirect from the http address to the https address.

Connect to the HttpFS Web UI using SSL (HTTPS)

Use https://<httpfs_server_hostname>:14000/webhdfs/v1/ though most browsers should automatically redirect you if you use http://<httpfs_server_hostname>:14000/webhdfs/v1/


If using a Self-Signed Certificate, your browser will warn you that it can't verify the certificate or something similar. You will probably have to add your certificate as an exception.

Page generated September 3, 2015.