This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Configuring Oozie to use SSL (HTTPS)


The default HTTPS configuration will cause all Oozie URLs to use HTTPS (except for the JobTracker callback URLs, but this is okay because Oozie doesn't inherently trust the callbacks anyway; they are used as hints). This is to simplify configuration (no changes are needed outside of Oozie).

You can use either a certificate from a Certificate Authority or a Self-Signed Certificate. Please follow the first or second section below accordingly; afterwards, all steps are the same.

To use a Self-Signed Certificate There are many ways to create a Self-Signed Certificate, this is just one way.  We will be using the keytool program, which is included with your JRE. If its not on your path, you should be able to find it in $JAVA_HOME/bin.

  1. Run the following command to create a keystore file:
    sudo -u oozie keytool -genkey -alias tomcat -keyalg RSA

    The keystore file will be named .keystore and located in the oozie user's home directory.  

  2. You will now be asked a series of questions in an interactive prompt.  Below is a sample of what this looks like, along with some responses:
    $ sudo -u oozie keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:  password
    Re-enter new password: password
    What is your first and last name?
      [Unknown]:  oozie.server.hostname
    What is the name of your organizational unit?
      [Unknown]:  Engineering
    What is the name of your organization?
      [Unknown]:  A Great Company
    What is the name of your City or Locality?
      [Unknown]:  Anywhere
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=oozie.server.hostname, OU=Engineering, O=A Great Company, L=Anywhere, ST=CA, C=US correct?
      [no]:  yes
    Enter key password for <tomcat>
    	(RETURN if same as keystore password):

    The password you enter for "keystore password" and "key password for <tomcat>" must be the same.  If you want to use a password other than "password", you will need to make an additional change later when configuring the Oozie Server.


    The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the Oozie Server will be running.

  3. Run the following command to export a certificate file from the keystore file:
    sudo -u oozie keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert

To use a Certificate from a Certificate Authority

  1. Make a request to a Certificate Authority in order to obtain a proper Certificate; please consult a Certificate Authority on this procedure.
  2. Once you have your .cert file, run the following command to create a keystore file from your certificate:
    sudo -u oozie keytool -import -alias tomcat -file path/to/certificate.cert

    The keystore file will be named .keystore and located in the oozie user's home directory.

Configure the Oozie Server to use SSL (HTTPS)

  1. Stop Oozie by running
    sudo /sbin/service oozie stop
  2. To enable SSL, set the MapReduce version that the Oozie server should work with using the alternatives command.
      Note: The alternatives command is only available on RHEL systems. For SLES, Ubuntu and Debian systems, the command is update-alternatives.
    For RHEL systems, to use YARN with SSL:
    alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https
    For RHEL systems, to use MapReduce (MRv1) with SSL:
    alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https.mr1

    The OOZIE_HTTPS_KEYSTORE_PASS variable must be the same as the password used when creating the keystore file. If you used a password other than password, you'll have to change the value of the OOZIE_HTTPS_KEYSTORE_PASS variable in this file.

  3. Start Oozie by running
    sudo /sbin/service oozie start

Configure the Oozie Client to connect using SSL (HTTPS)

This section only applies if you are using a Self-Signed Certificate.


The following steps must be done on every machine where you intend to use the Oozie Client. This is not necessary if you only want to use the Web UI from a browser.  

The first two steps are only necessary if you used a Self-Signed Certificate.

  1. Copy or download the .cert file onto the client machine
  2. Run the following command to import the certificate into the JRE's keystore. This will allow any Java program, including the Oozie client, to connect to the Oozie Server using your certificate.
    sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}

    Where ${JRE_cacerts} is the path to the JRE's certs file.  It's location may differ depending on the Operating System, but its typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts but may be under a different directory in ${JAVA_HOME} (you may want to create a backup copy of this file first). The default password is changeit.

  3. When using the Oozie Client, you will need to use https://oozie.server.hostname:11443/oozie instead of http://oozie.server.hostname:11000/oozie – Java will not automatically redirect from the http address to the https address.

Connect to the Oozie Web UI using SSL (HTTPS)

Use https://oozie.server.hostname:11443/oozie though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie


If using a Self-Signed Certificate, your browser will warn you that it can't verify the certificate or something similar. You will probably have to add your certificate as an exception.

Page generated September 3, 2015.