Impala supports SSL network encryption, between Impala and client programs, and between the Impala-related daemons running on different nodes in the cluster. This feature is important when you also use other features such as Kerberos authentication or Sentry authorization, where credentials are being transmitted back and forth.

To enable SSL for Impala network communication, add both of the following flags to the impalad startup options:

• --ssl_server_certificate: the full path to the server certificate, on the local filesystem.
• --ssl_private_key : the full path to the server private key, on the local filesystem.

If either of these flags are set, both must be set. In that case, Impala starts listening for Beeswax and HiveServer2 requests on SSL-secured ports only. (The port numbers stay the same; see Appendix A - Ports Used by Impala for details.)

Typically, a client program has corresponding options to verify that it is connecting to the right server. For example, with SSL enabled for Impala, you use the following options when starting the impala-shell interpreter:

• --ssl: enables SSL for impala-shell.
• --ca_cert: the local pathname pointing to the third-party CA certificate, or to a copy of the server certificate for self-signed server certificates.

If --ca_cert is not set, impala-shell enables SSL, but does not validate the server certificate. This is useful for connecting to a known-good Impala that is only running over SSL, when a copy of the certificate is not available (such as when debugging customer installations).