Configuring TLS/SSL Encryption for CDH Services

In addition to configuring Cloudera Manager cluster to use TLS/SSL (as detailed, starting with Configuring Cloudera Manager Clusters for TLS/SSL), the various CDH services running on the cluster should also be configured to use TLS/SSL. The process of configuring TLS/SSL varies by component, so follow the steps below as needed for your system. Before trying to configure TLS/SSL, however, be sure your cluster meets the prerequisites.

Prerequisites

Each instruction set listed above assumes that the cluster has been configured for Level 2 TLS, as detailed in Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate. The specific requirement is that the Cloudera Manager Server certificate and Cloudera Manager Agent certificates are in place and properly configured.

Hadoop Services as TLS/SSL Servers and Clients

Hadoop services function as either TLS/SSL servers, clients, or both, as shown in the table below.

Component Client Server
HBase ~
HDFS
Hive
Hue ~
MapReduce
Oozie ~
YARN

Hue is a TLS/SSL client of HDFS, MapReduce, YARN, HBase, and Oozie.

Daemons that act as TLS/SSL servers load the keystores when starting up. When a client connects to an TLS/SSL server daemon, the server transmits the certificate loaded at startup time to the client, which then uses its truststore to validate the server’s certificate.

Certificate Formats and Hadoop Components

Component JKS PEM
HBase ~
HDFS ~
Hive (Hive clients and HiveServer 2) ~
Hue ~
Impala ~
MapReduce ~
Oozie ~
Solr ~
YARN ~