Configuring SSL for Oozie

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • Keystores for Oozie must be readable by the oozie user. This could be a copy of the Hadoop services' keystore with permissions 0440 and owned by the oozie group.
  • Truststores must have permissions 0444 (that is, readable by all).
  • Specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the Oozie service run. Therefore, the paths you choose must be valid on all hosts.
  • If a DataNode and an Oozie server run on the same host, they can use the same certificate.
For more information on obtaining signed certificates and creating keystores, see SSL Certificates Overview. You can also consult the upstream Apache Oozie documentation.
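The following shell function is an added example, not part of the original page or of Cloudera's tooling: it checks the keystore and truststore prerequisites listed above (absolute paths, keystore mode 0440 and owned by the oozie group, truststore mode 0444) on the host where it runs. It assumes GNU coreutils stat (Linux); the group name defaults to oozie but can be overridden.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the Oozie SSL keystore
# and truststore meet the prerequisites before SSL is enabled.
# Assumes GNU `stat -c`. Usage: check_oozie_ssl_files KEYSTORE TRUSTSTORE [GROUP]
# Returns 0 when every check passes, 1 otherwise; failures are reported on stderr.
check_oozie_ssl_files() {
    keystore=$1
    truststore=$2
    group=${3:-oozie}   # group that must own the keystore (oozie by default)
    rc=0

    # Paths must be absolute: the same setting is applied on every Oozie host.
    for f in "$keystore" "$truststore"; do
        case $f in
            /*) ;;
            *) echo "not an absolute path: $f" >&2; rc=1 ;;
        esac
        [ -f "$f" ] || { echo "missing file: $f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # Keystore: mode 0440 and owned by the oozie group, so the oozie user can read
    # the private key but it is not world-readable.
    mode=$(stat -c '%a' "$keystore")
    grp=$(stat -c '%G' "$keystore")
    [ "$mode" = "440" ] || { echo "keystore $keystore has mode $mode, expected 0440" >&2; rc=1; }
    [ "$grp" = "$group" ] || { echo "keystore $keystore has group $grp, expected $group" >&2; rc=1; }

    # Truststore: holds only public certificates and must be readable by all (0444).
    mode=$(stat -c '%a' "$truststore")
    [ "$mode" = "444" ] || { echo "truststore $truststore has mode $mode, expected 0444" >&2; rc=1; }

    return "$rc"
}

# When run as a script with arguments, check the given files and exit with the result.
if [ "$#" -ge 2 ]; then
    check_oozie_ssl_files "$@"
    exit "$?"
fi
```

Run it on every host where an Oozie daemon role runs, since the configured paths must be valid on all of them.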

Using Cloudera Manager

The steps for configuring and enabling Hadoop SSL for Oozie are as follows:
  1. Open the Cloudera Manager Admin Console and navigate to the Oozie service.
  2. Click Configuration.
  3. In the Search field, type SSL to show the Oozie SSL properties (found under the Service-Wide > Security category).
  4. Edit the following SSL properties according to your cluster configuration.
    Oozie SSL Properties
    Property                     Description
    Use SSL                      Check this field to enable SSL for Oozie.
    Oozie SSL Keystore File      Location of the keystore file on the local file system.
    Oozie SSL Keystore Password  Password for the keystore.
  5. Click Save Changes.
  6. Restart the Oozie service.

Using the Command Line

To configure the Oozie server to use SSL:
  1. Stop Oozie by running
    sudo /sbin/service oozie stop
  2. To enable SSL, use the alternatives command to select the HTTPS Tomcat configuration that matches the MapReduce version the Oozie server should work with.
    For RHEL systems, to use YARN with SSL:
    alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https
    For RHEL systems, to use MapReduce (MRv1) with SSL:
    alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https.mr1
  3. Start Oozie by running
    sudo /sbin/service oozie start

Connect to the Oozie Web UI using SSL (HTTPS)

Use https://oozie.server.hostname:11443/oozie. If you use http://oozie.server.hostname:11000/oozie instead, most browsers are automatically redirected to the HTTPS address.

Additional Considerations when Configuring SSL for Oozie HA

Configure the load balancer to perform SSL pass-through. This will allow clients talking to Oozie to use the SSL certificate provided by the Oozie servers (so the load balancer will not need one). Consult your load balancer's documentation on how to configure this. Make sure to point the load balancer at the https://HOST:HTTPS_PORT addresses for your Oozie servers. Clients can then connect to the load balancer at https://LOAD_BALANCER_HOST:PORT.