Configuring SSL for Hue

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Hue as an SSL Client

Hue acts as an SSL client when communicating with Oozie, HBase and core Hadoop services. This means it may have to authenticate HDFS, MapReduce, and YARN daemons, as well as the HBase Thrift Server, and will need their certificates (or the relevant CA certificate) in its truststore.

Deploying the Hue Truststore:

You can create the Hue truststore by consolidating the certificates of all SSL-enabled servers that Hue communicates with (or a single CA certificate chain) into one file. This will generally include certificates of all the HDFS, MapReduce and YARN daemons, and other SSL-enabled services such as Oozie.

The Hue truststore must be in PEM format whereas other services use JKS format by default. Hence, to populate the Hue truststore, you will need to extract the certificates from Hadoop's JKS keystores and convert them to PEM format. The following example assumes that hadoop-server.keystore contains the server certificate identified by alias foo-1.example.com and password example123.
$ keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com \
        -storepass example123 -file foo-1.cert
$ openssl x509 -inform der -in foo-1.cert > foo-1.pem
Once you've done this for each host in the cluster, you can concatenate the PEM files into one PEM file that can serve as the Hue truststore.
cat foo-1.pem foo-2.pem ... > huetrust.pem
In Cloudera Manager, set REQUESTS_CA_BUNDLE to the path of the consolidated PEM file, huetrust.pem, created above. To do this:
  1. Open the Cloudera Manager Admin Console and navigate to the Hue service.
  2. Click Configuration.
  3. In the Search field, type Hue Service Environment to show the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property (found under the Service-Wide > Advanced category).
  4. Click the Value column to enable editing, and add the REQUESTS_CA_BUNDLE property set to the path of the Hue truststore in PEM format.
  5. Click Save Changes.
  6. Restart the Hue service.
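
A concatenated bundle is easy to get wrong: a DER file (foo-1.cert) concatenated instead of its PEM conversion, a private key block pasted in, or the same certificate added twice. The following added example, which is not part of the original documentation, lints the consolidated file before REQUESTS_CA_BUNDLE points at it. The names lint_truststore, make_pem and SAMPLE are hypothetical, the sample bytes are constructed placeholders rather than real certificates, and the check is structural only (it does not verify signatures or expiry).

```python
import base64
import hashlib
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def lint_truststore(data: bytes) -> list:
    """Return the problems found in a consolidated PEM truststore."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # Typical cause: foo-1.cert (DER) was concatenated instead of foo-1.pem.
        return ["non-ASCII bytes: DER input concatenated without conversion?"]
    problems, seen = [], set()
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for n, (label, body) in enumerate(blocks, start=1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {n}: private key material in truststore")
            continue
        if label != "CERTIFICATE":
            problems.append(f"block {n}: unexpected PEM type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {n}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER always opens with SEQUENCE
            problems.append(f"block {n}: payload is not a DER SEQUENCE")
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            problems.append(f"block {n}: duplicate certificate")
        seen.add(digest)
    if PEM_BLOCK.sub("", text).strip():  # e.g. a truncated block
        problems.append("stray text outside PEM blocks")
    return problems

def make_pem(label: str, der: bytes) -> str:
    """Wrap bytes in PEM armour; used only to build the constructed samples."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample: placeholder bytes, not real certificates.
SAMPLE = (make_pem("CERTIFICATE", b"\x30\x03abc")
          + make_pem("PRIVATE KEY", b"\x30\x03key")).encode("ascii")
print(lint_truststore(SAMPLE))
```

To check a real bundle, pass the file's bytes to the function, for example lint_truststore(open("huetrust.pem", "rb").read()); an empty list means no structural problem was found.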

Hue as an SSL Server

Hue expects certificates and keys to be stored in PEM format. When managing certificates and keys for such services, using the openssl tool may be more convenient. To configure Hue to use HTTPS, you must generate a private key that does not require a passphrase and a self-signed SSL certificate.
openssl genrsa 4096 > server.key
openssl req -new -x509 -nodes -sha256 -key server.key > server.cert
Ensure secure session cookies for Hue have been enabled in hue.ini under [desktop]>[[session]].
[desktop]
  [[session]]
  secure=true
For more details on configuring Hue with SSL, see this blog post.

Enabling SSL for the Hue Server using the Command Line

If you are not using Cloudera Manager, update the following properties in hue.ini under [desktop].
[desktop]
 ssl_certificate=/path/to/server.cert
 ssl_private_key=/path/to/server.key

Enabling SSL for the Hue Server in Cloudera Manager

Perform the following steps in Cloudera Manager to enable SSL for the Hue web server.
  1. Open the Cloudera Manager Admin Console and navigate to the Hue service.
  2. Click Configuration.
  3. In the Search field, type SSL to show the Hue SSL properties (found under the Hue Server Default Group category).
  4. Edit the following SSL properties according to your cluster configuration.
    Property: Description
    Enable HTTPS: Enable HTTPS for the Hue web server.
    Local Path to SSL Certificate: Path to the SSL certificate on the host running the Hue web server.
    Local Path to SSL Private Key: Path to the SSL private key on the host running the Hue web server. Hue only supports a key without a passphrase.
  5. Click Save Changes.
  6. Restart the Hue service.