Configuring SSL/TLS Encryption for CDH Services
This section describes how to configure encryption for CDH services (HDFS, MapReduce, YARN, HBase, Hive, Impala, Hue and Oozie) focusing on SSL.
- Configuring SSL for HDFS, YARN and MapReduce
- Configuring SSL for HBase
- Configuring SSL for Flume Thrift Source and Sink
- Configuring Encrypted Communication Between Hive and Client Drivers
- Configuring SSL for Hue
- Configuring SSL for Impala
- Configuring SSL for Oozie
- Configuring SSL for Solr
- Configuring HttpFS to use SSL
- Encrypted Shuffle and Encrypted Web UIs
Prerequisites
- Cloudera recommends securing a cluster using Kerberos authentication before enabling encryption such as SSL on a cluster. If you enable SSL for a cluster that does not already have Kerberos authentication configured, a warning will be displayed.
- The following sections assume that you have created all the certificates required for SSL communication. If not, for information on how to do this, see Creating Certificates.
- The certificates and keys to be deployed in your cluster should be organized into the appropriate set of keystores and truststores. For more information, see Creating Java Keystores and Truststores.
Hadoop Services as SSL Servers and Clients
Hadoop services differ in their use of SSL as follows:
- HDFS, MapReduce, and YARN daemons act as both SSL servers and clients.
- HBase daemons act as SSL servers only.
- Oozie daemons act as SSL servers only.
- Hue acts as an SSL client to all of the above.
Compatible Certificate Formats for Hadoop Components
| Component | Compatible Certificate Format |
|---|---|
| HDFS | Java Keystore |
| MapReduce | Java Keystore |
| YARN | Java Keystore |
| Hue | PEM |
| Hive (for communication between Hive clients and HiveServer2) | Java Keystore |
| HBase | Java Keystore |
| Impala | PEM |
| Oozie | Java Keystore |