Configuring SSL for HBase

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • Before enabling SSL, ensure that keystores containing certificates bound to the appropriate domain names are accessible on all hosts on which at least one HBase daemon role is running.
  • Keystores for HBase must be owned by the hbase group, and have permissions 0440 (that is, readable by owner and group).
  • You must specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the HBase service run. Therefore, the paths you choose must be valid on all hosts.
  • Cloudera Manager supports the SSL configuration for HBase at the service level, so the same keystore and truststore paths are applied to every host on which daemon roles of the service run.

    An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for HBase daemons on hosts node1.example.com and node2.example.com, you might have chosen to store these certificates in files called hbase-node1.keystore and hbase-node2.keystore (respectively). When deploying these keystores, you must give them both the same name on the target host — for example, hbase.keystore.
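
A pre-flight check for the keystore requirements listed above, to run on each HBase host before enabling TLS/SSL. This is an added example, not part of the Cloudera documentation; the function name check_keystore, the sample path in the final comment, and the use of GNU stat (Linux) are assumptions.

```shell
#!/bin/sh
# Added example: verify that a keystore meets the prerequisites above.
# Usage: check_keystore PATH [GROUP]   (GROUP defaults to hbase)
# Prints one line per finding; returns 0 only if every check passes.
check_keystore() {
    ks=$1
    want_group=${2:-hbase}
    rc=0

    # One path is applied to every host, so it must be absolute.
    case $ks in
        /*) ;;
        *) echo "FAIL: '$ks' is not an absolute path"; return 1 ;;
    esac

    # The same file name must exist on each host running an HBase role.
    if [ ! -f "$ks" ]; then
        echo "FAIL: $ks does not exist on this host"
        return 1
    fi

    # GNU stat: %a is the octal mode, %G is the owning group name.
    mode=$(stat -c '%a' "$ks")
    group=$(stat -c '%G' "$ks")

    if [ "$mode" != "440" ]; then
        echo "FAIL: $ks has mode $mode, expected 0440"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $ks has group $group, expected $want_group"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $ks (mode 0$mode, group $group)"
    fi
    return "$rc"
}

# Example call (constructed sample path, not taken from the documentation):
# check_keystore /opt/cloudera/security/jks/hbase.keystore
```

Running the same call on every host confirms that the path configured in Cloudera Manager resolves to a correctly protected file everywhere.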

Configuring TLS/SSL for HBase Web UIs

The steps for configuring and enabling TLS/SSL for HBase are similar to those for HDFS, YARN and MapReduce:
  1. Go to the HBase service.
  2. Click the Configuration tab.
  3. Select Scope > HBASE (Service-Wide).
  4. Select Category > Security.
  5. In the Search field, type TLS/SSL to show the HBase TLS/SSL properties.
  6. Edit the following TLS/SSL properties according to your cluster configuration:
    HBase TLS/SSL Properties
    Property: Description
    HBase TLS/SSL Server JKS Keystore File Location: Path to the keystore file containing the server certificate and private key used for encrypted web UIs.
    HBase TLS/SSL Server JKS Keystore File Password: Password for the server keystore file used for encrypted web UIs.
    HBase TLS/SSL Server JKS Keystore Key Password: Password that protects the private key contained in the server keystore used for encrypted web UIs.
  7. Check the Web UI TLS/SSL Encryption Enabled property.
    Web UI TLS/SSL Encryption Enabled: Enable TLS/SSL encryption for the HBase Master, RegionServer, Thrift Server, and REST Server web UIs.
  8. Click Save Changes to commit the changes.
  9. Restart the HBase service.

Configuring TLS/SSL for HBase REST Server

  1. Go to the HBase service.
  2. Click the Configuration tab.
  3. Select Scope > HBASE (Service-Wide).
  4. Select Category > Security.
  5. In the Search field, type SSL to show the HBase SSL properties.
  6. Edit the following SSL properties according to your cluster configuration:
    HBase SSL Properties
    Property: Description
    SSL Server Keystore File Location: Path to the keystore file containing the server certificate and private key.
    SSL Server Keystore File Password: Password for the server keystore file.
    SSL Server Keystore Key Password: Password that protects the private key contained in the server keystore.
  7. Check the Web UI SSL Encryption Enabled property.
    Web UI SSL Encryption Enabled: Enable SSL encryption for the HBase Master, RegionServer, Thrift Server, and REST Server web UIs.
  8. Click Save Changes.
  9. Restart the HBase service.