This is the documentation for Cloudera Manager 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Configuring SSL for Hue

Hue as an SSL Client

Hue acts as an SSL client when communicating with Oozie, HBase and core Hadoop services. This means it may have to authenticate authenticate HDFS, MapReduce, and YARN daemons, as well as the HBase Thrift Server, and will need their certificates (or the relevant CA certificate) in its truststore.

Deploying the Hue Truststore:

You can create the Hue truststore by consolidating certificates of all SSL-enabled servers (or a single CA certificate chain) that Hue communicates with into one file. This will generally include certificates of all the HDFS, MapReduce and YARN daemons, and other SSL-enabled services such as Oozie..

The Hue truststore must be in PEM format whereas other services use JKS format by default. Hence, to populate the Hue truststore, you will need to extract the certificates from Hadoop's JKS keystores and convert them to PEM format. The following example assumes that hadoop-server.keystore contains the server certificate identified by alias foo-1.example.com and password example123.
$ keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com \
        -storepass example123 -file foo-1.cert
$ openssl x509 -inform der -in foo-1.cert > foo-1.pem
Once you've done this for each host in the cluster, you can concatenate the PEM files into one PEM file that can serve as the Hue truststore.
cat foo-1.pem foo-2.pem ... > huetrust.pem
  Note: Ensure the final PEM truststore is deployed in a location that is accessible by the Hue service.
In Cloudera Manager, set REQUESTS_CA_BUNDLE to the path of the consolidated PEM file, huetrust.pem created above. To do this:
  1. Open the Cloudera Manager Admin Console and navigate to the Hue service.
  2. Click Configuration.
  3. In the Search field, type Hue Service Environment to show the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property (found under the Service-Wide > Advanced category).
  4. Click the Value column to enable editing, and add the REQUESTS_CA_BUNDLE property set to the path of the Hue truststore in PEM format.
  5. Click Save Changes.
  6. Restart the Hue service.

Hue as an SSL Server

Perform the following steps to enable SSL for the Hue web server.

  1. Open the Cloudera Manager Admin Console and navigate to the Hue service.
  2. Click Configuration.
  3. In the Search field, type SSL to show the Hue SSL properties (found under the Hue Server Default Group category).
  4. Edit the following SSL properties according to your cluster configuration.
    Table 1. Hue SSL Properties
    Property Description
    Enable HTTPS Enable HTTPS for the Hue web server.
    Local Path to SSL Certificate Path to the SSL certificate on the host running the Hue web server.
    Local Path to SSL Private Key Path to the SSL private key on the host running the Hue web server. Hue only supports a key without a passphrase.
  5. Click Save Changes.
  6. Restart the Hue service.
Page generated September 3, 2015.