Enable TLS/SSL for HiveServer

You can secure client-server communications with the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocol, which uses symmetric-key encryption for the data in transit. To encrypt data exchanged between HiveServer and its clients, you can use Cloudera Manager to configure TLS/SSL.

Before you begin, make sure that:
  • HiveServer has the necessary server key, certificate, keystore, and trust store set up on the host system.
  • The fully qualified host name ($(hostname -f)) was used in the Java keytool command that created the key and keystore ($(hostname -f)-server.jks), as in this example:
    $ sudo keytool -genkeypair -alias $(hostname -f)-server -keyalg RSA -keystore \
        /opt/cloudera/security/pki/$(hostname -f)-server.jks -keysize 2048 -dname \
        "CN=$(hostname -f),OU=dept-name-optional,O=company-name,L=city,ST=state,C=two-letter-country-code" \
        -storepass password -keypass password
  1. In Cloudera Manager, navigate to Clusters > HIVE_ON_TEZ-1 > Configuration.
  2. In Filters, select HIVE_ON_TEZ-1 for the scope.
  3. Select Security for the category.
  4. In Enable TLS/SSL for HiveServer2, check HIVE_ON_TEZ-1.
  5. Enter the path to the Java keystore on the host system, for example:
    /opt/cloudera/security/pki/server-name-server.jks
  6. Enter the password for the keystore you used on the Java keytool command-line when the key and keystore were created.
    The password for the keystore must match the password for the key.
  7. Enter the path to the Java trust store on the host system.
    Cloudera clusters are typically configured to use the alternative trust store, jssecacerts, set up at $JAVA_HOME/jre/lib/security/jssecacerts.
  8. Click Save Changes.
  9. Restart the Hive service.
  10. Construct a connection string for encrypting communications using TLS/SSL:
    jdbc:hive2://<host>:<port>/<dbName>;ssl=true;sslTrustStore=<ssl_truststore_path>;trustStorePassword=<truststore_password>;<otherSessionConfs>?<hiveConfs>#<hiveVars>
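The following is an added example, not Cloudera's or Hive's own code: it assembles the step 10 connection string from its parts, parses one back so you can audit whether a client URL actually requests TLS (ssl=true plus a trust store in the session section), and classifies the trust store file from step 7 by its header bytes so you can confirm the file at that path is a Java keystore. The host name, port, and passwords in the comments are constructed sample values.

```python
"""Assemble and audit the HiveServer2 TLS JDBC URL from step 10 (added example,
not Cloudera's or Hive's own code). Assumed layout:
jdbc:hive2://<host>:<port>/<db>;<session confs>?<hive confs>#<hive vars>"""
import struct

PREFIX = "jdbc:hive2://"

def build_hs2_url(host, port, db, truststore, truststore_password,
                  session_confs=None, hive_confs=None, hive_vars=None):
    """Build the URL; ssl=true and the trust store go in the session section."""
    sess = {"ssl": "true", "sslTrustStore": truststore,
            "trustStorePassword": truststore_password, **(session_confs or {})}
    url = f"{PREFIX}{host}:{port}/{db};" + ";".join(f"{k}={v}" for k, v in sess.items())
    if hive_confs:   # after '?': hive.* settings applied to this session
        url += "?" + ";".join(f"{k}={v}" for k, v in hive_confs.items())
    if hive_vars:    # after '#': HiveQL substitution variables
        url += "#" + ";".join(f"{k}={v}" for k, v in hive_vars.items())
    return url

def parse_hs2_url(url):
    """Split a hive2 URL into host, port, db and its three key/value sections."""
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:hive2 URL")
    body, _, var_part = url[len(PREFIX):].partition("#")
    body, _, conf_part = body.partition("?")
    authority, _, sess_part = body.partition(";")
    hostport, _, db = authority.partition("/")
    host, _, port = hostport.partition(":")
    kv = lambda s: dict(p.split("=", 1) for p in s.split(";") if "=" in p)
    return {"host": host, "port": int(port or 10000), "db": db,
            "session": kv(sess_part), "hiveconf": kv(conf_part), "hivevar": kv(var_part)}

def url_is_encrypted(url):
    """Audit check: TLS is on only if ssl=true and a trust store are session params."""
    s = parse_hs2_url(url)["session"]
    return s.get("ssl", "").lower() == "true" and "sslTrustStore" in s

def keystore_format(head):
    """Classify a trust store by its first bytes: JKS, JCEKS, PKCS12 or unknown.
    Call as keystore_format(open(path, "rb").read(4)) on the step 7 path."""
    head = head[:4]
    if len(head) < 4:
        return "unknown"
    magic = struct.unpack(">I", head)[0]
    if magic == 0xFEEDFEED:
        return "JKS"     # JKS keystore magic number
    if magic == 0xCECECECE:
        return "JCEKS"   # JCEKS keystore magic number
    return "PKCS12" if head[0] == 0x30 else "unknown"  # 0x30 = ASN.1 SEQUENCE
```

Example: build_hs2_url("hs2.example.com", 10000, "default", "/opt/cloudera/security/pki/jssecacerts", "changeit") yields a URL for which url_is_encrypted returns True, whereas a plain jdbc:hive2://hs2.example.com:10000/default returns False.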