Configure TLS/SSL for HDFS

Enabling TLS/SSL on HDFS is required before it can be enabled on YARN.

Cloudera recommends you enable web UI authentication for the HDFS service. Web UI authentication uses SPNEGO. After enabling this, you cannot access the Hadoop web consoles without a valid Kerberos ticket and proper client-side configuration.

  1. In Cloudera Manager, select the HDFS service.
  2. Click the Configuration tab.
  3. Search for TLS/SSL.
  4. Find and edit the following properties according to your cluster configuration:

    | Property | Description |
    | --- | --- |
    | Hadoop TLS/SSL Server Keystore File Location | Path to the keystore file containing the server certificate and private key. |
    | Hadoop TLS/SSL Server Keystore File Password | Password for the server keystore file. |
    | Hadoop TLS/SSL Server Keystore Key Password | Password that protects the private key contained in the server keystore. |

If you are not using the default truststore, do the following:

  1. Configure TLS/SSL client truststore properties.

    | Property | Description |
    | --- | --- |
    | Cluster-Wide Default TLS/SSL Client Truststore Location | Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers. |
    | Cluster-Wide Default TLS/SSL Client Truststore Password | Password for the client truststore file. |

If you want to enable web UI authentication for the HDFS service, do the following:

  1. Search for web consoles.
  2. Find the Enable Authentication for HTTP Web-Consoles property.
  3. Check the property to enable web UI authentication.
  4. Click Save Changes.
  5. Configure TLS/SSL for YARN.
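
Before entering the keystore and truststore paths above, it helps to confirm that each file holds what the property descriptions expect. The following script is an added example, not part of the Cloudera documentation: it checks `keytool -list -v` output for a private key entry in the server keystore, for certificate-only content in the truststore, and for a world-readable keystore file. The file paths, the `KS_PASS` and `TS_PASS` variable names, and the sample listings are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on the keystore and truststore files.
# Paths and the KS_PASS / TS_PASS variable names are assumptions.

# Count entries of type $1 in `keytool -list -v` output read from stdin.
count_entries() { grep -c "^Entry type: $1\$" || true; }

# The server keystore needs a key pair: at least one PrivateKeyEntry.
keystore_ok() { [ "$(count_entries PrivateKeyEntry)" -ge 1 ]; }

# The truststore should hold certificates only, never a private key.
truststore_ok() {
  local listing; listing=$(cat)
  [ "$(printf '%s\n' "$listing" | count_entries trustedCertEntry)" -ge 1 ] &&
    [ "$(printf '%s\n' "$listing" | count_entries PrivateKeyEntry)" -eq 0 ]
}

# True when "other" can read the file (the keystore holds the private key).
world_readable() { [ -n "$(find "$1" -prune -perm -004)" ]; }

# Constructed samples of `keytool -list -v` output (not from a real cluster).
SAMPLE_KEYSTORE_LISTING='Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: host1.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2'
SAMPLE_TRUSTSTORE_LISTING='Keystore type: JKS
Your keystore contains 1 entry

Alias name: example-root-ca
Entry type: trustedCertEntry'

# Check real files. Passwords are read from the environment through
# keytool's -storepass:env modifier so they stay off the command line.
preflight() {
  local ks=$1 ts=$2 rc=0
  keytool -list -v -keystore "$ks" -storepass:env KS_PASS | keystore_ok ||
    { echo "FAIL: no PrivateKeyEntry in $ks"; rc=1; }
  keytool -list -v -keystore "$ts" -storepass:env TS_PASS | truststore_ok ||
    { echo "FAIL: $ts lacks trusted certs or contains a private key"; rc=1; }
  if world_readable "$ks"; then echo "FAIL: $ks is world-readable"; rc=1; fi
  return "$rc"
}

# Usage: KS_PASS=... TS_PASS=... ./preflight.sh <keystore> <truststore>
if [ "$#" -eq 2 ]; then preflight "$@"; fi
```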