Configure TLS/SSL for YARN
If you enabled TLS/SSL for HDFS, you must also enable it for YARN.
If you enable TLS/SSL for HDFS, you must also enable it for YARN.
Cloudera recommends to enable Web UI authentication for YARN.
- In Cloudera Manager, select the YARN service.
- Click the Configuration tab.
- Search for TLS/SSL.
-
Find and edit the following properties according to your cluster
configuration:
Property Description Hadoop TLS/SSL Server Keystore File Location Path to the keystore file containing the server certificate and private key. Hadoop TLS/SSL Server Keystore File Password Password for the server keystore file. Hadoop TLS/SSL Server Keystore Key Password Password that protects the private key contained in the server keystore.
If you want to override the cluster-wide defaults set by the HDFS
properties, do the following:
-
Configure the following TLS/SSL client truststore properties for YARN.
Property Description TLS/SSL Client Truststore File Location Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers. TLS/SSL Client Truststore File Password Password for the client truststore file.
If you want to enable the TSL/SSL for YARN Queue Manager, do the
following:
- In Cloudera Manager, select the QUEUE MANAGER service.
- Click the Configuration tab.
- Search for TSL/SSL.
- Select the Enable TLS/SSL for YARN Queue Manager Store checkbox to encrypt communication between clients and YARN Queue Manager Store .
-
Configure the following properties according to your cluster
configuration:
Property Description TLS/SSL Server JKS Keystore File Location Path to the JKS keystore file containing the server and private key. TLS/SSL Server JKS Keystore File Password Password for the JKS keystore file. - Select the Enable TLS/SSL for YARN Queue Manager Webapp checkbox to encrypt communication between clients and YARN Queue Manager Webapp.
-
Configure the following properties according to your cluster
configuration:
Property Description Webapp TLS/SSL Server JKS Keystore File Location Path to the JKS keystore file containing the server and private key. Webapp TLS/SSL Server JKS Keystore File Password Password for the Webapp JKS keystore file. Webapp TLS/SSL Client Trust Store File Path to the client JKS truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers. Webapp TLS/SSL Client Trust Store Password Password for the Webapp truststore file.
If you want to enable Web UI authentication for YARN, do the
following:
- Searh for web consoles.
- Find the Enable Authentication for HTTP Web-Consoles property.
-
Check the property to enable web UI authentication.
- Click Save Changes.
- Go back to the home page, by clicking the Cloudera Manager logo.
- Select the HDFS service.
- Click the Configuration tab.
- Search for Hadoop SSL Enabled.
-
Find and select the Hadoop SSL Enabled property.
The SSL communication for HDFS and YARN is enabled.
- Click Save Changes.
- Click the Stale Service Restart icon that is next to the service to invoke the cluster restart wizard.
- Click Restart Stale Services.
- Select Re-deploy client configuration.
- Click Restart Now.