Configure TLS/SSL for YARN

If you enabled TLS/SSL for HDFS, you must also enable it for YARN.

Cloudera recommends enabling Web UI authentication for YARN.

  1. In Cloudera Manager, select the YARN service.
  2. Click the Configuration tab.
  3. Search for TLS/SSL.
  4. Find and edit the following properties according to your cluster configuration:
    | Property | Description |
    |---|---|
    | Hadoop TLS/SSL Server Keystore File Location | Path to the keystore file containing the server certificate and private key. |
    | Hadoop TLS/SSL Server Keystore File Password | Password for the server keystore file. |
    | Hadoop TLS/SSL Server Keystore Key Password | Password that protects the private key contained in the server keystore. |

If you want to override the cluster-wide defaults set by the HDFS properties, do the following:

  1. Configure the following TLS/SSL client truststore properties for YARN.
    | Property | Description |
    |---|---|
    | TLS/SSL Client Truststore File Location | Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers. |
    | TLS/SSL Client Truststore File Password | Password for the client truststore file. |
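
A pre-flight check for the keystore and truststore files named above, as an added example that is not part of the original page or Cloudera's code: it parses `keytool -list -v` output and reports a keystore with no private key entry or a server certificate whose chain does not reach the truststore. The two listings are constructed samples, and matching by distinguished-name text is a simplifying assumption, not full chain validation.

```python
# Added example; both listings are constructed samples of `keytool -list -v` text.
KEYSTORE_LISTING = """\
Alias name: yarn-host1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yarn-host1.example.com, O=Example
Issuer: CN=Example Cluster CA, O=Example
"""
TRUSTSTORE_LISTING = """\
Alias name: clusterca
Entry type: trustedCertEntry

Owner: CN=Example Cluster CA, O=Example
Issuer: CN=Example Cluster CA, O=Example
"""

def parse_entries(listing):
    """Return one dict per alias: entry type plus owner and issuer DNs."""
    entries = []
    for line in listing.splitlines():
        key, sep, value = line.partition(": ")
        key, value = key.strip(), value.strip()
        if not sep:
            continue  # e.g. "Certificate[1]:" or blank lines
        if key == "Alias name":
            entries.append({"alias": value, "type": None, "owners": set(), "issuers": set()})
        elif entries and key == "Entry type":
            entries[-1]["type"] = value
        elif entries and key == "Owner":
            entries[-1]["owners"].add(value)
        elif entries and key == "Issuer":
            entries[-1]["issuers"].add(value)
    return entries

def check_stores(keystore_listing, truststore_listing):
    """Return a list of problems; an empty list means the pair is consistent."""
    trusted = set()
    for entry in parse_entries(truststore_listing):
        if entry["type"] == "trustedCertEntry":
            trusted |= entry["owners"]
    key_entries = [e for e in parse_entries(keystore_listing) if e["type"] == "PrivateKeyEntry"]
    problems = []
    if not key_entries:
        problems.append("keystore has no PrivateKeyEntry, so the server has no private key to use")
    for entry in key_entries:
        # Simplification: match by DN text; a chain is accepted if any certificate
        # in it is a trusted entry or was issued by one.
        if not (entry["owners"] | entry["issuers"]) & trusted:
            problems.append(f"{entry['alias']}: certificate chain does not reach the truststore")
    return problems
```

An empty list from `check_stores` means the keystore holds a private key entry and its certificate chain names a subject present in the truststore.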

If you want to enable TLS/SSL for YARN Queue Manager, do the following:

  1. In Cloudera Manager, select the QUEUE MANAGER service.
  2. Click the Configuration tab.
  3. Search for TLS/SSL.
  4. Select the Enable TLS/SSL for YARN Queue Manager Store checkbox to encrypt communication between clients and YARN Queue Manager Store.
  5. Configure the following properties according to your cluster configuration:
    | Property | Description |
    |---|---|
    | TLS/SSL Server JKS Keystore File Location | Path to the JKS keystore file containing the server certificate and private key. |
    | TLS/SSL Server JKS Keystore File Password | Password for the JKS keystore file. |
  6. Select the Enable TLS/SSL for YARN Queue Manager Webapp checkbox to encrypt communication between clients and YARN Queue Manager Webapp.
  7. Configure the following properties according to your cluster configuration:
    | Property | Description |
    |---|---|
    | Webapp TLS/SSL Server JKS Keystore File Location | Path to the JKS keystore file containing the server certificate and private key. |
    | Webapp TLS/SSL Server JKS Keystore File Password | Password for the Webapp JKS keystore file. |
    | Webapp TLS/SSL Client Trust Store File | Path to the client JKS truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers. |
    | Webapp TLS/SSL Client Trust Store Password | Password for the Webapp truststore file. |

If you want to enable Web UI authentication for YARN, do the following:

  1. Search for web consoles.
  2. Find the Enable Authentication for HTTP Web-Consoles property.
  3. Check the property to enable web UI authentication.
  4. Click Save Changes.
  5. Go back to the home page by clicking the Cloudera Manager logo.
  6. Select the HDFS service.
  7. Click the Configuration tab.
  8. Search for Hadoop SSL Enabled.
  9. Find and select the Hadoop SSL Enabled property.
    The SSL communication for HDFS and YARN is enabled.
  10. Click Save Changes.
  11. Click the Stale Service Restart icon that is next to the service to invoke the cluster restart wizard.
  12. Click Restart Stale Services.
  13. Select Re-deploy client configuration.
  14. Click Restart Now.