Configure ZooKeeper TLS/SSL using Cloudera Manager
TLS/SSL encryption between the ZooKeeper client and the ZooKeeper server and within the ZooKeeper Quorum is supported.
- In each ZooKeeper server process the same ZooKeeper Server KeyStore / TrustStore configuration is used for both QuorumSSL and ClientSSL.
- HTTPS for the ZooKeeper REST Admin Server is still not supported. Even if you enable SSL for ZooKeeper, the AdminServer will still use HTTP only.
TLS/SSL encryption is automatically enabled when AutoTLS is enabled. As a result it is enabled by default in Data Hub cluster templates.
You can disable, enable and configure ZooKeeper TLS/SSL manually using Cloudera Manager:
- In Cloudera Manager, select the ZooKeeper service.
- Click the Configuration tab.
Find the Enable TLS/SSL for ZooKeeper property and
select it to enable TLS/SSL for ZooKeeper.
When TLS/SSL for ZooKeeper is enabled, two ZooKeeper features get enabled:
- QuorumSSL: the ZooKeeper servers are talking to each other using secure connection.
- ClientSSL: the ZooKeeper clients are using secure connection when talking to the ZooKeeper server.
Find the Secure Client Port property and change the port
number if necessary.
When ClientSSL is enabled, a new secure port is opened on the ZooKeeper server which handles the SSL connections. Its default value is 2182.
The old port (default: 2181) will still be available for unsecured connections. Unsecure port cannot be disabled in Cloudera Manager, because most components cannot support ZooKeeper TLS/SSL yet.
- Click Save Changes.