Configure TLS encryption manually for Phoenix Query Server
You can encrypt communication between clients and the Phoenix Query Server using Transport Layer Security (TLS) formerly known as Secure Socket Layer (SSL). You must follow these steps to manually configure TLS for Phoenix Query Server.
- Keystores containing certificates bound to the appropriate domain names must be accessible on all hosts running the Phoenix Query Server role of the Phoenix service.
- Keystores for Phoenix must be owned by the phoenix group, and have 0440 file permissions (that is, the file must be readable by the owner and group).
- Absolute paths to the keystore and truststore files must be specified. These settings apply to all hosts on which daemon roles of the Phoenix service run. Therefore, the paths you choose must be valid on all hosts.
- The Cloudera Manager version must support the TLS/SSL configuration for Phoenix
at the service level. Ensure you specify absolute paths to the keystore and
truststore files. These settings apply to all hosts on which daemon roles of the
service in question run. Therefore, the paths you choose must be valid on all
An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for Phoenix daemons on hosts
node2.example.com, you might have chosen to store these certificates in files called
phoenix-node2.keystore(respectively). When deploying these keystores, you must give them both the same name on the target host — for example,
- In Cloudera Manager, select the Phoenix service.
- Click the Configuration tab.
- Use the Scope / Query Server filter.
- Select Enable TLS/SSL for Query Server.
Edit the following TLS/SSL properties according to your configuration.
Table 1. Property Description Query Server TLS/SSL Server JKS Keystore File Location The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Query Server is acting as a TLS/SSL server. The keystore must be in JKS format. Query Server TLS/SSL Server JKS Keystore File Password The password for the Query Server JKS keystore file. Query Server TLS/SSL Client Trust Store File The location on disk of the truststore file, in .jks format, used to confirm the authenticity of TLS/SSL servers to which the Query Server might connect. This is used when Query Server is the client in a TLS/SSL connection. This truststore file must contain the certificate(s) used to sign the connected service(s). If this parameter is not specified, the default list of known certificate authorities is used instead. Query Server TLS/SSL Client Trust Store Password The password for the Query Server TLS/SSL Certificate Trust Store File. This password is not mandatory to access the truststore; this field is optional. This password provides optional integrity checking of the file. The contents of truststores are certificates, and certificates are public information.
- Click Save Changes.
- Restart the Phoenix service.