Creating a truststore file in PEM format
You must create the Hue Truststore by consolidating certificates of all SSL-enabled servers (or a single CA Certificate chain) that Hue communicates with into one file. This generally includes certificates of all the Oozie, HDFS, MapReduce, and YARN daemons, and any other SSL-enabled services.
Server certificates are stored in Java KeyStore (JKS) format. The Hue Truststore must be in
the Privacy Enhanced Mail (PEM) format whereas other services use the JKS format by default.
To create the Hue truststore, extract each certificate from Hadoop's Java Keystore with the
keytool, convert the certificate to PEM format with the OpenSSL.org
openssl tool, and then add it to the Hue truststore:
Extract the certificate from the keystore of each TLS/SSL-enabled server with
which Hue communicates. For example, if you have
hadoop-server.keystorethat contains a server certificate,
foo-1.example.comwith a password of
example123, you would use the following
keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com -storepass example123 -file foo-1.cert
Convert each certificate into a PEM file. Here is what the
openssltool command looks like for the
foo-1.certfile that was extracted in Step 1:
openssl x509 -inform der -in foo-1.cert > foo-1.pem
Concatenate all the PEM certificates you extracted and converted from the server
truststore into one PEM file:
cat foo-1.pem foo-2.pem foo-n.pem ... > hue_truststore.pemConcatenate the certificate files in the following order: SSL certificate followed by intermediate certificate, followed by the root CA certificate.
- Log in to Cloudera Manager as an Administrator.
Go to Hue Service Environment
Advanced Configuration Snippet (Safety Valve) field:
and add the following line in the
- Click Save Changes.
- Restart the Hue service.