Enabling Hue as a TLS/SSL server using Cloudera Manager

You can use Cloudera Manager to enable TLS/SSL for the Hue server.

  1. Log in to Cloudera Manager as an Administrator.
  2. Go to Clusters > Hue service > Configuration and filter by SCOPE > Hue Server and CATEGORY > Security.
  3. Edit the following Hue TLS/SSL properties according to your cluster configuration:
    • Enable TLS/SSL for Hue: Select the check box to encrypt communication between clients and Hue with TLS/SSL.
    • Hue TLS/SSL Server Certificate File (PEM Format) ssl_certificate: Specifies the path to the TLS/SSL certificate on the host that is running the Hue web server.

      Ensure that you include the complete chain in the ssl_certificate PEM file.

      The order of the certificates should be as follows, from top to bottom: server, intermediate, root.

      If there are multiple intermediate CA certificates, then you must add them in the correct order. For example:
      Subject: CN=Hue Server Certificate
      Issuer: CN=Intermediate 2
        Subject: CN=Intermediate 2
        Issuer: CN=Intermediate 1
          Subject: CN=Intermediate 1
          Issuer: CN=RootCA
            Subject: CN=RootCA
            Issuer: CN=RootCA
    • Hue TLS/SSL Server Private Key File (PEM Format) ssl_private_key: Specifies the path to the TLS/SSL private key on the host running the Hue web server.
    • Hue TLS/SSL Private Key Password ssl_password: Specifies the password for the private key in the Hue TLS/SSL Server Certificate and Private Key file.
    • Hue TLS/SSL Server CA Certificate (PEM Format) ssl_cacerts: Specifies the path to the TLS/SSL certificate authority root certificate on the host that is running the Hue web server.
  4. Add the path to the certificate chain PEM file in the [desktop] section of the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field:
  5. Click Save Changes.
  6. Select Actions > Restart to restart the Hue service.
Change the permissions for Hue to read the certificates after you have enabled TLS/SSL as follows: