Cloudera Docs

Creating a truststore file in PEM format

You must create the Data Explorer Truststore by consolidating certificates of all SSL-enabled servers (or a single CA Certificate chain) that Data Explorer communicates with into one file. This generally includes certificates of all the Oozie, HDFS, MapReduce, and YARN daemons, and any other SSL-enabled services.

Server certificates are stored in Java KeyStore (JKS) format. The Data Explorer Truststore must be in the Privacy Enhanced Mail (PEM) format whereas other services use the JKS format by default. To create the Data Explorer truststore, extract each certificate from Hadoop's Java Keystore with the Java keytool, convert the certificate to PEM format with the OpenSSL.org openssl tool, and then add it to the Data Explorer truststore:

  1. Extract the certificate from the keystore of each TLS/SSL-enabled server with which Data Explorer communicates. For example, if you have hadoop-server.keystore that contains a server certificate, foo-1.example.com with a password of example123, you would use the following keytool command: 
    keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com -storepass example123 -file foo-1.cert
  2. Convert each certificate into a PEM file. Here is what the openssl tool command looks like for the foo-1.cert file that was extracted in Step 1: 
    openssl x509 -inform der -in foo-1.cert > foo-1.pem
  3. Concatenate all the PEM certificates you extracted and converted from the server truststore into one PEM file: 
    cat foo-1.pem foo-2.pem foo-n.pem ... > hue_truststore.pem
    Concatenate the certificate files in the following order: SSL certificate followed by intermediate certificate, followed by the root CA certificate.
  4. Log in to Cloudera Manager as an Administrator.
  5. Go to Clusters > Hue > Configuration and add the following line in the Hue Service Environment Advanced Configuration Snippet (Safety Valve) field: 
    ​REQUESTS_CA_BUNDLE=[***PATH-TO-HUETRUST.PEM-FIL E***]
  6. Click Save Changes.
  7. Restart the Data Explorer service.