Configuring TLS/SSL encryption manually for Ozone HttpFS gateway
You can configure TLS/SSL encryption manually for Ozone HttpFS gateway using Cloudera Manager.
- The keystores containing certificates that are bound to the proper domain names are accessible on all the hosts on which at least one Ozone role instance is running.
- The
hdfs
user has read permissions to the keystore files for Ozone. - You must specify absolute paths to the keystore file. These settings apply to all hosts on which the various Ozone role instances run. Therefore, the paths that you specify must be valid on all the hosts. In addition, the keystore file names for Ozone must be the same on all hosts.
- The Ozone HttpFS gateway is only available from the Ozone 718.2.0 parcel and
from the Cloudera Manager version 7.10.1. For more information on other
supported gateways, see Configuring TLS/SSL encryption manually for
Ozone.
Consider an example where you have separate certificates for the Ozone role instances on hosts
node1.example.com
andnode2.example.com
, and you have chosen to store the certificates in files with namesozone-node1.jks
andozone-node2.jks
respectively. When deploying these keystores, you must provide them both with the same name on the target host, for example,ozone.jks
.