Configuring TLS/SSL encryption manually for Ozone HttpFS gateway
You can configure TLS/SSL encryption manually for Ozone HttpFS gateway using the below procedure.
- The keystores containing certificates that are bound to the proper domain names are accessible on all the hosts on which at least one Ozone role instance is running.
hdfsuser has read permissions to the keystore files for Ozone.
- You must specify absolute paths to the keystore file. These settings apply to all hosts on which the various Ozone role instances run. Therefore, the paths that you specify must be valid on all the hosts. In addition, the keystore file names for Ozone must be the same on all hosts.
- The Ozone HttpFS gateway is only available from the Ozone Parcel 2.0 and from
the Cloudera Manager version 7.10.1. For more information on other supported
gateways, see Configuring TLS/SSL encryption manually for
Consider an example where you have separate certificates for the Ozone role instances on hosts
node2.example.com, and you have chosen to store the certificates in files with names
ozone-node2.jksrespectively. When deploying these keystores, you must provide them both with the same name on the target host, for example,
- In Cloudera Manager, go to .
- Search for tls/ssl.
Enter the TLS/SSL properties for the various Ozone roles.
Provide the values for the properties corresponding to the following fields on the Ozone configuration page:
- Enable TLS/SSL for HttpFS Gateway
- HttpFS Gateway TLS/SSL Server JKS Keystore File Location
- HttpFS Gateway TLS/SSL Server JKS Keystore File Password
- HttpFS Gateway TLS/SSL Server JKS Keystore Key Password
- Click Save Changes and restart the Ozone service.