Cloudera Docs

Configuring TLS/SSL encryption manually for Ozone HttpFS gateway

You can configure TLS/SSL encryption manually for Ozone HttpFS gateway using Cloudera Manager.

  • The keystores containing certificates that are bound to the proper domain names are accessible on all the hosts on which at least one Ozone role instance is running.
  • The hdfs user has read permissions to the keystore files for Ozone.
  • You must specify absolute paths to the keystore file. These settings apply to all hosts on which the various Ozone role instances run. Therefore, the paths that you specify must be valid on all the hosts. In addition, the keystore file names for Ozone must be the same on all hosts.
  • The Ozone HttpFS gateway is only available from the Ozone 718.2.0 parcel and from the Cloudera Manager version 7.10.1. For more information on other supported gateways, see Configuring TLS/SSL encryption manually for Ozone.

    Consider an example where you have separate certificates for the Ozone role instances on hosts node1.example.com and node2.example.com, and you have chosen to store the certificates in files with names ozone-node1.jks and ozone-node2.jks respectively. When deploying these keystores, you must provide them both with the same name on the target host, for example, ozone.jks.

  1. In Cloudera Manager, go to Ozone > Configuration.
  2. Search for tls/ssl.
  3. Enter the TLS/SSL properties for the various Ozone roles.
    Provide the values for the properties corresponding to the following fields on the Ozone configuration page:
    • Enable TLS/SSL for HttpFS Gateway
    • HttpFS Gateway TLS/SSL Server JKS Keystore File Location
    • HttpFS Gateway TLS/SSL Server JKS Keystore File Password
    • HttpFS Gateway TLS/SSL Server JKS Keystore Key Password
  4. Click Save Changes and restart the Ozone service.