Short Description:
Steps to enable HTTPS (SSL/TLS) for WebHDFS.
Here are the complete steps to enable HTTPS for WebHDFS.
Step 1:
First, create the keystore to use in the HDFS configurations.
Follow the steps below if the certificate is being signed by a CA:
- 1. Generate a JKS keystore
- keytool -genkey -keyalg RSA -alias c6401 -keystore /tmp/keystore.jks -storepass bigdata -validity 360 -keysize 2048
- 2. Generate a CSR from the above keystore
- keytool -certreq -alias c6401 -keyalg RSA -file /tmp/c6401.csr -keystore /tmp/keystore.jks -storepass bigdata
- 3. Get the signed cert from the CA - file name is /tmp/c6401.crt
- 4. Import the root cert into the JKS first. (Skip if it is already present)
- keytool -import -alias root -file /tmp/ca.crt -keystore /tmp/keystore.jks -storepass bigdata
- Note: here ca.crt is the root cert
- 5. Repeat step 4 for the intermediate cert, if there is any.
- 6. Import the signed cert into the JKS
- keytool -import -alias c6401 -file /tmp/c6401.crt -keystore /tmp/keystore.jks -storepass bigdata
- 7. Import the root cert into the truststore (this creates a new truststore.jks)
- keytool -import -alias root -file /tmp/ca.crt -keystore /tmp/truststore.jks -storepass bigdata
- 8. Import the intermediate cert (if there is any) into the truststore (similar to step 7)
If the cert is self-signed:
- 1. Generate a JKS keystore
- keytool -genkey -keyalg RSA -alias c6401 -keystore /tmp/keystore.jks -storepass bigdata -validity 360 -keysize 2048
- Note: Use keystore.jks for the truststore configurations as well.
Repeat Step 1 on every master component host.
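Before moving on to the Hadoop configuration, it can help to confirm that the keystore actually contains the expected entry (and, for CA-signed certs, the full chain). A minimal sketch, using a throwaway keystore so nothing in /tmp/keystore.jks is touched; the -dname values and paths are placeholders, adjust them to your hosts:

```shell
# Build a throwaway keystore non-interactively (-dname skips the prompts).
keytool -genkeypair -keyalg RSA -alias c6401 \
  -dname "CN=c6401.example.com, OU=Hadoop, O=Example, C=US" \
  -keystore /tmp/verify-keystore.jks -storepass bigdata \
  -keypass bigdata -validity 360 -keysize 2048

# List the keystore to verify the alias is present; on a CA-signed keystore
# you should also see the root/intermediate entries imported above.
keytool -list -keystore /tmp/verify-keystore.jks -storepass bigdata
```

Running the same `keytool -list` against /tmp/keystore.jks and /tmp/truststore.jks before restarting HDFS catches most chain/password mistakes early.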
Step 2:
Log in to Ambari and add/configure the following properties in core-site.xml:
- hadoop.ssl.require.client.cert=false
- hadoop.ssl.hostname.verifier=DEFAULT
- hadoop.ssl.keystores.factory.class=org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory
- hadoop.ssl.server.conf=ssl-server.xml
- hadoop.ssl.client.conf=ssl-client.xml
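In core-site.xml these properties take the usual Hadoop property form; the fragment below is a direct transcription of the values listed above:

```xml
<!-- core-site.xml fragment assembled from the properties above -->
<property>
  <name>hadoop.ssl.require.client.cert</name>
  <value>false</value>
</property>
<property>
  <name>hadoop.ssl.hostname.verifier</name>
  <value>DEFAULT</value>
</property>
<property>
  <name>hadoop.ssl.keystores.factory.class</name>
  <value>org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory</value>
</property>
<property>
  <name>hadoop.ssl.server.conf</name>
  <value>ssl-server.xml</value>
</property>
<property>
  <name>hadoop.ssl.client.conf</name>
  <value>ssl-client.xml</value>
</property>
```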
Step 3:
Set the following properties (or add them if required) in hdfs-site.xml:
- dfs.http.policy=HTTPS_ONLY
- dfs.client.https.need-auth=false
- dfs.datanode.https.address=0.0.0.0:50475
- dfs.namenode.https-address=NN:50470
- Note: you can also set dfs.http.policy=HTTP_AND_HTTPS
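As an hdfs-site.xml fragment, the same properties look like this (NN is a placeholder for your NameNode hostname, as in the list above):

```xml
<!-- hdfs-site.xml fragment; replace NN with your NameNode hostname -->
<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <name>dfs.client.https.need-auth</name>
  <value>false</value>
</property>
<property>
  <name>dfs.datanode.https.address</name>
  <value>0.0.0.0:50475</value>
</property>
<property>
  <name>dfs.namenode.https-address</name>
  <value>NN:50470</value>
</property>
```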
Step 4:
Update the following configurations under "Advanced ssl-server" (ssl-server.xml):
- ssl.server.truststore.location=/tmp/truststore.jks
- ssl.server.truststore.password=bigdata
- ssl.server.truststore.type=jks
- ssl.server.keystore.location=/tmp/keystore.jks
- ssl.server.keystore.password=bigdata
- ssl.server.keystore.keypassword=bigdata
- ssl.server.keystore.type=jks
Note: create a separate keystore file for each NameNode host, named keystore.jks and placed under /tmp/.
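Written out as the ssl-server.xml fragment Ambari manages under "Advanced ssl-server", the same values are:

```xml
<!-- ssl-server.xml fragment matching the properties above -->
<property>
  <name>ssl.server.truststore.location</name>
  <value>/tmp/truststore.jks</value>
</property>
<property>
  <name>ssl.server.truststore.password</name>
  <value>bigdata</value>
</property>
<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
</property>
<property>
  <name>ssl.server.keystore.location</name>
  <value>/tmp/keystore.jks</value>
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>bigdata</value>
</property>
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>bigdata</value>
</property>
<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
</property>
```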
Step 5:
Update the following configurations under "Advanced ssl-client" (ssl-client.xml):
- ssl.client.truststore.location=/tmp/truststore.jks
- ssl.client.truststore.password=bigdata
- ssl.client.truststore.type=jks
- ssl.client.keystore.location=/tmp/keystore.jks
- ssl.client.keystore.password=bigdata
- ssl.client.keystore.keypassword=bigdata
- ssl.client.keystore.type=jks
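The ssl-client.xml fragment mirrors ssl-server.xml, with the ssl.client prefix; only the truststore half is shown here since the keystore half follows the same pattern:

```xml
<!-- ssl-client.xml fragment (truststore portion) matching the properties above -->
<property>
  <name>ssl.client.truststore.location</name>
  <value>/tmp/truststore.jks</value>
</property>
<property>
  <name>ssl.client.truststore.password</name>
  <value>bigdata</value>
</property>
<property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
</property>
```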
Step 6:
Restart the HDFS service.
Step 7:
Make sure you import the CA root cert into the Ambari server by running "ambari-server setup-security".
Step 8:
You should now be able to access the UI over HTTPS on port 50470.
Note: when HTTPS is enabled for HDFS, the JournalNodes and NameNodes start in HTTPS mode; check the JournalNode and NameNode logs for any errors. Copy the keystore.jks files to all NameNode and JournalNode hosts, and the truststore files to all the HDFS nodes.
More articles:
- To enable HTTPS for MAPREDUCE2 and YARN - https://community.hortonworks.com/articles/52876/enable-https-for-yarn-and-mapreduce2.html
- To enable HTTPS for HBASE - https://community.hortonworks.com/articles/51165/enable-httpsssl-for-hbase-master-ui.html