Overview:

This blog summarizes the IOP 4.2 components that support SSL, along with the configuration necessary to enable SSL for each service. Each service expects an SSL certificate to be installed on the host. Some basic information on SSL certificates is included here.

SSL certificates are used by servers and clients to establish trust between them. There are two ways this SSL authentication works:
1. One-way SSL: the certificate is created only on the server and added to the client's truststore.
2. Two-way SSL (mutual authentication): certificates, keystores and truststores are created on both server and client, and each side's certificate is added to the other's truststore.


SSL certificates can be self-signed, which is adequate for test or development environments, or signed by a CA, either a third-party CA or an internal one.
Steps to create self-signed SSL certificates are as follows:
1. Generate a key pair and a Certificate Signing Request (CSR) using a tool such as openssl or keytool:
openssl req -new -newkey rsa:2048 -nodes -out <node>.csr -keyout <private_key>.key

2. Create the self-signed certificate from the CSR, signing it with the key generated in step 1:
openssl x509 -req -days 365 -in <node>.csr -signkey <private_key>.key -out <node>.crt

3. Import the signed certificate into the keystore and truststore on server and client:
keytool -import -noprompt -alias <node> -file <node>.crt -keystore <Truststore_location> -storepass <Truststore_Password>
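The three steps above scripted end to end, as an added example that is not from the original post. It assumes openssl is installed and runs keytool only when a JDK is on the PATH; the node name, output directory and store password are caller-supplied parameters. It also packs the key and certificate into a PKCS12 file, because importing the certificate alone with keytool gives the server keystore no private key to use.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed certificate for one
# node, a keystore holding key + certificate, and a cert-only truststore.
set -eu

make_node_cert() {          # usage: make_node_cert <node-fqdn> <outdir> <password>
  node="$1"; dir="$2"; pass="$3"
  mkdir -p "$dir"
  # Step 1: key pair + CSR; -subj makes it non-interactive
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$node" \
      -out "$dir/$node.csr" -keyout "$dir/$node.key" 2>/dev/null
  # Step 2: self-sign the CSR with the node's own private key
  openssl x509 -req -days 365 -in "$dir/$node.csr" -signkey "$dir/$node.key" \
      -out "$dir/$node.crt" 2>/dev/null
  # The server keystore must contain the private key, so pack key + cert as PKCS12
  # (add -legacy on OpenSSL 3 if an old JDK cannot read the result)
  openssl pkcs12 -export -name "$node" -inkey "$dir/$node.key" -in "$dir/$node.crt" \
      -out "$dir/$node.p12" -passout "pass:$pass"
  if command -v keytool >/dev/null 2>&1; then
    # Step 3: JKS keystore from the PKCS12, and a truststore with only the cert
    keytool -importkeystore -noprompt -srckeystore "$dir/$node.p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$dir/keystore.jks" -deststorepass "$pass"
    keytool -import -noprompt -alias "$node" -file "$dir/$node.crt" \
        -keystore "$dir/truststore.jks" -storepass "$pass"
  fi
}

# Prints the CN the certificate was issued to (works for old and new subject formats)
cert_cn() {                 # usage: cert_cn <crt-file>
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Returns 0 when the certificate's public key matches the private key next to it
cert_matches_key() {        # usage: cert_matches_key <crt-file> <key-file>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```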

In the case of a CA certificate, step 1 remains the same. The CA (internal or third-party) uses this CSR to generate the signed certificate. Depending on the individual CA, the certificate can then be downloaded and installed in the keystore.


SSL:

By default, SSL is disabled out of the box and can be enabled as needed. In the case of BI-Cloud 4.2, for example, SSL is available for all outward-facing communications such as the Ambari Web UI, HiveServer2, Knox, and value-adds like Big SQL and Big R. If Ambari is used to manage services, the configuration can be changed through the Ambari web UI to enable SSL. The detailed configuration required to enable SSL for each service is included later in this blog. The following table summarizes the SSL support available in IOP 4.2.

Service      Components
Hadoop       WebHDFS; Namenode UI; Namenode-Datanode RPC
Mapreduce    Mapreduce shuffle; JobHistory UI
Yarn         ResourceManager UI; NodeManager UI
HBase        WebHbase; HBase REST API
Hive         HiveServer2
Oozie        Oozie Web UI
Spark        Thriftserver UI
Kafka        Broker-Producer
Knox         Hadoop REST clients; Knox Gateway server
Ranger       Ranger Public REST API; Ranger Admin UI; Ranger UserSync
Ranger KMS   Ranger KMS REST API; Ranger KMS UI
Hadoop KMS   KMS REST API
Ambari       Ambari Web UI; Ambari Server-Agent


Hadoop components:

Hadoop SSL Keystore Management, which simplifies SSL setup for the Hadoop, MapReduce and Yarn services, uses configuration files to enable SSL. ssl-server.xml and ssl-client.xml are used to define common keystore and truststore locations for all nodes, while <service>-site.xml is used to enable SSL. The configuration files need to be copied to all nodes. The SSL certificates, either self-signed or CA signed, need to be installed on each node and imported into the keystore and truststore.

The detailed configuration changes required for setting up SSL on Hadoop components like HDFS, MapReduce and Yarn are as follows:

ssl-server.xml / ssl-client.xml     Description
ssl.server.keystore.type            JKS
ssl.server.keystore.location        Keystore location
ssl.server.keystore.password        Keystore password
ssl.server.truststore.type          JKS
ssl.server.truststore.location      Truststore location
ssl.server.truststore.password      Truststore password


core-site.xml                         Description
hadoop.ssl.require.client.cert        false
hadoop.ssl.hostname.verifier          default
hadoop.ssl.keystores.factory.class    org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory
hadoop.ssl.server.conf                ssl-server.xml
hadoop.ssl.client.conf                ssl-client.xml


hdfs-site.xml                 Description
dfs.http.policy               HTTPS_ONLY
dfs.datanode.https.address    <host>:<port>
hadoop.ssl.server.conf        ssl-server.xml
hadoop.ssl.client.conf        ssl-client.xml


mapred-site.xml                               Description
mapreduce.jobhistory.http.policy              HTTPS_ONLY
mapreduce.jobhistory.webapp.https.address     <host>:<port>


yarn-site.xml                                 Description
yarn.http.policy                              HTTPS_ONLY
yarn.resourcemanager.webapp.https.address     <host>:<port>
yarn.nodemanager.webapp.https.address         <host>:<port>

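An added check, not from the original post, for the ssl-server.xml described above: a small awk helper reads the keystore and truststore entries, the check confirms both store files exist and are of type JKS, and it flags a world-readable file, since ssl-server.xml carries the store passwords in cleartext. It assumes the standard Hadoop <property><name>/<value> layout; the file paths used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Hadoop
# ssl-server.xml before switching the HTTP policy to HTTPS_ONLY.
set -eu

# hadoop_prop <file> <name>: prints the <value> that follows the given <name>
# (name and value may sit on one line or on separate lines)
hadoop_prop() {
  awk -v want="<name>$2</name>" '
    index($0, want) { found = 1 }
    found && match($0, /<value>[^<]*<\/value>/) {
      print substr($0, RSTART + 7, RLENGTH - 15); exit
    }' "$1"
}

# check_ssl_server <ssl-server.xml>: returns 0 when the keystore and truststore
# files exist, both are JKS as the table above expects, and the file holding
# their cleartext passwords is not readable by other users.
check_ssl_server() {
  f="$1"; rc=0
  for side in keystore truststore; do
    loc=$(hadoop_prop "$f" "ssl.server.$side.location")
    type=$(hadoop_prop "$f" "ssl.server.$side.type")
    [ -n "$loc" ] && [ -f "$loc" ] || { echo "missing $side file: '$loc'"; rc=1; }
    [ "$type" = "JKS" ] || { echo "$side type is '$type', expected JKS"; rc=1; }
  done
  # -perm -004: the "other read" bit is set
  if [ -n "$(find "$f" -perm -004)" ]; then
    echo "$f is world readable but contains keystore passwords"; rc=1
  fi
  return $rc
}
```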

Mapreduce shuffle:

To allow encryption during mapreduce shuffle, set the following configuration.

mapred-site.xml        Description
shuffle.ssl.enabled    True

Note: In the case of BI-Cloud 4.2, Java SSL key management is used rather than Hadoop SSL Keystore Management. In that case, ssl-server.xml and ssl-client.xml need not be maintained.

HBase:

HBase uses a Java keystore to manage the certificates. The following table lists the parameters that need to be set to enable SSL.

hbase-site.xml                          Description
hbase.rest.ssl.enabled                  True
hbase.rest.ssl.keystore.store           Keystore location
hbase.rest.ssl.keystore.password        Keystore password
hbase.rest.ssl.keystore.keypassword     Key password

Hive:

HiveServer2 uses a Java keystore to manage the certificates. The following table lists the parameters that need to be set to enable SSL. In addition, a Hive client such as beeline or JDBC must be given the same SSL parameters that are defined in hive-site.xml, in the connection string.

e.g. jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;trustStorePassword=<password>

hive-site.xml                     Description
hive.server2.use.ssl              True
hive.server2.keystore.path        Keystore location
hive.server2.keystore.password    Keystore password

Oozie:

To set up SSL for the Oozie Web UI, add the following environment variables and then run the command: oozie-setup.sh prepare-war -secure

oozie-env.xml                  Description
OOZIE_HTTPS_PORT               <https_port>
OOZIE_HTTPS_KEYSTORE_FILE      Keystore location
OOZIE_HTTPS_KEYSTORE_PASS      Keystore password

Spark:

spark-site.xml                 Description
spark.ssl.enabled              True
spark.ssl.keyStore             Keystore location
spark.ssl.keyStorePassword     Keystore password
spark.ssl.trustStore           Truststore location
spark.ssl.trustStorePassword   Truststore password

Ranger:

Ranger Admin, UserSync and the Ranger plugins support SSL; the configuration is described in the tables below. The External URL needs to be changed to https for accessing the Ranger Admin UI.

ranger-admin-site.xml                        Description
ranger.service.https.attrib.ssl.enabled      True
ranger.https.attrib.keystore.file            Keystore location
ranger.service.https.attrib.keystore.pass    Keystore password
ranger.service.https.port                    Port


ranger-ugsync-site.xml                 Description
ranger.usersync.truststore.file        Truststore location
ranger.usersync.truststore.password    Truststore password


To enable SSL for the Ranger plugins, in addition to making the configuration changes below, add the CN of the keystore certificate as the value of Common Name For Certificate in the service repo on the Ranger PolicyMgr UI.

ranger-<service>-policymgr-ssl.xml                  Description
xasecure.policymgr.clientssl.keystore               Keystore location
xasecure.policymgr.clientssl.keystore.password      Keystore password
xasecure.policymgr.clientssl.truststore             Truststore location
xasecure.policymgr.clientssl.truststore.password    Truststore password

Ranger KMS:

As for the Ranger plugins, add the CN of the keystore certificate as the value of Common Name For Certificate in the service repo on the Ranger PolicyMgr UI.

ranger-kms-site.xml                          Description
ranger.service.https.attrib.ssl.enabled      True
ranger.service.https.attrib.keystore.file    Keystore location
ranger.service.https.attrib.keystore.pass    Keystore password
ranger.service.https.port                    Port
ranger.https.attrib.keystore.file            KMS keystore location

Hadoop KMS:

Set the following properties in /etc/hadoop/kms-env.sh to allow SSL connections to Hadoop KMS.

kms-env.sh                 Description
KMS_SSL_KEYSTORE_FILE      Keystore location
KMS_SSL_KEYSTORE_PASS      Keystore password

Knox:

Knox generates a self-signed certificate and uses the keystore gateway.jks in a default installation. If Knox is used as a proxy server to access the REST APIs and web UIs of other services, the Knox topology files need to point to the correct https addresses. In addition, for the client to trust Knox, the gateway certificate has to be exported from /usr/iop/current/knox-server/data/security/keystores/gateway.jks and imported into the client truststore.

Ambari:

The Ambari Web UI supports SSL and can be set up by running the ambari-server setup-security command. This command has options that define the HTTPS port, the certificate path and the key to be used. You can also set up a truststore with this command, which allows access to Ambari Views. Encryption of data between the Ambari server and agents is enabled in ambari.properties by setting the parameter security.server.two_way_ssl to true.

1 comment on "Overview of SSL support in IOP 4.2"

  1. Hi,
    Can we establish a connection to Hive, or through Knox, using mutual SSL?
    Thanks
