This is the documentation for Cloudera 5.2.x.
Documentation for other versions is available at Cloudera Documentation.

Configuring SSL Encryption for Hadoop Services

This section describes how to configure SSL encryption for CDH services (HDFS, MapReduce, YARN, HBase, Hue and Oozie) using Cloudera Manager.

Prerequisites

  • Cloudera recommends securing a cluster using Kerberos authentication before enabling SSL on a cluster. If you enable SSL for a cluster that does not already have Kerberos authentication configured, a warning will be displayed.
  • The following sections assume that you have created all the certificates required for SSL communication. If you have not, see Creating Certificates for instructions.
  • The certificates and keys to be deployed in your cluster should be organized into the appropriate set of keystores and truststores. For more information, see Creating Java Keystores and Truststores.

Hadoop Services as SSL Servers and Clients

Hadoop services differ in their use of SSL as follows:
  • HDFS, MapReduce, and YARN daemons act as both SSL servers and clients.
  • HBase daemons act as SSL servers only.
  • Oozie daemons act as SSL servers only.
  • Hue acts as an SSL client to all of the above.
Daemons that act as SSL servers load the keystores when starting up. When a client connects to an SSL server daemon, the server transmits the certificate loaded at startup time to the client, which then uses its truststore to validate the server’s certificate.
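
The validation step described above can be reproduced outside the cluster. The following is an added example, not part of the Cloudera documentation: it uses openssl and PEM files as stand-ins for the Java keystore and truststore. The function names, file names and certificate subjects are assumptions made up for the demonstration.

```shell
# Build a throwaway PKI in directory $1. All subjects are constructed examples.
make_demo_pki() {
    d=$1
    # Cluster CA: its certificate is what every SSL client places in its truststore.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Cluster CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key and CA-signed certificate: what an SSL server daemon's
    # keystore holds and loads at startup.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=namenode.example.internal" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAserial "$d/ca.srl" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null || return 1
    # An unrelated CA, standing in for a truststore that lacks the cluster CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
}

# Client-side check: does the truststore ($1) validate the certificate
# the server presents ($2)? Returns 0 if the chain verifies, non-zero otherwise.
truststore_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

After running make_demo_pki on an empty directory, truststore_accepts succeeds with ca.pem and fails with other.pem for the same server.pem. A client whose truststore is missing the issuing CA rejects the daemon's certificate in the same way.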
