This is the documentation for Cloudera 5.5.x. Documentation for other versions is available at Cloudera Documentation.

Configuring TLS/SSL Encryption for CDH Services


  • Cloudera recommends securing a cluster using Kerberos authentication before enabling encryption such as TLS/SSL on a cluster. If you enable TLS/SSL for a cluster that does not already have Kerberos authentication configured, a warning will be displayed.
  • The following sections assume that you have created all the certificates required for TLS/SSL communication. If not, for information on how to do this, see Creating Certificates.
  • The certificates and keys to be deployed in your cluster should be organized into the appropriate set of keystores and truststores. For more information, see Creating Java Keystores and Truststores.
  Note: Cloudera Manager and CDH components support TLS 1.0, TLS 1.1, and TLS 1.2, but not SSL 3.0. References to SSL only continue because of its widespread use in technical jargon.

Hadoop Services as TLS/SSL Servers and Clients

Hadoop services differ in their use of TLS/SSL as follows:
  • HDFS, MapReduce, and YARN daemons act as both TLS/SSL servers and clients.
  • HBase daemons act as TLS/SSL servers only.
  • Oozie daemons act as TLS/SSL servers only.
  • Hue acts as an TLS/SSL client to all of the above.
Daemons that act as TLS/SSL servers load the keystores when starting up. When a client connects to an TLS/SSL server daemon, the server transmits the certificate loaded at startup time to the client, which then uses its truststore to validate the server’s certificate.

Compatible Certificate Formats for Hadoop Components

Component Compatible Certificate Format
HDFS Java Keystore
MapReduce Java Keystore
YARN Java Keystore
Hive (for communication between Hive clients and HiveServer2) Java Keystore
HBase Java Keystore
Impala PEM
Oozie Java Keystore
Page generated November 23, 2015.