Configuring TLS/SSL for HttpFS

Using Cloudera Manager

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

The steps for configuring and enabling TLS/SSL for HttpFS using Cloudera Manager are as follows:
  1. Go to the HDFS service.
  2. Click the Configuration tab.
  3. Select Scope > HttpFS.
  4. Select > Security.
  5. Edit the following TLS/SSL properties according to your cluster configuration:
    HttpFS TLS/SSL Properties

    Property: Use TLS/SSL
    Description: Use TLS/SSL for HttpFS.

    Property: HttpFS Keystore File
    Description: Location of the keystore file used by the HttpFS role for TLS/SSL.
    Default: /var/run/hadoop-httpfs/.keystore. Note that the default location for the keystore file is on non-persistent disk.

    Property: HttpFS Keystore Password
    Description: Password of the keystore used by the HttpFS role for TLS/SSL.
    If the keystore password has a percent sign, it must be escaped. For example, for a password that is pass%word, use pass%%word.

    Property: HttpFS TLS/SSL Certificate Trust Store File
    Description: The location on disk of the truststore, in .jks format, used to confirm the authenticity of TLS/SSL servers that HttpFS might connect to. This is used when HttpFS is the client in a TLS/SSL connection.

    Property: HttpFS TLS/SSL Certificate Trust Store Password
    Description: The password for the HttpFS TLS/SSL Certificate Trust Store File. This password is not required to access the truststore; this field can be left blank.
    If the truststore password has a percent sign, it must be escaped. For example, for a password that is pass%word, use pass%%word.

  6. Click Save Changes.
  7. Restart the HDFS service.
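
A preflight check for the keystore properties in step 5, as an added example that is not part of the original page or of Cloudera's tooling: it escapes percent signs for the password fields and flags a keystore left under /var/run. The function names, the /run prefix and the file-permission check are assumptions added here.

```shell
#!/usr/bin/env bash
# Added example: preflight checks for the HttpFS keystore properties.

# Double every percent sign, as the keystore/truststore password fields
# require (pass%word becomes pass%%word).
escape_percent() {
    printf '%s' "$1" | sed 's/%/%%/g'
}

# True when the path sits under a runtime directory. /var/run is the page's
# default keystore location; /run is included as an assumption because
# /var/run is commonly a symlink to it.
is_nonpersistent_path() {
    case "$1" in
        /var/run/*|/run/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when users other than the owner and group can read or write the file.
# This permission check is an added hardening step, not from the page.
is_world_accessible() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 \) 2>/dev/null)" ]
}

# Print one line per finding; return 0 only when there are none.
keystore_preflight() {
    local path="$1" findings=0
    if [ ! -f "$path" ]; then
        echo "MISSING: $path"
        return 1
    fi
    if is_nonpersistent_path "$path"; then
        echo "NON-PERSISTENT: $path is under a runtime directory"
        findings=1
    fi
    if is_world_accessible "$path"; then
        echo "WORLD-ACCESSIBLE: $path is readable or writable by other users"
        findings=1
    fi
    return "$findings"
}

# Usage: ./httpfs_preflight.sh /path/to/keystore.jks
if [ $# -gt 0 ]; then
    keystore_preflight "$1"
fi
```

Run it against the value you plan to enter for HttpFS Keystore File before saving the configuration; a non-zero exit status means at least one finding was printed.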

Connect to the HttpFS Web UI using TLS/SSL (HTTPS)

Use https://<httpfs_server_hostname>:14000/webhdfs/v1/, though most browsers should automatically redirect you if you use http://<httpfs_server_hostname>:14000/webhdfs/v1/

Using the Command Line

Configure the HttpFS Server to use TLS/SSL (HTTPS)
  1. Stop HttpFS by running:
    sudo /sbin/service hadoop-httpfs stop
  2. To enable TLS/SSL, change which configuration the HttpFS server should work with using the alternatives command.
    For RHEL systems, to use TLS/SSL:
    alternatives --set hadoop-httpfs-tomcat-conf /etc/hadoop-httpfs/tomcat-conf.https
  3. Start HttpFS by running:
    sudo /sbin/service hadoop-httpfs start

Connect to the HttpFS Web UI using TLS/SSL (HTTPS)

Use https://<httpfs_server_hostname>:14000/webhdfs/v1/, though most browsers should automatically redirect you if you use http://<httpfs_server_hostname>:14000/webhdfs/v1/