Configuring TLS/SSL for HBase

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin:
  • Before enabling TLS/SSL, ensure that keystores containing certificates bound to the appropriate domain names are accessible on all hosts on which at least one HBase daemon role is running.
  • Keystores for HBase must be owned by the hbase group, and have permissions 0440 (that is, readable by owner and group).
  • You must specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the HBase service run. Therefore, the paths you choose must be valid on all hosts.
  • Cloudera Manager supports the TLS/SSL configuration for HBase at the service level. The keystore and truststore paths therefore apply to all hosts on which daemon roles of the service run, and must be valid on every one of them.

    An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for HBase daemons on hosts node1.example.com and node2.example.com, you might have chosen to store these certificates in files called hbase-node1.keystore and hbase-node2.keystore (respectively). When deploying these keystores, you must give them both the same name on the target host — for example, hbase.keystore.
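
The prerequisites above can be checked on each host before TLS/SSL is enabled. The following function is an added example, not part of the Cloudera documentation or tooling; it assumes GNU stat (Linux hosts), and the function name check_keystore is hypothetical.

```shell
#!/bin/sh
# Added example, not Cloudera code: check one keystore against the
# prerequisites listed above. Run it on every host that has an HBase role.
# Assumes GNU coreutils stat (Linux hosts).

# check_keystore PATH [GROUP]
# Prints one line per finding; returns 0 only when every check passes.
check_keystore() {
    ks=$1
    want_group=${2:-hbase}   # group required for HBase keystores
    want_mode=440            # 0440: readable by owner and group only
    rc=0

    # The configured path must be absolute, because the same
    # service-wide value is used on every host.
    case $ks in
        /*) ;;
        *)  echo "FAIL: '$ks' is not an absolute path"; rc=1 ;;
    esac

    # The file must exist under this exact name on this host.
    if [ ! -f "$ks" ]; then
        echo "FAIL: $ks not found on $(uname -n)"
        return 1
    fi

    mode=$(stat -c '%a' "$ks")    # octal permission bits, e.g. 440
    group=$(stat -c '%G' "$ks")   # group name of the file

    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL: mode is $mode, expected $want_mode"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $ks (mode $mode, group $group)"
    fi
    return "$rc"
}
```

Call it with the same absolute path that will be entered in Cloudera Manager; a non-zero return on any host means that host is not ready.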

Configuring TLS/SSL for HBase Web UIs

The steps for configuring and enabling TLS/SSL for HBase are similar to those for HDFS, YARN and MapReduce:
  1. Go to the HBase service.
  2. Click the Configuration tab.
  3. Select Scope > HBASE (Service-Wide).
  4. Select Category > Security.
  5. In the Search field, type TLS/SSL to show the HBase TLS/SSL properties.
  6. Edit the following TLS/SSL properties according to your cluster configuration:
    HBase TLS/SSL Properties (Property: Description)
      • HBase TLS/SSL Server JKS Keystore File Location: Path to the keystore file containing the server certificate and private key used for encrypted web UIs.
      • HBase TLS/SSL Server JKS Keystore File Password: Password for the server keystore file used for encrypted web UIs.
      • HBase TLS/SSL Server JKS Keystore Key Password: Password that protects the private key contained in the server keystore used for encrypted web UIs.
  7. Check the Web UI TLS/SSL Encryption Enabled property.
      • Web UI TLS/SSL Encryption Enabled: Enable TLS/SSL encryption for the HBase Master, RegionServer, Thrift Server, and REST Server web UIs.
  8. Click Save Changes to commit the changes.
  9. Restart the HBase service.

Configuring TLS/SSL for HBase REST Server

  1. Go to the HBase service.
  2. Click the Configuration tab.
  3. Select Scope > HBase REST Server.
  4. Select Category > Security.
  5. In the Search field, type TLS/SSL REST to show the HBase REST TLS/SSL properties.
  6. Edit the following TLS/SSL properties according to your cluster configuration:
    HBase REST Server TLS/SSL Properties (Property: Description)
      • Enable TLS/SSL for HBase REST Server: Encrypt communication between clients and HBase REST Server using Transport Layer Security (TLS).
      • HBase REST Server TLS/SSL Server JKS Keystore File Location: The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when HBase REST Server is acting as a TLS/SSL server. The keystore must be in JKS format.
      • HBase REST Server TLS/SSL Server JKS Keystore File Password: The password for the HBase REST Server JKS keystore file.
      • HBase REST Server TLS/SSL Server JKS Keystore Key Password: The password that protects the private key contained in the JKS keystore used when HBase REST Server is acting as a TLS/SSL server.
  7. Click Save Changes to commit the changes.
  8. Restart the HBase service.

Configuring TLS/SSL for HBase Thrift Server

  1. Go to the HBase service.
  2. Click the Configuration tab.
  3. Select Scope > HBase Thrift Server.
  4. Select Category > Security.
  5. In the Search field, type TLS/SSL Thrift to show the HBase Thrift TLS/SSL properties.
  6. Edit the following TLS/SSL properties according to your cluster configuration:
    HBase Thrift Server TLS/SSL Properties (Property: Description)
      • Enable TLS/SSL for HBase Thrift Server over HTTP: Encrypt communication between clients and HBase Thrift Server over HTTP using Transport Layer Security (TLS).
      • HBase Thrift Server over HTTP TLS/SSL Server JKS Keystore File Location: The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when HBase Thrift Server over HTTP is acting as a TLS/SSL server. The keystore must be in JKS format.
      • HBase Thrift Server over HTTP TLS/SSL Server JKS Keystore File Password: The password for the HBase Thrift Server JKS keystore file.
      • HBase Thrift Server over HTTP TLS/SSL Server JKS Keystore Key Password: The password that protects the private key contained in the JKS keystore used when HBase Thrift Server over HTTP is acting as a TLS/SSL server.
  7. Click Save Changes to commit the changes.
  8. Restart the HBase service.