Configuring TLS/SSL for Flume Thrift Source and Sink

This topic describes how to enable TLS/SSL communication between Flume's Thrift source and sink.

The following tables list the properties that must be configured to enable TLS/SSL communication between Flume's Thrift source and sink instances.

Thrift Source TLS/SSL Properties
Property Description
ssl Set to true to enable TLS/SSL encryption.
keystore Path to a Java keystore file. Required for TLS/SSL.
keystore-password Password for the Java keystore. Required for TLS/SSL.
keystore-type The type of the Java keystore. This can be JKS or PKCS12.
Thrift Sink TLS/SSL Properties
Property Description
ssl Set to true to enable TLS/SSL for this ThriftSink.

When configuring TLS/SSL, you can optionally set the following truststore, truststore-password and truststore-type properties. If a custom truststore is not specified, Flume will use the default Java JSSE truststore (typically jssecacerts or cacerts in the Oracle JRE) to verify the remote Thrift Source's TLS/SSL credentials.

truststore (Optional) The path to a custom Java truststore file.
truststore-password (Optional) The password for the specified truststore.
truststore-type (Optional) The type of the Java truststore. This can be JKS or any other supported Java truststore type.
Make sure you are configuring TLS/SSL for each Thrift source and sink instance. For example, to the existing flume.conf file, for agent a1, source r1, and sink k1, you would add the following properties:
# TLS/SSL properties for Thrift source s1 
a1.sources.r1.ssl=true
a1.sources.r1.keystore=<path/to/keystore>
a1.sources.r1.keystore-password=<keystore password>
a1.sources.r1.keystore-type=<keystore type>

# TLS/SSL properties for Thrift sink k1 
a1.sinks.k1.ssl=true
a1.sinks.k1.truststore=<path/to/truststore>
a1.sinks.k1.truststore-password=<truststore password>
a1.sinks.k1.truststore-type=<truststore type>

Configure these sets of properties for more instances of the Thrift source and sink as required. You can use either Cloudera Manager or the command line to edit the flume.conf file.

Using Cloudera Manager

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

  1. Open the Cloudera Manager Admin Console and go to the Flume service.
  2. Click the Configuration tab.
  3. Select Scope > Agent.
  4. Select Category > Main.
  5. Edit the Configuration File property and add the Thrift source and sink properties for each Thrift source and sink instance as described above to the configuration file.
  6. Enter a Reason for change, and then click Save Changes to commit the changes.
  7. Restart the Flume service.