Posts: 6
Registered: ‎01-23-2017

Enable SSL TLS for WebHdfs

[ Edited ]



I'm trying to enable SSL/TLS for WebHDFS.

The cluster is a test, it's not kerberized and we don't need https for any other service so it's not enabled. CDH is 5.12.1


I went through this guide

and this:

Example 3. I'm using the guide for 5.9 because the one for 5.12 only has examples for certificates signed by a CA and I don't want to go through that process for a test cluster.


I created the the keystore and truststores:

- a jks keystore for each of the hosts (both NNs and all DNs, except an edge node) in the same location /opt/security/hadoop/cacert

- the keystore contains one privatekeyentry, alias is FQDN (so alias is different for each host) same password as keystore

- keystore owner is httpfs user

- keystore group is hadoop

- permisions are 0440

- the same truststore copied on all hosts in the same location /opt/security/hadoop/hdfs-truststore

- the truststore contains a self signed certificate (alias ca_certif)

- truststore contains the certificate of each host signed using the ca_certif (alias FQDN)

- truststore owner and group are the same as keystores, permissions are 0666


I checked the passwords in CM for truststore and keystore and they are ok 

After restarting the hdfs service, checking with my browser, the https version of webhdfs cannot be reached.

Same URL, http works ok.

What am I'm missing or doing wrong?


Thank you 

Posts: 1,608
Kudos: 302
Solutions: 245
Registered: ‎07-31-2013

Re: Enable SSL TLS for WebHdfs

HTTPFS instructions apply only for the HTTPFS role.

To recap, WebHDFS is a REST specification. NameNode and DataNode Web Servers serve this REST spec, as does a HTTPFS standalone daemon.

Which one are you looking to protect with TLS - the NameNode/DataNode Web ports, or a standalone HTTPFS server?

If the former, follow just after preparing and deploying your keystore/truststore to all nodes.