Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Configuring AWS load balancer for Kerberized & SSL enabled Impala

Highlighted

Configuring AWS load balancer for Kerberized & SSL enabled Impala

Hi Community,

I'm working on adding load balancer in front of my Impala deamons. 

I will be using AWS ELB

As this is my first time I have few queries that are bothering me:

  1. When I create ELB which SSL certificate should I provide, the root CA certificate or the ones that cloudera manager creates while configuring AUTO_TLS, for example cm-auto-global_cacerts.pem? (My Cluster is already kerberized and TLS/SSL is enabled)
  2. Once the ELB is created, I will have to add the information to Impala service setting in CM and regenerate the Kerberos Credential. Will I be able to revert if something goes wrong in the process? I mean, if I remove the added configuration from Impala service setting in CM and restart, will it safely go back to working as before?

 

Thank you in advance.

3 REPLIES 3

Re: Configuring AWS load balancer for Kerberized & SSL enabled Impala

Guru
@SnehasishRSC ,

For 1. , what encryption method do you use to set LB for Impala?
https://www.cloudera.com/documentation/enterprise/5-14-x/topics/impala_proxy.html#concept_u3z_dwp_sg...

And are you using self-signed or CA signed certificate for your current TLS/SSL setup?

For 2. , yes you just need to remove the LB configuration for Impala in CM and then restart services, it should be back to previous configured state.

Cheers
Eric

Re: Configuring AWS load balancer for Kerberized & SSL enabled Impala

Hi @EricL,

 

Thank you for your reply.

We use Client/Server SSL encryption method with a CA signed certificate.

 

Best,

Snehasish

Re: Configuring AWS load balancer for Kerberized & SSL enabled Impala

Guru
Hi Snehasish,

For internal CA signed certificates, I would think you only need Root CA certificate to be installed on the client side, after you have your intermediate certificates imported into server side key store file.

Cheers
Eric