Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Configuring AWS load balancer for Kerberized & SSL enabled Impala

Highlighted

Configuring AWS load balancer for Kerberized & SSL enabled Impala

Hi Community,

I'm working on adding load balancer in front of my Impala deamons. 

I will be using AWS ELB

As this is my first time I have few queries that are bothering me:

  1. When I create ELB which SSL certificate should I provide, the root CA certificate or the ones that cloudera manager creates while configuring AUTO_TLS, for example cm-auto-global_cacerts.pem? (My Cluster is already kerberized and TLS/SSL is enabled)
  2. Once the ELB is created, I will have to add the information to Impala service setting in CM and regenerate the Kerberos Credential. Will I be able to revert if something goes wrong in the process? I mean, if I remove the added configuration from Impala service setting in CM and restart, will it safely go back to working as before?

 

Thank you in advance.

3 REPLIES 3

Re: Configuring AWS load balancer for Kerberized & SSL enabled Impala

Guru
@SnehasishRSC ,

For 1. , what encryption method do you use to set LB for Impala?
https://www.cloudera.com/documentation/enterprise/5-14-x/topics/impala_proxy.html#concept_u3z_dwp_sg...

And are you using self-signed or CA signed certificate for your current TLS/SSL setup?

For 2. , yes you just need to remove the LB configuration for Impala in CM and then restart services, it should be back to previous configured state.

Cheers
Eric
Highlighted

Re: Configuring AWS load balancer for Kerberized & SSL enabled Impala

Hi @EricL,

 

Thank you for your reply.

We use Client/Server SSL encryption method with a CA signed certificate.

 

Best,

Snehasish

Highlighted

Re: Configuring AWS load balancer for Kerberized & SSL enabled Impala

Guru
Hi Snehasish,

For internal CA signed certificates, I would think you only need Root CA certificate to be installed on the client side, after you have your intermediate certificates imported into server side key store file.

Cheers
Eric
Don't have an account?
Coming from Hortonworks? Activate your account here