I'm trying to enable SSL/TLS for WebHDFS.
The cluster is a test, it's not kerberized and we don't need https for any other service so it's not enabled. CDH is 5.12.1
I went through this guide
Example 3. I'm using the guide for 5.9 because the one for 5.12 only has examples for certificates signed by a CA and I don't want to go through that process for a test cluster.
I created the the keystore and truststores:
- a jks keystore for each of the hosts (both NNs and all DNs, except an edge node) in the same location /opt/security/hadoop/cacert
- the keystore contains one privatekeyentry, alias is FQDN (so alias is different for each host) same password as keystore
- keystore owner is httpfs user
- keystore group is hadoop
- permisions are 0440
- the same truststore copied on all hosts in the same location /opt/security/hadoop/hdfs-truststore
- the truststore contains a self signed certificate (alias ca_certif)
- truststore contains the certificate of each host signed using the ca_certif (alias FQDN)
- truststore owner and group are the same as keystores, permissions are 0666
I checked the passwords in CM for truststore and keystore and they are ok
After restarting the hdfs service, checking with my browser, the https version of webhdfs cannot be reached.
Same URL, http works ok.
What am I'm missing or doing wrong?