
Impala + SSL behind loadbalancer - certificate CN?


New Contributor

If I want to put an SSL-enabled Impala behind a load balancer, should I use one certificate with CN=loadbalancer.example.com that I install on all Impala hosts, or one certificate per host with a subjectAltName, or some other variant?

https://issues.cloudera.org/browse/IMPALA-3159 claims impala-shell doesn't work with wildcard certs, so I guess that's not really an option.

Thanks,

\EF


Re: Impala + SSL behind loadbalancer - certificate CN?

Master Guru
Until IMPALA-3159 arrives to cover the Python-based shell [1], the best bet is to use the same (LB) certificate across all hosts instead of SAN extensions.

[1] - Done via https://gerrit.cloudera.org/#/c/2907/

Re: Impala + SSL behind loadbalancer - certificate CN?

Cloudera Employee

Just FYI, IMPALA-3159 is in now. So this should work on the latest clone of Impala. Alternatively, you could cherry-pick only this patch and run it without rebuilding (as it's a Python-only change).

https://github.com/apache/incubator-impala/commit/45ff0f9e674f54b35afb2b5eced0d6ec346890d6

https://gerrit.cloudera.org/#/c/3765/
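
The certificate options weighed in this thread can be compared with a small hostname-matching check. This is an added example, not code from the thread or from Impala: the backend host name, the certificate dicts and the `cn_exact` mode (an assumed model of a client without SAN or wildcard support) are constructed for illustration.

```python
# Added example: names and certificate dicts below are constructed for illustration.
LB = "loadbalancer.example.com"
HOST = "impalad1.example.com"  # hypothetical backend host name

# Certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
CERTS = {
    "shared LB cert (CN only)": {
        "subject": ((("commonName", LB),),),
    },
    "per-host cert with SANs": {
        "subject": ((("commonName", HOST),),),
        "subjectAltName": (("DNS", HOST), ("DNS", LB)),
    },
    "wildcard cert": {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
    },
}

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def accepts(cert, hostname, mode):
    """mode='cn_exact': compare the CN literally (assumed: no SAN, no wildcard support).
    mode='san_aware': use DNS SANs when present, else fall back to the CN."""
    if mode == "cn_exact":
        return hostname.lower() in (cn.lower() for cn in common_names(cert))
    names = dns_sans(cert) or common_names(cert)
    return any(name_matches(n, hostname) for n in names)

def report():
    """Map (certificate, client mode) -> whether connecting via LB / HOST verifies."""
    return {(label, mode): (accepts(cert, LB, mode), accepts(cert, HOST, mode))
            for label, cert in CERTS.items() for mode in ("cn_exact", "san_aware")}

if __name__ == "__main__":
    for (label, mode), (via_lb, direct) in report().items():
        print(f"{label:26} {mode:10} via LB: {via_lb!s:5} direct to host: {direct}")
```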