Support Questions
Find answers, ask questions, and share your expertise

SSL configuration for HDP components

Hi to all!

I'm configuring a little HDP cluster composed by an edge node in a front end DMZ a master node and two slave nodes in a back end secure network; all the configuration is managed via an Ambari Server installed on the edge node in the front end DMZ.

Security policies block all http connection even among trusted server so I have to secure on ssl and https all comunications among server and services.

I'm following documentation and some community resources, but I have some doubts.

1) Here docs say

Secondary NameNode is not supported with the HTTPS port. It can only be accessed via http://<SNN>:50090

and for me that is a problem because I can't ask to open the port between front end node (Ambari Server) and back end node (Secondary NameNode) on http protocol so my Ambari server can't start the service. I don't need to have a secondary name node because I have a NameNode server full back up available and I would to disable the secondary name node. My question; it is possibile from Ambari Server (or editing config file on file system) to disable the secondary name node server?

2) I'm starting to configure SSL and https comunications for the services I need to start on my cluster.

Here docs says

From the service user account associated with the component (such as hive, hbase, oozie, or hdfs, shown below as<service_user>), generate the host key

su -l <service_user> -C "keytool -keystore <client-keystore> -genkey -alias <host>"

what I understood is that I need to obtain a certificate for every service on every master node and to install and configure it in the Hadoop SSL Keystore Factory. Here are my questions...

- Do I need to install and configure certificates just on service server? e.g for hdfs service do I need to configure certificates just on the node where NameNode service runs on?

- Can I use a host certificate (independent from the service) if more than a service run on the same host? e.g. NameNode and ResourceManager run on the same host

I'm sorry for post length, but it's my first time configuring a cluster in secure environment.

Thanks in advance for the help!


Re: SSL configuration for HDP components

I replied to my first question.

I disabled Secondary NameNode deleting the component via API

curl -u admin:admin -H "X-Requested-By: ambari" -X DELETE https://<ambari_server_host>:8443/api/v1/clusters/<cluster_name>/hosts/<secondary_nn_host>/host_comp...

before calling the API it is mandatory to stop ambari agent on the host