Hi @naveen sangam -- SSL config is tricky at first. Here are some pointers that will hopefully get you on the path:
The keytool -genkey command above is creating a self-signed certificate. Another option is to follow your company's process to create a company signed certificate, usually thru your IT department, but that can take time. Self signed are good for non-prod environment, but I recommend company signed SSL cert for prod environments.
Once you have a valid certificate, it must be installed on the server. That's the Hive configuration steps you listed above, but I think you have a mistake. Hive should path to a keystore file (not a truststore) like "hiveserver2.jks". You can use the "keytool -import" command to create the keystore file if needed.
Think of it this way: a server secures communication using a certificate that's saved in a keystore. The client trusts that certificate using what is saved in the client's truststore. Keystore = SSL server, truststore = SSL client. In our case this will be Hiveserver 2 (server / keystore) and beeline (client / truststore).
Please note: the files are all considered "jks" or "java keystore" files, but they have different uses and different entries contained within. So there are keystore files that are used as keystores, and there are keystore files used as truststores. Whoever named all this should be taken out back and shot.
To check if your keystore is properly setup, run the command "keytool -list -v -keystore <keystore-filename.jks>" and enter password. Look for an entry for your certificate, and the entry type should read "PrivateKeyEntry" with valid expiration date.
Now the Hive client (like beeline) must trust that server certificate. You will need to import the self-signed certificate, or your company's CA certificate (depending on your certificate type) into a truststore, like "cacerts".
To check if your truststore is properly setup, run the command "keytool -list -v -keystore <truststore-filename.jks>" and enter password. Look for an entry for your certificate, and the entry type should read "TrustedCertEntry" with valid expiration date.
Java has a default truststore file that it uses, called "cacerts", and this is located within your java installation directory. You can generally sniff it out by running "locate cacerts". If you import into this location, beeline should find the CA trusted cert entry with no problem. I believe the default location is /etc/pki/java/cacerts, and default password is "changeit".
However, you can also create another truststore file and save it anywhere your beeline user can read the file. Since this isn't the truststore that's built into java, you have to tell beeline where this file lives by adding the path and password to the truststore to your connection string:
jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;trustStorePassword=<password>
Keytool is your best friend through all of this, so get familiar with it. Here is a link to some of the most common keytool commands: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html Hope this helps -- Eddie
... View more
