Cloudera Enterprise 6.0 Beta | Other versions

Configuring TLS/SSL for Oozie

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • Keystores for Oozie must be readable by the oozie user. This can be a copy of the Hadoop services' keystore with permissions set to 0440 and owned by the oozie group.
  • Truststores must have permissions set to 0444, which means that all users can read them.
  • Specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the Oozie service run so the paths you choose must be valid on all hosts.
  • If there is a DataNode and an Oozie server running on the same host, they can use the same certificate.
For more information on obtaining signed certificates and creating keystores, see Data in Transit Encryption (TLS/SSL). You can also view the upstream documentation located here.
  Important:
  • This configuration process can be completed using either Cloudera Manager or the command-line instructions.
  • This information applies specifically to CDH 6.0 Beta 1. If you are using a different version of CDH, see the documentation for that version located here.

Using Cloudera Manager

The steps for configuring and enabling Hadoop TLS/SSL for Oozie are as follows:
  1. Open the Cloudera Manager Admin Console and go to the Oozie service.
  2. Click the Configuration tab.
  3. In the Search field, type TLS/SSL to show the Oozie TLS/SSL properties.
  4. Edit the following TLS/SSL properties according to your cluster configuration.
    Table 1. Oozie TLS/SSL Properties
    Property Description
    Enable TLS/SSL for Oozie Check this field to enable TLS/SSL for Oozie.
    Oozie TLS/SSL Server JKS Keystore File Location Location of the keystore file on the local file system.
    Oozie TLS/SSL Server JKS Keystore File Password Password for the keystore.
  5. Click Save Changes.
  6. Restart the Oozie service.

Using the Command Line

To configure the Oozie server to use TLS/SSL:
  1. Stop Oozie by running 
    sudo /sbin/service oozie stop

  2. To enable TLS/SSL, set the following properties in the oozie-site.xml configuration file:

    Property Name Valid Values Description
    oozie.https.enabled true | false Controls whether SSL encryption is enabled.
    oozie.https.keystore.file

    Absolute path to the keystore file.

    For example:

    /etc/cdep-ssl-conf/CA_STANDARD/oozie-keystore.jks
    		Directory location of your keystore file that is generated from your certificate using the Java keytool program. See Oracle documentation.
    oozie.https.keystore.pass keystore_password Password created for the keystore file when you generated it.
    oozie.https.truststore.file

    Absolute path to the truststore file.

    For example:

    /etc/cdep-ssl-conf/CA_STANDARD/truststore.jks
    		Directory location of your truststore file that is generated with the keytool program. Truststore files are only used with self-signed certificates.
    oozie.https.truststore.pass truststore_password Password created for the truststore file when you generated it. Truststore files are only used with self-signed certificates.

    For example, if you are using a self-signed certificate, set these properties as follows in the oozie-site.xml:

    <property>
     <name>oozie.https.enabled</name>
     <value>true</value>
     <description>Controls whether SSL encryption is enabled.
     </description>
</property>
<property>
     <name>oozie.https.keystore.file</name>
     <value>/etc/cdep-ssl-conf/CA_STANDARD/oozie-keystore.jks</value>
     <description>Path to the keystore file.</description>
</property>
<property>
     <name>oozie.https.keystore.pass</name>
     <value>sample_password_do_not_use</value>
     <description>Password for keystore file.</description>
</property>
<property>
     <name>oozie.https.truststore.file</name>
     <value>/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks</value>
     <description>Path to the truststore file.</description>
</property>
<property>
     <name>oozie.https.truststore.pass</name>
     <value>sample_password_do_not_use</value>
     <description>Password for truststore file.</description>
</property>
  3. Start Oozie by running the following command: 
    sudo /sbin/service oozie start

Connect to the Oozie Web UI Using TLS/SSL (HTTPS)

Use https://oozie.server.hostname:11443/oozie in the address bar of your browser. However, most browsers automatically redirect you if you use http://oozie.server.hostname:11000/oozie.

Connect to the Oozie Server with the Oozie Client Using TLS/SSL (HTTPS)

When connecting to the Oozie server with the Oozie client over TLS/SSL, Java does not redirect from HTTP to HTTPS, so you must use the HTTPS address (https://oozie.server.hostname:11443/oozie). If you are using a self-signed certificate, you must make it available to the Oozie client by doing the following:

  • Install the self-signed certificate (truststore) on the client host.

  • If you are using a Java- based program, pass -Djavax.net.ssl.trustStore to the JVM. To do this for the Oozie client, run the following command in a terminal window:

    $ export OOZIE_CLIENT_OPTS='-Djavax.net.ssl.trustStore=/path/to/oozie.truststore'

See the upstream documentation here for details.

Additional Considerations when Configuring TLS/SSL for Oozie HA

To enable clients to connect to Oozie servers (the target servers) through the load balancer using TLS/SSL, configure the load balancer for TLS/SSL pass-through. This means that the load balancer does not perform encryption or decryption but instead passes traffic from clients and servers to the appropriate target host. See the documentation for your load balancer for details.

Page generated March 7, 2018.