Enabling SSL Security for HttpFS

You can enable SSL security for HttpFS using an ssl_keystore and ssl_truststore. These are generated automatically for a secure cluster in /opt/mapr/conf/. When using SSL on nonsecure clusters, you must manually generate a keystore and truststore.

About this task

To enable SSL security for HttpFS with credential provider, use the following steps:

Procedure

  1. Enable SSL in etc/hadoop/httpfs-site.xml configuration file:
    <property>
        <name>httpfs.ssl.enabled</name>
        <value>true</value>
        <description>
          Whether SSL is enabled. Default is false, i.e. disabled.
        </description>
      </property>
    
  2. Use the credential provider to create secure SSL passwords:
    hadoop credential create ssl.server.keystore.password -value 123 \
      -provider localjceks://file/home/mapr/httpfs.jceks
    
    hadoop credential create ssl.server.keystore.keypassword -value 123 \
      -provider localjceks://file/home/mapr/httpfs_keypassword.jceks
    
  3. Run the Java keytool command to create an SSL certificate for the HttpFS server:
    keytool -genkey -alias jetty -keyalg RSA
    You will be prompted to answer a series of questions to create a keystore file named .keystore.
    • You must enter the same password for “keystore password” as the value of the property ssl.server.keystore.password set while creating secure SSL passwords.
    • You must answer “What is your first and last name?” (i.e. “CN”) with the host name of the machine where the HttpFS Server will be running.

    The .keystore file will be stored in the HttpFS user home directory.

  4. Configure the etc/hadoop/ssl-server.xml file to set the SSL keystore location:
    <property>
        <name>ssl.server.keystore.location</name>
        <value>/home/mapr/.keystore</value>
        <description>Keystore to be used. Must be specified.
        </description>
    </property>
    
  5. Configure the /opt/mapr/hadoop/hadoop-3.3.4/etc/hadoop/httpfs-site.xml file with the following property to set credential provider path and enable the credential provider:
    <property>
      <name>hadoop.security.credential.provider.path</name>
      <value>localjceks://file/home/lmccay/aws.jceks</value>
      <description>Path to interrogate for protected credentials.</description>
    </property>
    
  6. Restart the HttpFS server:
    maprcli node services -action restart -name httpfs -nodes <node>