Configuring SSL/TLS

You enable SSL in <DRILL_INSTALL_HOME>/conf/drill-override.conf. You can use several configuration options to customize SSL/TLS.

You must restart the Drillbit process on each node after you modify the configuration options, as shown:

$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>

The following sections describe how to enable and configure SSL:

Enabling SSL

If SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill servers using SSL. You enable SSL in the Drill startup configuration file, drill-override.conf, located in /opt/mapr/drill/drill-<version>/conf.

To enable SSL for Drill, set the drill.exec.security.user.encryption.ssl.enabled option in drill-override.conf to "true."

Configuring SSL

You can customize SSL on a Drillbit through the SSL configuration options. You can set the options from the command line (using Java system properties) in the drill-override.conf file or in the property file to which the Hadoop parameter hadoop.ssl.server.conf points (recommended).

NOTE

Specifying values in drill-override.conf can expose the security parameters to end users. Administrators should set these values in the Hadoop security file and restrict permissions on that file.

If a parameter is specified in multiple places, the value in the Hadoop configuration takes precedence over the Drill configuration, which takes precedence over the system property.

The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the Hadoop core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names to configure SSL. Both the core-site.xml file and the ssl-server.xml file must exist in the Drill classpath. The Drill SSL configuration picks up the Hadoop SSL configuration.

NOTE

Since the Drillbit implementation is based on JSSE, several standard parameters that apply to JSSE also apply to the Drillbit. However, you typically do not need to configure JSSE parameters.

Following are the SSL configuration options with their descriptions and default values.

drill.exec.security.user.encryption.ssl.enabled: Hadoop Property Name: N/A; System Property Name: N/A; Description: Enable or disable TLS for Drill client - Drill Server communication. You must set this option in drill-override.conf.; Allowed Values: true or false; Drill Default: false
drill.exec.ssl.protocol: Hadoop Property Name: N/A; System Property Name: N/A; Description: The version of the TLS protocol to use.; Allowed Values: TLS, TLSV1, TLSv1.1, TLSv1.2, TLSv1.3; Drill Default: TLSv1.3 (recommended)
drill.exec.ssl.keyStoreType: Hadoop Property Name: ssl.server.keystore.type; System Property Name: javax.net.ssl.keyStoreType; Description: Format of the keystore file; Allowed Values: jks, jceks, pkcs12; Drill Default: jks
drill.exec.ssl.keyStorePath: Hadoop Property Name: ssl.server.keystore.location; System Property Name: javax.net.ssl.keyStore; Description: Location of the Java keystore file containing the Drillbit’s own certificate and private key. On Windows, the specified pathname must use forward slashes,/, in place of backslashes.; Allowed Values: Not Applicable; Drill Default: Not Applicable
drill.exec.ssl.keyStorePassword: Hadoop Property Name: ssl.server.keystore.password; System Property Name: javax.net.ssl.keyStorePassword; Description: Password to access the private key from the keystore file. This password is used twice: To unlock the keystore file (store password), and to decrypt the private key stored in the keystore (key password) unless a key password is specified separately.; Allowed Values: Not Applicable; Drill Default: Not Applicable
drill.exec.ssl.keyPassword: Hadoop Property Name: ssl.server.keystore.keypassword; System Property Name: Not Applicable; Description: Password to access the private key from the keystore file. May be different from the keystore password.; Allowed Values: Not Applicable; Drill Default: Not Applicable
drill.exec.ssl.trustStoreType: Hadoop Property Name: ssl.server.truststore.type; System Property Name: javax.net.ssl.trustStoreType; Description: Format of the truststore file; Allowed Values: jks, jceks, pkcs12; Drill Default: jks
drill.exec.ssl.trustStorePath: Hadoop Property Name: ssl.server.truststore.location; System Property Name: javax.net.ssl.trustStore; Description: Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
NOTE
If the trustStorePath is not provided, Drill ignores the trustStorePassword parameter and gets the default Java truststore instead. This operation causes issues if the Java truststore has a non-default password. The Java APIs used to load the default keystore assume the default password. The only way to use the default keystore with a non-default password is to specify both the path and the password to the keystore. To work around this issue, pass the default Java truststore to the trustStorePath parameter.; Allowed Values: Not Applicable; Drill Default: Not Applicable
drill.exec.ssl.trustStorePassword: Hadoop Property Name: ssl.server.truststore.password; System Property Name: javax.net.ssl.trustStorePassword; Description: Password to access the private key from the keystore file specified as the truststore.; Allowed Values: Not Applicable; Drill Default: Not Applicable
drill.exec.ssl.provider: Hadoop Property Name: Not Applicable; System Property Name: Not Applicable; Description: Changes the underlying implementation to the chosen value.; Allowed Values: OpenSSL or JDK; Drill Default: JDK
drill.exec.ssl.useHadoopConfig: Hadoop Property Name: Not Applicable; System Property Name: Not Applicable; Description: Use the setting in the Hadoop configuration file.
The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml which contains the property names to configure TLS.; Allowed Values: true or false; Drill Default: true

Configuring SSL on Drill on Yarn (DOY)

Starting with EEP 8.1.0, you can enable SSL on Drill on Yarn through SSL configuration options. In the drill-on-yarn.conf file, add the drill.yarn.http.ssl-enabled parameter. See Drill-on-YARN Limitations for additional information on related limitations.

drill.yarn.http.ssl-enabled: Hadoop Property Name: Not Applicable; System Property Name: Not Applicable; Description: Use the setting in the Hadoop configuration file with the required drill.yarn.ssl.useHadoopConfig parameter.; Allowed Values: true or false; Drill Default: false

drill.yarn.ssl.useHadoopConfig: Hadoop Property Name: Not Applicable; System Property Name: Not Applicable; Description: Use this setting in the Hadoop configuration file.
The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml which contains the property names for configuring the TLS.; Allowed Values: true or false; Drill Default: false

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0