Enabling SSL Encryption Between Hue and HttpFS

As of HttpFS 1.0-1504 and Hue 3.7-1505, you can enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure MapR cluster that is version 4.0.2 or greater.Complete the following steps to enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure cluster:

  1. Start Hue:
    maprcli node services -name hue -action start -nodes <node name>

    When you start or restart Hue on a secure cluster, the secure.sh script ($HUE_HOME/bin/secure.sh) generates the following files in $HUE_HOME:

    • hue_private_keystore.pem
    • keystore.pem
    • keystore.p12
    • cert.pem

    The secure.sh script runs with a set of default parameters, which should not be changed. If generated keystore files already exist in that location, the script does not regenerate the files.

  2. Add the following configuration in the hue.ini file under the [[hdfs_clusters]] [[[default]]] section:
    • Set security_enabled=True
    • Set ssl=True
    • Set ssl_cert=$HUE_HOME/cert.pem
    • Set ssl_key=$HUE_HOME/hue_private_keystore.pem
    • Set ca_verify=False

    The changes are summarized in the following example hue.ini file, which you can use as a template:

    [[hdfs_clusters]]
    # HA support by using HttpFs
      [[[default]]]
         ....
          # Change this if your HDFS cluster is Kerberos-secured
          security_enabled=True
     
          # SSL certificate based authentication
           ssl=True
           ssl_cert=$HUE_HOME/cert.pem
           ssl_key=$HUE_HOME/hue_private_keystore.pem
     
          # If certificate verified against certificate authority
          ca_verify=False
  3. Configure HttpFS to use SSL or verify that HttpFS is configured to use SSL. For details, see SSL Security for HttpFS.
  4. Restart Hue.
    maprcli node services -name hue -action start -nodes <ip_address>
  5. To test that SSL encryption is enabled for HttpFS, run the following command:
    curl ­k ­­cert /opt/mapr/hue/hue­3.7.0/cert.pem ­­key /opt/mapr/hue/hue­-3.7.0/hue_private_keystore.pem "https://localhost:14000/webhdfs/v1?op=GETFILESTATUS&user.name=mapr"