Configuring SSL/TLS

Enable SSL in <DRILL_INSTALL_HOME>/conf/drill-override.conf. You can use several configuration options to customize SSL/TLS.

You must restart the Drillbit process on each node after you modify the configuration options, as shown:

$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>

The following sections provide information and instructions for enabling and configuring SSL:

Enabling SSL

When SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill servers using SSL. Enable SSL in the Drill startup configuration file, drill-override.conf, located in /opt/mapr/drill/drill-<version>/conf.

To enable SSL for Drill, set the drill.exec.security.user.encryption.ssl.enabledoption in drill-override.conf to "true."

Configuring SSL

You can customize SSL on a Drillbit through the SSL configuration options. You can set the options from the command-line (using Java system properties), in the drill-override.conf file, or in the property file to which the Hadoop parameter

hadoop.ssl.server.conf
          points

(recommended).

Note: Specifying values in drill-override.conf can expose the security parameters to end users. Administrators should set these values in the Hadoop security file and restrict permissions on that file.

If a parameter is specified in multiple places, the value in the Hadoop configuration takes precedence over the Drill configuration, which takes precedence over the system property.

The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the Hadoop core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names to configure SSL. Both the core-site.xml file and the ssl-server.xml file must exist in Drill’s classpath. Drill’s SSL configuration picks up the Hadoop SSL configuration.

Note: Since the Drillbit implementation is based on JSSE, several standard parameters that apply to JSSE will also apply to the Drillbit, however you typically do not need to configure JSSE parameters.

The following table lists the SSL configuration options with their descriptions and default values:

Drill Property Name	Hadoop Property Name	System Property Name	Description	Allowed Values	Drill Default
drill.exec.security.user.encryption.ssl.enabled			Enable or disable TLS for Drill client - Drill Server communication. You must set this option in drill-override.conf.	true,false	false
drill.exec.ssl.protocol			The version of the TLS protocol to use	TLS, TLSV1, TLSv1.1, TLSv1.2	TLSv1.2 (recommended)
drill.exec.ssl.keyStoreType	ssl.server.keystore.type	javax.net.ssl.keyStoreType	Format of the keystore file	jks, jceks, pkcs12	JKS
drill.exec.ssl.keyStorePath	ssl.server.keystore.location	javax.net.ssl.keyStore	Location of the Java keystore file containing the Drillbit’s own certificate and private key. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
drill.exec.ssl.keyStorePassword	ssl.server.keystore.password	javax.net.ssl.keyStorePassword	Password to access the private key from the keystore file. This password is used twice: To unlock the keystore file (store password), and to decrypt the private key stored in the keystore (key password) unless a key password is specified separately.
drill.exec.ssl.keyPassword	ssl.server.keystore.keypassword		Password to access the private key from the keystore file. May be different from the keystore password.
drill.exec.ssl.trustStoreType	ssl.server.truststore.type	javax.net.ssl.trustStoreType	Format of the truststore file	jks, jceks, pkcs12	JKS
drill.exec.ssl.trustStorePath	ssl.server.truststore.location	javax.net.ssl.trustStore	Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client. On Windows, the specified pathname must use forward slashes, /, in place of backslashes. Note: If the trustStorePath is not provided, Drill ignores the trustStorePassword parameter and gets the default Java truststore instead, which causes issues if the Java truststore has a non-default password. The Java APIs to load the default keystore assume the default password. The only way to use the default keystore with a non-default password is to specify both the path and the password to the keystore. To work around this issue, pass the default Java truststore to the trustStorePath parameter.
drill.exec.ssl.trustStorePassword	ssl.server.truststore.password	javax.net.ssl.trustStorePassword	Password to access the private key from the keystore file specified as the truststore.
drill.exec.ssl.provider			Changes the underlying implementation to the chosen value.	OPENSSL/JDK	default: JDK
drill.exec.ssl.useHadoopConfig			Use the setting in the hadoop configuration file. The hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml which contains the property names to configure TLS.	true/false	default:true