Configuring SSL/TLS
Enable SSL in <DRILL_INSTALL_HOME>/conf/drill-override.conf. You can use several configuration options to customize SSL/TLS. After changing the SSL configuration, restart the Drillbits on the affected nodes:

$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>
The following sections provide information and instructions for enabling and configuring SSL:
Enabling SSL
When SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill servers using SSL. Enable SSL in the Drill startup configuration file, drill-override.conf, located in /opt/mapr/drill/drill-<version>/conf.
To enable SSL for Drill, set the drill.exec.security.user.encryption.ssl.enabled option in drill-override.conf to true.
Configuring SSL
You can specify the SSL parameters as Java system properties, in drill-override.conf, or in the Hadoop SSL configuration file to which hadoop.ssl.server.conf points (recommended). If a parameter is specified in multiple places, the value in the Hadoop configuration takes precedence over the Drill configuration, which takes precedence over the system property.

The Hadoop SSL configuration is located through the hadoop.ssl.server.conf parameter in the Hadoop core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names used to configure SSL. Both the core-site.xml file and the ssl-server.xml file must exist in Drill's classpath. Drill's SSL configuration picks up the Hadoop SSL
configuration.

| Drill Property Name | Hadoop Property Name | System Property Name | Description | Allowed Values | Drill Default |
|---|---|---|---|---|---|
| drill.exec.security.user.encryption.ssl.enabled | | | Enable or disable TLS for Drill client to Drill server communication. You must set this option in drill-override.conf. | true, false | false |
| drill.exec.ssl.protocol | | | The version of the TLS protocol to use. | TLS, TLSv1, TLSv1.1, TLSv1.2 | TLSv1.2 (recommended) |
| drill.exec.ssl.keyStoreType | ssl.server.keystore.type | javax.net.ssl.keyStoreType | Format of the keystore file. | jks, jceks, pkcs12 | JKS |
| drill.exec.ssl.keyStorePath | ssl.server.keystore.location | javax.net.ssl.keyStore | Location of the Java keystore file containing the Drillbit's own certificate and private key. On Windows, the specified pathname must use forward slashes, /, in place of backslashes. | | |
| drill.exec.ssl.keyStorePassword | ssl.server.keystore.password | javax.net.ssl.keyStorePassword | Password to access the private key from the keystore file. This password is used twice: to unlock the keystore file (store password), and to decrypt the private key stored in the keystore (key password) unless a key password is specified separately. | | |
| drill.exec.ssl.keyPassword | ssl.server.keystore.keypassword | | Password to access the private key from the keystore file. May be different from the keystore password. | | |
| drill.exec.ssl.trustStoreType | ssl.server.truststore.type | javax.net.ssl.trustStoreType | Format of the truststore file. | jks, jceks, pkcs12 | JKS |
| drill.exec.ssl.trustStorePath | ssl.server.truststore.location | javax.net.ssl.trustStore | Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client. On Windows, the specified pathname must use forward slashes, /, in place of backslashes. Note: If trustStorePath is not provided, Drill ignores the trustStorePassword parameter and loads the default Java truststore instead, which causes issues if the Java truststore has a non-default password, because the Java APIs that load the default truststore assume the default password. The only way to use the default truststore with a non-default password is to specify both the path and the password, so to work around this issue pass the path of the default Java truststore in the trustStorePath parameter. | | |
| drill.exec.ssl.trustStorePassword | ssl.server.truststore.password | javax.net.ssl.trustStorePassword | Password to access the private key from the keystore file specified as the truststore. | | |
| drill.exec.ssl.provider | | | Changes the underlying SSL implementation to the chosen value. | OPENSSL, JDK | JDK |
| drill.exec.ssl.useHadoopConfig | | | Use the settings in the Hadoop configuration file. The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names to configure TLS. | true, false | true |
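The precedence rule and the truststore caveat above, as an added example that is not Drill's own code: a small Python checker that flattens a Hadoop ssl-server.xml, resolves each Drill SSL property with the order Hadoop configuration > drill-override.conf > system property (honouring useHadoopConfig), and flags the settings the table warns about. The XML, the drill-override.conf contents (represented as an already-parsed dict), the paths and the password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Drill property -> (Hadoop ssl-server.xml property, Java system property), from the table above.
MAPPING = {
    "drill.exec.ssl.protocol": (None, None),
    "drill.exec.ssl.keyStoreType": ("ssl.server.keystore.type", "javax.net.ssl.keyStoreType"),
    "drill.exec.ssl.keyStorePath": ("ssl.server.keystore.location", "javax.net.ssl.keyStore"),
    "drill.exec.ssl.keyStorePassword": ("ssl.server.keystore.password", "javax.net.ssl.keyStorePassword"),
    "drill.exec.ssl.keyPassword": ("ssl.server.keystore.keypassword", None),
    "drill.exec.ssl.trustStoreType": ("ssl.server.truststore.type", "javax.net.ssl.trustStoreType"),
    "drill.exec.ssl.trustStorePath": ("ssl.server.truststore.location", "javax.net.ssl.trustStore"),
    "drill.exec.ssl.trustStorePassword": ("ssl.server.truststore.password", "javax.net.ssl.trustStorePassword"),
}

def parse_hadoop_xml(text):
    """Flatten a Hadoop <configuration><property><name/><value/></property> file to a dict."""
    return {p.findtext("name"): p.findtext("value")
            for p in ET.fromstring(text).iter("property")}

def resolve(drill_conf, hadoop_conf, sys_props, use_hadoop=True):
    """Apply the precedence rule: Hadoop config > drill-override.conf > system property.
    use_hadoop mirrors drill.exec.ssl.useHadoopConfig (default true)."""
    effective = {}
    for drill_key, (hadoop_key, sys_key) in MAPPING.items():
        value = sys_props.get(sys_key) if sys_key else None   # lowest precedence
        value = drill_conf.get(drill_key, value)              # drill-override.conf
        if use_hadoop and hadoop_key:
            value = hadoop_conf.get(hadoop_key, value)        # Hadoop wins when present
        effective[drill_key] = value
    return effective

def audit(effective):
    """Flag the weak or self-defeating settings the table above warns about."""
    findings = []
    if effective["drill.exec.ssl.protocol"] != "TLSv1.2":
        findings.append("drill.exec.ssl.protocol is not TLSv1.2 (recommended)")
    if effective["drill.exec.ssl.trustStorePassword"] and not effective["drill.exec.ssl.trustStorePath"]:
        findings.append("trustStorePassword set without trustStorePath: the password is "
                        "ignored and the default Java truststore is loaded instead")
    return findings

# Constructed sample inputs; paths and the password are placeholders, not real values.
SSL_SERVER_XML = """<configuration>
  <property><name>ssl.server.keystore.location</name><value>/etc/example/drillbit.jks</value></property>
  <property><name>ssl.server.truststore.password</name><value>PLACEHOLDER</value></property>
</configuration>"""
DRILL_OVERRIDE = {"drill.exec.ssl.protocol": "TLSv1.1",
                  "drill.exec.ssl.keyStorePath": "/etc/example/override.jks"}
SYS_PROPS = {"javax.net.ssl.keyStoreType": "pkcs12"}
```

Running resolve on the three constructed sources shows the keystore path from ssl-server.xml overriding drill-override.conf, and audit reports both the TLSv1.1 setting and the truststore password that would be silently ignored.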