Enable SSL Encryption Between Hue and Hive

The following procedure explains how to enable SSL encryption between Hue and Hive.
  1. Start Hue:
    maprcli node services -name hue -action start -nodes <node name>
    When you start or restart Hue on a secure cluster, keys are generated at $HUE_HOME. If generated keystore files already exist in that location, the script does nothing. The script is located here: $HUE_HOME/bin/secure.sh, and it runs with a set of default parameters, which should not be changed.
  2. On an unsecure cluster, complete the following steps to generate the keys:
    1. Generate a keystore (keystore.jks) with a private key.
      keytool -genkeypair -alias certificatekey -keyalg RSA -validity 7 -keystore keystore.jks
    2. Generate a certificate from the keystore.
      keytool -export -alias certificatekey -keystore keystore.jks -rfc -file cert.pem
    3. Import the keystore from JKS to PKCS12. For example:
      keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <ssl-keystore-password> -deststorepass <ssl-keystore-password> -srcalias certificatekey -destalias certificatekey -srckeypass <ssl-keystore-password> -destkeypass <ssl-keystore-password> -noprompt
    4. Convert PKCS12 to PEM using OpenSSL. For example:
      openssl pkcs12 -in keystore.p12 -out keystore.pem -passin pass:<ssl-keystore-password> -passout pass:<ssl-keystore-password>
    5. Strip the pass phrase so Python doesn't prompt for password while connecting to Hive. For example:
      openssl rsa -in keystore.pem -out hue_private_keystore.pem
  3. In the [[ssl]] section of the hue.ini file (under the beeswax section), set validate to true.
    [[ssl]]
    # SSL communication enabled for this server.
    # Path to certificate authority certificates.
    ## cacerts=/path/cert.pem
    # Choose whether Hue should validate certificates received from the server.
    validate=true
  4. Edit the hive-site.xml.
    • On a non-secure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:
      <property>
        <name>hive.server2.use.SSL</name>
          <value>true</value>
            <description>enable/disable SSL communication</description>
            </property>
      <property>
        <name>hive.server2.keystore.path</name>
          <value>/opt/mapr/conf/ssl_keystore</value>
            <description>path to keystore file</description>
            </property>
      <property>
        <name>hive.server2.keystore.password</name>
          <value><ssl-keystore-password></value>
            <description>keystore password</description>
            </property>
    • On a secure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:
      <name>hive.server2.thrift.sasl.qop</name>
      <value>auth-conf</value>
      <description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
      </property>
  5. Restart Hue, Hive Metastore, and HiveServer2.
    To restart Hue
    maprcli node services -name hue -action start -nodes <hostname>
    To restart Hive Metastore
    maprcli node services -name hivemeta -action start -nodes <space delimited list of nodes>
    To restart HiveServer2
    maprcli node services -name hs2 -action start -nodes <space delimited list of nodes>