MapR 5.0 Documentation : Enable SSL Encryption Between Hue and Hive

The following procedure explains how to enable SSL encryption between Hue and Hive. 

  1. Start Hue:

    maprcli node services -name hue -action start -nodes <node name>

    When you start or restart Hue on a secure cluster, the script $HUE_HOME/bin/secure.sh generates the keys under $HUE_HOME. If generated keystore files already exist in that location, the script does nothing. The script runs with a set of default parameters, which should not be changed.

  2. On an unsecure cluster, complete the following steps to generate the keys:

    1. Generate a keystore (keystore.jks) with a private key.

      keytool -genkeypair -alias certificatekey -keyalg RSA -validity 7 -keystore keystore.jks
    2. Generate a certificate from the keystore.

      keytool -export -alias certificatekey -keystore keystore.jks -rfc -file cert.pem
    3. Convert the keystore from JKS to PKCS12 format. For example:

      keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass mapr123 -deststorepass mapr123 -srcalias certificatekey -destalias certificatekey -srckeypass mapr123 -destkeypass mapr123 -noprompt
    4. Convert PKCS12 to PEM using OpenSSL. For example:

      openssl pkcs12 -in keystore.p12 -out keystore.pem -passin pass:mapr123 -passout pass:mapr123
    5. If you do not want to enter a password while connecting to Hive, you can run the following command. It writes the private key to hue_private_keystore.pem without a passphrase, so restrict read access to that file:

       openssl rsa -in keystore.pem -out hue_private_keystore.pem
  3. Update the SSL section of the hue.ini.

    • For Hue 3.7: In the [[ssl]] section of the hue.ini file (under the beeswax section), add the following SSL configuration information:

      [[ssl]]
      # SSL communication enabled for this server.
      enabled=true
      # Path to certificate authority certificates.
      ## cacerts=/etc/hue/cacerts.pem
      # Path to the private key file.
      key=/opt/mapr/hue/hue-<version>/hue_private_keystore.pem
      # Path to the public certificate file.
      cert=/opt/mapr/hue/hue-<version>/cert.pem
      # Choose whether Hue should validate certificates received from the server.
      validate=false
    • For Hue 3.8 and above: In the [[ssl]] section of the hue.ini file (under the beeswax section), set validate to false:

      [[ssl]]
      # SSL communication enabled for this server.
      # Path to certificate authority certificates.
      ## cacerts=/etc/hue/cacerts.pem
      # Choose whether Hue should validate certificates received from the server.
      validate=false
  4. Edit the hive-site.xml.

    • On an unsecure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:

      <property>
        <name>hive.server2.use.SSL</name>
        <value>true</value>
        <description>enable/disable SSL communication</description>
      </property>
      <property>
        <name>hive.server2.keystore.path</name>
        <value>/opt/mapr/conf/ssl_keystore</value>
        <description>path to keystore file</description>
      </property>
      <property>
        <name>hive.server2.keystore.password</name>
        <value>mapr123</value>
        <description>keystore password</description>
      </property>
    • On a secure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:

      <property>
        <name>hive.server2.thrift.sasl.qop</name>
        <value>auth-conf</value>
        <description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
      </property>
  5. Restart Hue, Hive Metastore, and HiveServer2.

    • To restart Hue:

      maprcli node services -name hue -action start -nodes <hostname>
    • To restart Hive Metastore:

      maprcli node services -name hivemeta -action start -nodes <space delimited list of nodes>
    • To restart HiveServer2:

      maprcli node services -name hs2 -action start -nodes <space delimited list of nodes>
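As an added example that is not part of the MapR documentation or the Hue/Hive projects, the following script reads the two files configured in steps 3 and 4 and reports the settings a reviewer would want to know about: validate=false (Hue will not check the HiveServer2 certificate), a hive-site.xml with neither hive.server2.use.SSL nor SASL auth-conf set, and a keystore password stored in clear text. The sample hue.ini and hive-site.xml contents are constructed, and the hue-3.7 path stands in for the real installation directory.

```python
import xml.etree.ElementTree as ET
# Constructed sample inputs, modelled on the fragments shown in steps 3 and 4 above.
SAMPLE_HUE_INI = """\
[beeswax]
  [[ssl]]
  # SSL communication enabled for this server.
  enabled=true
  key=/opt/mapr/hue/hue-3.7/hue_private_keystore.pem
  cert=/opt/mapr/hue/hue-3.7/cert.pem
  validate=false
"""

SAMPLE_HIVE_SITE = """\
<configuration>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
  <property><name>hive.server2.keystore.path</name><value>/opt/mapr/conf/ssl_keystore</value></property>
  <property><name>hive.server2.keystore.password</name><value>mapr123</value></property>
</configuration>
"""

def parse_hue_ssl(ini_text):
    """Return the key=value pairs of the [[ssl]] subsection under [beeswax].
    Hue's ini nests [[sections]], which configparser cannot read, so walk lines."""
    section, sub, out = None, None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):
            sub = line.strip("[]")
        elif line.startswith("["):
            section, sub = line.strip("[]"), None
        elif section == "beeswax" and sub == "ssl" and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out

def parse_hive_site(xml_text):
    """Return hive-site.xml <property> entries as a name -> value dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("property")}

def audit(ini_text, xml_text):
    """List the settings a reviewer would flag in the Hue and Hive configs."""
    ssl, hive, findings = parse_hue_ssl(ini_text), parse_hive_site(xml_text), []
    if ssl.get("validate", "true").lower() != "true":  # Hue's default is validate=true
        findings.append("hue.ini: validate=false, so Hue accepts any certificate HiveServer2 presents")
    if hive.get("hive.server2.use.SSL", "").lower() != "true" and hive.get("hive.server2.thrift.sasl.qop") != "auth-conf":
        findings.append("hive-site.xml: neither hive.server2.use.SSL nor SASL auth-conf is enabled")
    if "hive.server2.keystore.password" in hive:
        findings.append("hive-site.xml: hive.server2.keystore.password is stored in clear text")
    return findings
```

Run audit() on the real files after step 4; an empty list means none of the three conditions was found.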