This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.

Configuring TLS/SSL for Oozie

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • Keystores for Oozie must be readable by the oozie user. This could be a copy of the Hadoop services' keystore with permissions 0440 and owned by the oozie group.
  • Truststores must have permissions 0444 (that is, readable by all).
  • Specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the Oozie service run. Therefore, the paths you choose must be valid on all hosts.
  • In case there is a DataNode and an Oozie server running on the same host, they can use the same certificate.
For more information on obtaining signed certificates and creating keystores, see TLS/SSL Certificates Overview. You can also view the upstream documentation located here.
  Important:
  • You can use either Cloudera Manager or the following command-line instructions to complete this configuration.
  • This information applies specifically to CDH 5.8.x. If you use an earlier version of CDH, see the documentation for that version located at Cloudera Documentation.

Using Cloudera Manager

The steps for configuring and enabling Hadoop TLS/SSL for Oozie are as follows:
  1. Open the Cloudera Manager Admin Console and go to the Oozie service.
  2. Click the Configuration tab.
  3. Select Scope > All.
  4. Select Category > All.
  5. In the Search field, type TLS/SSL to show the Oozie TLS/SSL properties.
  6. Edit the following TLS/SSL properties according to your cluster configuration.
    Table 1. Oozie TLS/SSL Properties
    Property Description
    Enable TLS/SSL for Oozie Check this field to enable TLS/SSL for Oozie.
    Oozie TLS/SSL Server Keystore File Location Location of the keystore file on the local file system.
    Oozie TLS/SSL Server JKS Keystore File Password Password for the keystore.
  7. Click Save Changes.
  8. Restart the Oozie service.

Using the Command Line

To configure the Oozie server to use TLS/SSL:
  1. Stop Oozie by running
    sudo /sbin/service oozie stop
  2. To enable TLS/SSL, set the MapReduce version that the Oozie server should work with using the alternatives command.
      Note: The alternatives command is only available on RHEL systems. For SLES, Ubuntu and Debian systems, the command is update-alternatives.
    For RHEL systems, to use YARN with TLS/SSL:
    alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https
    For RHEL systems, to use MapReduce (MRv1) with TLS/SSL:
    alternatives --set oozie-tomcat-conf /etc/oozie/tomcat-conf.https.mr1
      Important:

    The OOZIE_HTTPS_KEYSTORE_PASS variable must be the same as the password used when creating the keystore file. If you used a password other than password, you'll have to change the value of the OOZIE_HTTPS_KEYSTORE_PASS variable in this file.

  3. Start Oozie by running
    sudo /sbin/service oozie start

Connect to the Oozie Web UI using TLS/SSL (HTTPS)

Use https://oozie.server.hostname:11443/oozie though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie.

Additional Considerations when Configuring TLS/SSL for Oozie HA

To allow clients to talk to Oozie servers (the target servers) through the load balancer using TLS/SSL, configure the load balancer to perform TLS/SSL pass-through. This allows clients to use the certificate provided by the target servers (so the load balancer will not need one). Consult your load balancer's documentation on how to configure this. Make sure to point the load balancer at the https://HOST:HTTPS_PORT addresses for your target servers. Clients can then connect to the load balancer at https://LOAD_BALANCER_HOST:PORT.

Page generated July 8, 2016.