SSL Truststore Setup Instructions Between Hive Client and Hive Server

In order to use SSL with HiveServer2, you need to set up a keystore and a truststore.

Overview

Keystore

A keystore is located on the server side. It is a file that contains the server's private key, which is used in the SSL handshake and to decrypt messages sent to the server. A keystore is not delivered with the JDK: you must create your own keystore and generate the key you want to use for communication. To obtain a valid key, have it signed by a certificate authority (CA) and then import the CA-issued certificate. Alternatively, you can import a self-generated (self-signed) certificate into your keystore.

Truststore

A truststore is located on the client side (e.g., Beeline or Datameer). This file contains:

  • the public key that belongs to the private key in the keystore, wrapped in a certificate (in the case of self-signed certificates).
  • all other root certificates, called CA certificates. These certificates are used to verify that the certificate presented by the server, and thus its private key, is valid (SSL handshake).

You can use the truststore provided by the JDK from Oracle. This file is located under $JAVA_HOME/jre/lib/security/cacerts.

For other detailed info see Oracle's KeyStores and TrustStores.

A KeyStore consists of a database containing a private key and an associated certificate, or an associated certificate chain. The certificate chain consists of the client certificate and one or more certification authority (CA) certificates.

A TrustStore contains only the certificates trusted by the client (a "trust" store). These certificates are CA root certificates, that is, self-signed certificates.

Hive Server Side

You can turn on SSL to protect the communication between Hive Server and any Hive client. To do that, edit your hive-site.xml and add the following properties (the values shown are only examples):

hive-site.xml
<property>
  <name>hive.server2.use.SSL</name>
  <value>true</value>
  <description>enable/disable SSL </description>
</property>
  
<property>
  <name>hive.server2.keystore.path</name>
  <value>/home/datameer/hive/security/hive.jks</value>
  <description>path to keystore file</description>
</property>
 
<property>
  <name>hive.server2.keystore.password</name>
  <value>datameer</value>
  <description>keystore password</description>
</property>

The property hive.server2.keystore.path points to a Java keystore (JKS) that contains the server's private key.

Hive Client Side

The client uses a truststore to hold the certificates it trusts. You can define your own truststore or use the default truststore shipped with the Oracle JDK, located under $JAVA_HOME/jre/lib/security/cacerts.

There are two types of certificates you can import into a truststore:

Self signed certificate

Such certificates are not part of the default truststore shipped with the Oracle JDK under $JAVA_HOME/jre/lib/security/cacerts. If you want to use a self-signed certificate for SSL, you must import it into your truststore.

CA signed certificate

Instead of generating your own self-signed certificate, you can buy a certificate from a Certificate Authority (CA). The JDK truststore already trusts many public CAs. You can inspect this truststore with the following command:

keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

You don't need to import your CA-signed certificate into the JDK truststore if the CA you bought the certificate from is already part of the JDK truststore.

JDBC connection string

If you use a truststore other than the JDK truststore $JAVA_HOME/jre/lib/security/cacerts, you must add the JDBC parameters sslTrustStore and trustStorePassword. trustStorePassword can be omitted if you didn't define one when creating the truststore.

e.g.: jdbc:hive2://ip-10-121-5-48.eu-west-1.compute.internal:10004/default;ssl=true;sslTrustStore=/tmp/truststore.jks;trustStorePassword=datameer

You can import your certificate into the JDK truststore $JAVA_HOME/jre/lib/security/cacerts to avoid passing sslTrustStore and trustStorePassword in the URL.

e.g.: jdbc:hive2://ip-10-121-5-48.eu-west-1.compute.internal:10004/default;ssl=true

You don't need to import your certificate into any truststore if you have a CA-signed certificate and the CA is already part of the JDK truststore.

Datameer X recommends using a valid CA-signed certificate for SSL communication between Datameer X and HiveServer2.

Example - Self Signed Certificate

Generate Private Key and Self Signed Certificate
# Generate Private Key
keytool -genkey -alias hiveserver2 -keyalg RSA -keystore /tmp/hs2keystore.jks -keysize 2048


Enter keystore password: datameer
Re-enter new password: datameer
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: Engineering
What is the name of your organization?
[Unknown]: Datameer
What is the name of your City or Locality?
[Unknown]: Halle (Saale)
What is the name of your State or Province?
[Unknown]: Saxonia-Anhalt
What is the two-letter country code for this unit?
[Unknown]: DE
Is CN=localhost, OU=QA, O=Datameer X, L=Halle (Saale), ST=Saxonia-Anhalt, C=DE correct?
[no]: YES
Enter key password for <hiveserver2>
(RETURN if same as keystore password): <RETURN>


# Export Self Signed Certificate
keytool -export -alias hiveserver2 -file hiveserver2.crt -keystore /tmp/hs2keystore.jks


# Import this self-signed certificate into the truststore used by Datameer X or Beeline
keytool -import -trustcacerts -alias hiveserver2 -file hiveserver2.crt -keystore /tmp/truststore.jks

Edit hive-site.xml and start the Hive server after saving.

hive-site.xml
<property>
  <name>hive.server2.use.SSL</name>
  <value>true</value>
</property>
  
<property>
  <name>hive.server2.keystore.path</name>
  <value>/tmp/hs2keystore.jks</value>
</property>
 
<property>
  <name>hive.server2.keystore.password</name>
  <value>datameer</value>
</property>

Use Beeline to verify that the connection is working.

!connect jdbc:hive2://localhost:10000/default;ssl=true;sslTrustStore=/tmp/truststore.jks;trustStorePassword=datameer

Example - CA Signed Certificate

This section demonstrates how you can set up the Hive server keystore and the Hive client truststore.

You have two options for signing a certificate: have it signed by a well-known public CA, or act as your own CA.


Generate a CA certificate and key. (Only if you or your company act as the CA; skip this step when you use a public CA.)

openssl req -new -x509 -keyout ca-key.pem.txt -out ca-certificate.pem.txt -days 365

Generate a key for HiveServer2. 

# Explicitly request RSA; older keytool versions default to DSA, which TLS clients may reject
keytool -keystore h2server.jks -genkey -alias h2server -keyalg RSA -keysize 2048

Generate the Certificate Signing Request (CSR).

keytool -keystore h2server.jks -certreq -alias h2server -keyalg rsa -file h2server.csr

Send this signing request (h2server.csr) to the CA of your choice.

Sign the signing request. (Only if you or your company act as the CA; otherwise the CA returns the signed certificate to you.)

openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in h2server.csr -out h2server.cer -days 365 -CAcreateserial

Import the CA certificate into the server keystore to have the correct trust chain.

keytool -import -keystore h2server.jks -file ca-certificate.pem.txt -alias theCARoot

Import the signed certificate into the server keystore.

keytool -import -keystore h2server.jks -file h2server.cer -alias h2server

Edit hive-site.xml, save it, and restart HiveServer2.

hive-site.xml
<property>
  <name>hive.server2.use.SSL</name>
  <value>true</value>
</property>
  
<property>
  <name>hive.server2.keystore.path</name>
  <value>/tmp/h2server.jks</value>
</property>
 
<property>
  <name>hive.server2.keystore.password</name>
  <value>datameer</value>
</property>

If your CA is already in the default JDK truststore, you can connect to Hive directly with the following connection string.

jdbc:hive2://localhost:10004/default;ssl=true

If the CA is not in the default cacerts file, you must import the CA certificate into the cacerts file on each node of your Hadoop cluster.

# The default password of the JDK cacerts file is changeit
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file ca-certificate.pem.txt -alias theCARoot

You can now connect to Hive without any additional truststore or truststore password parameters.

jdbc:hive2://localhost:10004/default;ssl=true
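The CA-signed procedure above, run non-interactively as one script and followed by checks that the server keystore holds the full chain and that the client truststore needs nothing but the CA certificate. This is an added example, not part of the original page or Datameer's documentation; the passwords, DN fields and scratch directory are constructed values.

```shell
#!/bin/sh
# Added example: the page's CA-signed keystore/truststore setup as a script.
# Assumed/constructed: the store password, the DN fields and the work directory.
set -eu

have_tls_tools() {
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

build_ca_signed_hs2() {
    work=${1:-$(mktemp -d)}
    pass=changeit_example   # constructed; pick your own and keep it out of scripts
    cd "$work" || return 1

    # 1. Private CA (this step only exists because we act as our own CA).
    openssl req -new -x509 -nodes -days 365 \
        -subj "/CN=Example Internal CA/O=Example/C=DE" \
        -keyout ca-key.pem -out ca-certificate.pem 2>/dev/null || return 1

    # 2. HiveServer2 key pair; CN must match the host name clients connect to.
    keytool -genkeypair -keystore h2server.jks -alias h2server -keyalg RSA \
        -keysize 2048 -validity 365 -storepass "$pass" -keypass "$pass" \
        -dname "CN=localhost, OU=Engineering, O=Example, C=DE" || return 1

    # 3. CSR, signed by the CA.
    keytool -certreq -keystore h2server.jks -alias h2server \
        -storepass "$pass" -file h2server.csr || return 1
    openssl x509 -req -days 365 -CA ca-certificate.pem -CAkey ca-key.pem \
        -CAcreateserial -in h2server.csr -out h2server.cer 2>/dev/null || return 1

    # 4. CA certificate first, then the signed reply under the key's alias.
    keytool -importcert -noprompt -keystore h2server.jks -storepass "$pass" \
        -alias theCARoot -file ca-certificate.pem || return 1
    keytool -importcert -noprompt -keystore h2server.jks -storepass "$pass" \
        -alias h2server -file h2server.cer || return 1

    # 5. Client truststore: only the CA certificate, never the server key.
    keytool -importcert -noprompt -keystore truststore.jks -storepass "$pass" \
        -alias theCARoot -file ca-certificate.pem || return 1

    # Checks: key entry carries server cert + CA, truststore has exactly one
    # trusted entry, and the server cert really chains to that CA.
    keytool -list -v -keystore h2server.jks -storepass "$pass" -alias h2server \
        | grep -q 'Certificate chain length: 2' || return 1
    n=$(keytool -list -keystore truststore.jks -storepass "$pass" 2>/dev/null \
        | grep -c trustedCertEntry)
    [ "$n" -eq 1 ] || return 1
    openssl verify -CAfile ca-certificate.pem h2server.cer >/dev/null 2>&1
}
```

Point hive.server2.keystore.path at the generated h2server.jks and use truststore.jks as sslTrustStore in the JDBC URL, as in the examples above.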