With SSL Encryption

This page explains the additional steps for using SSL (Secure Sockets Layer) encryption in Hive on MR3. For simplicity, secure connections to the database servers for Metastore and Ranger are not enabled. See SSL Encryption for details.

Certificates and secrets

Create certificates and secrets by following the instructions in Creating certificates and secrets for SSL.

Copy hivemr3-ssl-certificate.jceks and hivemr3-ssl-certificate.jks to the directories hive/key, ranger/key, and timeline/key.

ls hive/key/*{jceks,jks}
hive/key/hivemr3-ssl-certificate.jceks hive/key/hivemr3-ssl-certificate.jks

ls ranger/key/*{jceks,jks}
ranger/key/hivemr3-ssl-certificate.jceks ranger/key/hivemr3-ssl-certificate.jks

ls timeline/key/*{jceks,jks}
timeline/key/hivemr3-ssl-certificate.jceks timeline/key/hivemr3-ssl-certificate.jks

hive/values-hive.yaml, ranger/values-ranger.yaml, and timeline/values-timeline.yaml

Update hive/values-hive.yaml, ranger/values-ranger.yaml, and timeline/values-timeline.yaml to create Secrets from files in the directories hive/key, ranger/key, and timeline/key.

vi hive/values-hive.yaml

hive:
  createSecret: true

vi ranger/values-ranger.yaml

ranger:
  createSecret: true

vi timeline/values-timeline.yaml

timeline:
  createSecret: true

hive/env-secret.sh

Update hive/env-secret.sh as follows.

vi hive/env-secret.sh

HIVE_SERVER2_SSL_TRUSTSTOREPASS=MySslPassword123
export HADOOP_CREDSTORE_PASSWORD=MySslPassword123
  • HIVE_SERVER2_SSL_TRUSTSTOREPASS and HADOOP_CREDSTORE_PASSWORD should be set to the password for KeyStores and TrustStores (specified when creating certificates and secrets).

HADOOP_CREDSTORE_PASSWORD should be appended to the values of the configuration keys mr3.am.launch.env and mr3.container.launch.env in hive/conf/mr3-site.xml.

vi hive/conf/mr3-site.xml

<property>
<name>mr3.am.launch.env</name>
<value>LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/mr3-run/hadoop/apache-hadoop/lib/native,HADOOP_CREDSTORE_PASSWORD,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION</value>
</property>

<property>
<name>mr3.container.launch.env</name>
<value>LD_LIBRARY_PATH=/opt/mr3-run/hadoop/apache-hadoop/lib/native,HADOOP_CREDSTORE_PASSWORD,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION</value>
</property>

timeline/env.sh

Update timeline/env.sh as follows.

vi timeline/env.sh

export HADOOP_CREDSTORE_PASSWORD=MySslPassword123
  • HADOOP_CREDSTORE_PASSWORD should be set to the password for KeyStores and TrustStores (specified when creating certificates and secrets).
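
A consistency check for the files edited in the steps above, as an added example that is not part of the MR3 documentation. `check_ssl_setup` is a hypothetical helper name; it assumes its argument is the directory containing hive/, ranger/ and timeline/, and that each `<value>` line directly follows its `<name>` line in mr3-site.xml.

```shell
#!/bin/sh
# Added example: consistency check for the files edited on this page.
# check_ssl_setup is a hypothetical helper; ROOT holds hive/, ranger/, timeline/.
# Assumes <value> sits on the line right after <name>, as in the snippet above.

check_ssl_setup() {
  root=$1
  rc=0
  fail() { echo "FAIL: $*"; rc=1; }
  # Read NAME=value (with or without "export") from a file; never printed.
  get() { sed -n "s/^\(export \)\{0,1\}$1=//p" "$2" 2>/dev/null || true; }

  for comp in hive ranger timeline; do
    # Both stores must be present in every key directory.
    for ext in jceks jks; do
      f="$root/$comp/key/hivemr3-ssl-certificate.$ext"
      [ -s "$f" ] || fail "missing or empty $f"
    done
    # values-<comp>.yaml must create the Secret from the key directory.
    v="$root/$comp/values-$comp.yaml"
    grep -Eq '^[[:space:]]*createSecret:[[:space:]]*true([[:space:]]|$)' "$v" \
      2>/dev/null || fail "createSecret: true not set in $v"
  done

  # HADOOP_CREDSTORE_PASSWORD must be forwarded by both launch-env keys.
  site="$root/hive/conf/mr3-site.xml"
  for key in mr3.am.launch.env mr3.container.launch.env; do
    val=$(grep -A1 "<name>$key</name>" "$site" 2>/dev/null | grep '<value>') || true
    val=$(printf '%s\n' "$val" | sed 's/.*<value>//; s/<\/value>.*//')
    case ",$val," in
      *,HADOOP_CREDSTORE_PASSWORD,*) ;;
      *) fail "$key in $site does not list HADOOP_CREDSTORE_PASSWORD" ;;
    esac
  done

  # All three settings name the same KeyStore/TrustStore password.
  h=$(get HADOOP_CREDSTORE_PASSWORD "$root/hive/env-secret.sh")
  s=$(get HIVE_SERVER2_SSL_TRUSTSTOREPASS "$root/hive/env-secret.sh")
  t=$(get HADOOP_CREDSTORE_PASSWORD "$root/timeline/env.sh")
  [ -n "$h" ] && [ "$h" = "$s" ] && [ "$h" = "$t" ] \
    || fail "password unset or inconsistent across env-secret.sh and env.sh"
  return "$rc"
}
```

Run `check_ssl_setup .` from the directory that holds the three component directories; it prints one `FAIL:` line per problem and returns non-zero if any was found.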

Configuring for SSL Encryption

Follow the instructions in Configuring for SSL Encryption.