This page explains additional steps for using SSL (Secure Sockets Layer) encryption in Hive on MR3.

  • For simplicity, secure shuffle is not enabled. See Using the MR3 Shuffle Handler for details.
  • For simplicity, secure connection to database servers for Metastore and Ranger is not enabled. See Enabling SSL for details.
In order to run Ranger with SSL, Kerberos should be used for authentication.

Certificates and secrets

Create certificates and secrets by following the instruction in Creating certificates and secrets for SSL.

Copy hivemr3-ssl-certificate.jceks and hivemr3-ssl-certificate.jks in the directories key,ranger-key, and timeline-key.

$ ls key/*{jceks,jks}
key/hivemr3-ssl-certificate.jceks  key/hivemr3-ssl-certificate.jks

$ ls ranger-key/*{jceks,jks}
ranger-key/hivemr3-ssl-certificate.jceks  ranger-key/hivemr3-ssl-certificate.jks

$ ls timeline-key/*{jceks,jks}
timeline-key/hivemr3-ssl-certificate.jceks timeline-key/hivemr3-ssl-certificate.jks

Update as follows:

$ vi


  • CREATE_KEYTAB_SECRET specifies whether or not to create a Secret from files in the directory key and should be set to true.
  • CREATE_WORKER_SECRET specifies whether or not to create a Secret for MR3 ContainerWorkers.
  • HIVE_SERVER2_SSL_TRUSTSTOREPASS and HADOOP_CREDSTORE_PASSWORD should be set to the password for KeyStores and TrustStores (specified when creating certificates and secrets). HADOOP_CREDSTORE_PASSWORD should be appended to the values of the configuration keys and mr3.container.launch.env in conf/mr3-site.xml.
    $ vi conf/mr3-site.xml

Configuring for SSL Encryption

Follow the instructions in Configuring for SSL Encryption.