...
- hive.server2.use.SSL – Set this to true.
- hive.server2.keystore.path – Set this to your keystore path.
- hive.server2.keystore.password – Set this to your keystore password.
Note: When hive.server2.transport.mode is binary and hive.server2.authentication is KERBEROS, SSL encryption does not currently work. Set hive.server2.thrift.sasl.qop to auth-conf to enable encryption. See HIVE-14019 for details.
Setting up SSL with self-signed certificates
Use the following steps to create and verify self-signed SSL certificates for use with HiveServer2:
- Create the self-signed certificate and add it to a keystore file using: keytool -genkey -alias example.com -keyalg RSA -keystore keystore.jks -keysize 2048
- List the keystore entries to verify that the certificate was added. Note that a keystore can contain multiple such certificates: keytool -list -keystore keystore.jks
- Export this certificate from keystore.jks to a certificate file: keytool -export -alias example.com -file example.com.crt -keystore keystore.jks
- Add this certificate to the client's truststore to establish trust: keytool -import -trustcacerts -alias example.com -file example.com.crt -keystore truststore.jks
- Verify that the certificate exists in truststore.jks: keytool -list -keystore truststore.jks
- Then start HiveServer2, and try to connect with beeline using: jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;trustStorePassword=<truststore-password>
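The five keytool steps above, collected into one non-interactive shell function so the keystore and truststore can be generated and checked by a script rather than by answering prompts. This is an added example and not part of the Hive wiki page; it assumes a JDK keytool on PATH, and the function name hs2_selfsigned, the output directory, the hostname and the passwords are placeholders. It goes slightly beyond the page's commands by passing -dname and -ext SAN so the certificate carries the HiveServer2 hostname in CN and SAN (a client that verifies hostnames will otherwise reject it), and by forcing -storetype JKS so the file format matches the .jks name on every JDK version.

```shell
#!/bin/sh
# Added example, not from the Hive wiki: scripted self-signed keystore and
# truststore for HiveServer2. Requires keytool (JDK) on PATH.
set -e

hs2_selfsigned() {
  dir=$1      # output directory (placeholder)
  host=$2     # HiveServer2 hostname; used as the alias and as CN/SAN
  kspass=$3   # keystore password -> hive.server2.keystore.password
  tspass=$4   # truststore password -> trustStorePassword in the JDBC URL

  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH (install a JDK); nothing generated" >&2
    return 0
  fi
  mkdir -p "$dir"

  # 1. Create the self-signed key pair in the server keystore.
  #    -dname and -ext replace the interactive prompts; the hostname goes
  #    into CN and SAN so hostname-verifying clients accept the certificate.
  keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host" -ext "SAN=dns:$host" \
    -storetype JKS -keystore "$dir/keystore.jks" \
    -storepass "$kspass" -keypass "$kspass"

  # 2. Verify the entry was added (keytool -list prints "alias, date, type").
  keytool -list -storetype JKS -keystore "$dir/keystore.jks" -storepass "$kspass" \
    | grep -q "^$host,"

  # 3. Export the certificate (public part only) from the keystore.
  keytool -export -alias "$host" -file "$dir/$host.crt" \
    -storetype JKS -keystore "$dir/keystore.jks" -storepass "$kspass"

  # 4. Import it into the client truststore; -noprompt answers the
  #    "Trust this certificate?" question.
  keytool -import -trustcacerts -noprompt -alias "$host" -file "$dir/$host.crt" \
    -storetype JKS -keystore "$dir/truststore.jks" -storepass "$tspass"

  # 5. Verify the certificate exists in the truststore.
  keytool -list -storetype JKS -keystore "$dir/truststore.jks" -storepass "$tspass" \
    | grep -q "^$host,"

  echo "keystore:   $dir/keystore.jks"
  echo "truststore: $dir/truststore.jks"
}

# Usage (placeholders): hs2_selfsigned ./hs2-ssl hs2.example.com changeit changeit
```

After running it, point hive.server2.keystore.path at the generated keystore.jks and hive.server2.keystore.password at the keystore password, and give beeline the truststore.jks path and its password in the JDBC URL shown above. Keep the private key out of the truststore: only the exported .crt is imported on the client side.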
Selectively disabling SSL protocol versions
To disable specific SSL protocol versions, use the following steps:
- Run openssl ciphers -v (or the corresponding command if not using openssl) to view all protocol versions.
- In addition to step 1, an additional step of going over the HiveServer2 logs may be required to see all the protocols that the node running HiveServer2 is supporting. For that, search for "SSL Server Socket Enabled Protocols:" in the HiveServer2 log file.
- Add all the SSL protocols that need to be disabled to hive.ssl.protocol.blacklist. Ensure that the property in hiveserver2-site.xml does not override that in hive-site.xml.
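The three steps above as a small set of shell functions: pull the enabled protocols out of the "SSL Server Socket Enabled Protocols:" log line, derive the hive.ssl.protocol.blacklist value from the protocols you want to keep, print the property element for hive-site.xml, and check that hiveserver2-site.xml does not carry its own copy of the property. This is an added example, not code from the Hive wiki or the Hive project. The log line below is constructed, and the assumption that the protocols follow the colon as a bracketed, comma-separated list is mine; the function names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Hive wiki: derive hive.ssl.protocol.blacklist
# from a HiveServer2 log and check for an override in hiveserver2-site.xml.

# Constructed sample log text (not from a real deployment). The bracketed
# list format after the colon is an assumption.
HS2_LOG_SAMPLE='2019-01-01 10:00:01,000 INFO  [main]: Starting HiveServer2
2019-01-01 10:00:01,010 INFO  [main]: SSL Server Socket Enabled Protocols: [SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2]
2019-01-01 10:00:02,000 INFO  [main]: HiveServer2 started'

hs2_enabled_protocols() {
  # $1: log text. Prints one protocol per line, de-duplicated (the line is
  # logged at every start, so a long-lived log may contain it many times).
  printf '%s\n' "$1" \
    | sed -n 's/.*SSL Server Socket Enabled Protocols: *\[\([^]]*\)\].*/\1/p' \
    | tr -d ' ' | tr ',' '\n' | grep -v '^$' | sort -u
}

hs2_blacklist_for() {
  # $1: log text; remaining args: protocols that must stay enabled.
  # Prints the comma-separated blacklist: every enabled protocol not kept.
  log=$1; shift
  out=""
  for p in $(hs2_enabled_protocols "$log"); do
    keep=no
    for k in "$@"; do
      if [ "$p" = "$k" ]; then keep=yes; fi
    done
    if [ "$keep" = no ]; then out="${out:+$out,}$p"; fi
  done
  printf '%s\n' "$out"
}

hs2_blacklist_property() {
  # $1: blacklist value. Prints the property element for hive-site.xml.
  printf '  <property>\n    <name>hive.ssl.protocol.blacklist</name>\n    <value>%s</value>\n  </property>\n' "$1"
}

hs2_blacklist_overridden() {
  # $1: path to hiveserver2-site.xml. Exit 0 if that file also defines
  # hive.ssl.protocol.blacklist, in which case it overrides hive-site.xml.
  grep -q '<name>hive.ssl.protocol.blacklist</name>' "$1" 2>/dev/null
}

hs2_demo() {
  dir=$(mktemp -d)
  # Constructed hiveserver2-site.xml that (wrongly) carries its own blacklist.
  printf '<configuration>\n%s\n</configuration>\n' "$(hs2_blacklist_property SSLv2,SSLv3)" \
    > "$dir/hiveserver2-site.xml"

  bl=$(hs2_blacklist_for "$HS2_LOG_SAMPLE" TLSv1.2)   # keep only TLSv1.2
  echo "Add to hive-site.xml:"
  hs2_blacklist_property "$bl"
  if hs2_blacklist_overridden "$dir/hiveserver2-site.xml"; then
    echo "WARNING: hiveserver2-site.xml also sets hive.ssl.protocol.blacklist and will override hive-site.xml" >&2
  fi
  rm -rf "$dir"
}

hs2_demo
```

Run it against the real log with `hs2_blacklist_for "$(cat /path/to/hiveserver2.log)" TLSv1.2` and paste the printed property into hive-site.xml; if the override warning fires, remove the property from hiveserver2-site.xml or make it carry the same value.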
Pluggable Authentication Modules (PAM)
...