3. HTTPS Encryption

Encryption over the HTTP protocol is implemented with support for SSL across your Hadoop cluster.

To enable WebHDFS to listen for HTTP over SSL, configure SSL on the NameNode and all DataNodes by setting dfs.https.enable=true in the hdfs-site.xml file.

Most commonly SSL is configured to authenticate only the Server, a mode called 1-way SSL. For 1-way SSL you only need to configure the keystore on the NameNode and each DataNode, using the properties shown in the table below. These parameters are set in the ssl-server.xml file on the NameNode and each of the DataNodes.

SSL can also be configured to authenticate the client, a mode called mutual authentication or 2-way SSL. To configure 2-way SSL also set dfs.client.https.need-auth=true in the hdfs-site.xml file on the NameNode and each DataNode. The truststore configuration is only needed when using a self-signed certificate or a certificate that is not in the JVM's truststore.

The following configuration properties need to be specified in ssl-server.xml and ssl-client.xml.

Table 5.1. Configuration Properties in ssl-server.xml
Property Default Value Description
ssl.server.keystore.type JKS The type of the keystore, JKS = Java Keystore, the de-facto standard in Java
ssl.server.keystore.location None The location of the keystore file
ssl.server.keystore.password None The password to open the keystore file
ssl.server truststore.type JKS The type of the trust store
ssl.server.truststore.location None The location of the truststore file
ssl server.truststore.password None The password to open the trustsore

The following diagram shows an HTTP or REST client's interaction with the NameNode and the DataNodes over HTTPS.