The Hadoop SSL Keystore Factory manages SSL for the Hadoop core services that communicate with other cluster services over HTTP: MapReduce, YARN, and HDFS. Components whose services are typically not distributed, or that only receive HTTP connections directly from clients, such as HBase and Oozie, use the built-in Java JDK SSL tools instead.
The following table shows the Hadoop cluster services that use HTTP and support SSL for wire encryption.
Table 3.2. Components that Support SSL
Component | Service | SSL Management |
---|---|---|
HDFS | WebHDFS | Hadoop SSL Keystore Factory |
MapReduce | Shuffle | Hadoop SSL Keystore Factory |
MapReduce | TaskTracker | Hadoop SSL Keystore Factory |
YARN | Resource Manager | Hadoop SSL Keystore Factory |
YARN | JobHistory | Hadoop SSL Keystore Factory |
Hive | HiveServer2 | Configured in hive-site.xml |
HBase | REST API | Configured in hbase-site.xml |
Solr | | JDK: user and default |
Accumulo | | JDK: user and default |
Falcon | REST API | JDK: user and default |
Oozie | | Configured in oozie-site.xml |
Knox | Hadoop cluster (REST client) | JDK: default only |
Knox | Knox Gateway server | JDK: user and default |
HDP Security Administration | Server/Agent | JDK: user and default |
When enabling SSL, you need to know which SSL management method each Hadoop service uses. Where services that use different methods are co-located on a host, the server certificate and keys, and in some cases the client truststore, must be configured in both the Hadoop SSL Keystore Factory locations and the JDK locations. When using CA-signed certificates, configure the Hadoop SSL Keystore Factory to use the Java keystore and truststore locations, so that both sets of services on the host share a single copy of the keys and trusted certificates.
The following describes the major differences between certificates managed by the JDK and by the Hadoop SSL Keystore Factory:
Hadoop SSL Keystore Factory:
Supports only JKS-formatted keystores and truststores.
Supports toggling the MapReduce shuffle between HTTP and HTTPS.
Supports two-way (client and server) certificate validation and hostname validation.
Uses a common location for both the keystore and truststore that is available to the other Hadoop core services.
Allows you to manage SSL in a central location and propagate changes to all cluster nodes.
Automatically reloads the keystore and truststore without restarting services.
SSL Management with the JDK:
Allows either HTTP or HTTPS.
Uses hardcoded locations for truststores and keystores that may vary between hosts, and generally requires you to generate key pairs and import certificates on each host.
Requires the service to be restarted to reload the keystores and truststores.
Requires certificates to be installed in the client CA truststore.
Note For more information on JDK SSL Management, see Using SSL in Chapter 2: Monitoring and Managing Using JDK.
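The two points above that bite in practice are that the Hadoop SSL Keystore Factory reads only JKS stores, and that on a host where Keystore Factory services and JDK-managed services run side by side, both must see the same trust store once CA-signed certificates are in use. The following audit script is an added example written for this page, not HDP or Apache Hadoop code. It parses the Hadoop-style <configuration> XML of ssl-server.xml, ssl-client.xml and core-site.xml and reports settings that violate those constraints, using the standard Hadoop property names (ssl.server.keystore.*, ssl.client.truststore.*, hadoop.ssl.require.client.cert, hadoop.ssl.hostname.verifier). The JDK path, file locations, passwords and XML fragments are constructed sample input; the first fragment is a deliberately weak configuration and the second is the corrected one.

```python
"""Audit the SSL settings read by the Hadoop SSL Keystore Factory.

Added example for this page, not HDP or Hadoop project code.  The JDK path,
file locations, passwords and XML below are constructed sample input.
"""
import xml.etree.ElementTree as ET

# Trust store that JDK-managed services on the same host (HBase, Oozie, ...)
# use by default.  The JDK install path is an assumption for the example.
JDK_TRUSTSTORE = "/usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts"


def parse_hadoop_conf(xml_text):
    """Return {name: value} for a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def hadoop_conf(props):
    """Render {name: value} as Hadoop <configuration> XML (constructed sample)."""
    body = "".join(f"  <property><name>{n}</name><value>{v}</value></property>\n"
                   for n, v in props.items())
    return f'<?xml version="1.0"?>\n<configuration>\n{body}</configuration>\n'


def audit_keystore_factory(ssl_server_xml, ssl_client_xml, core_site_xml,
                           jdk_truststore=JDK_TRUSTSTORE):
    """Return a list of findings; an empty list means the config is consistent."""
    server = parse_hadoop_conf(ssl_server_xml)
    client = parse_hadoop_conf(ssl_client_xml)
    core = parse_hadoop_conf(core_site_xml)
    findings = []
    two_way = core.get("hadoop.ssl.require.client.cert", "false").lower() == "true"

    # (side, store, required).  The client keystore only matters for two-way SSL.
    for side, store, required in (("server", "keystore", True),
                                  ("server", "truststore", True),
                                  ("client", "truststore", True),
                                  ("client", "keystore", two_way)):
        prefix = f"ssl.{side}.{store}"
        props = server if side == "server" else client
        location = props.get(f"{prefix}.location", "")
        if required and not location:
            findings.append(f"{prefix}.location is not set")
        # The factory reads JKS only; a PKCS12 store built for other tools fails here.
        if props.get(f"{prefix}.type", "jks").lower() != "jks":
            findings.append(f"{prefix}.type must be jks for the Keystore Factory")
        if location and not props.get(f"{prefix}.password"):
            findings.append(f"{prefix}.password is empty")

    # Co-located JDK-managed services only trust what is in the JDK trust store,
    # so with CA-signed certificates the factory should point at the same file.
    for side, props in (("server", server), ("client", client)):
        loc = props.get(f"ssl.{side}.truststore.location")
        if loc and loc != jdk_truststore:
            findings.append(f"ssl.{side}.truststore.location {loc} differs from the "
                            f"JDK trust store {jdk_truststore}; co-located JDK-managed "
                            f"services will not share it")

    if not two_way:
        findings.append("hadoop.ssl.require.client.cert is false: two-way SSL is off")
    if core.get("hadoop.ssl.hostname.verifier", "DEFAULT").upper() == "ALLOW_ALL":
        findings.append("hadoop.ssl.hostname.verifier=ALLOW_ALL disables name validation")
    return findings


# Constructed first attempt: PKCS12 key store, host-private trust store,
# name validation switched off, no client-side trust store at all.
WEAK_SSL_SERVER = hadoop_conf({
    "ssl.server.keystore.location": "/etc/security/serverKeys/keystore.p12",
    "ssl.server.keystore.password": "changeit",
    "ssl.server.keystore.type": "pkcs12",
    "ssl.server.truststore.location": "/tmp/truststore.jks",
    "ssl.server.truststore.password": "changeit",
})
WEAK_SSL_CLIENT = hadoop_conf({})
WEAK_CORE_SITE = hadoop_conf({"hadoop.ssl.hostname.verifier": "ALLOW_ALL"})

# Corrected: JKS stores, the JDK trust store shared with co-located services,
# two-way SSL with hostname checking, trust store re-read every 10 s.
GOOD_SSL_SERVER = hadoop_conf({
    "ssl.server.keystore.location": "/etc/security/serverKeys/keystore.jks",
    "ssl.server.keystore.password": "changeit",
    "ssl.server.keystore.keypassword": "changeit",
    "ssl.server.keystore.type": "jks",
    "ssl.server.truststore.location": JDK_TRUSTSTORE,
    "ssl.server.truststore.password": "changeit",
    "ssl.server.truststore.type": "jks",
    "ssl.server.truststore.reload.interval": "10000",
})
GOOD_SSL_CLIENT = hadoop_conf({
    "ssl.client.truststore.location": JDK_TRUSTSTORE,
    "ssl.client.truststore.password": "changeit",
    "ssl.client.truststore.type": "jks",
    "ssl.client.keystore.location": "/etc/security/clientKeys/keystore.jks",
    "ssl.client.keystore.password": "changeit",
    "ssl.client.keystore.type": "jks",
})
GOOD_CORE_SITE = hadoop_conf({"hadoop.ssl.require.client.cert": "true",
                              "hadoop.ssl.hostname.verifier": "DEFAULT"})

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SSL_SERVER, WEAK_SSL_CLIENT, WEAK_CORE_SITE)),
                        ("fixed", (GOOD_SSL_SERVER, GOOD_SSL_CLIENT, GOOD_CORE_SITE))):
        print(label, audit_keystore_factory(*args) or ["OK"])
```

Run against the weak fragments the audit reports five findings (PKCS12 key store, missing client trust store, a trust store the JDK-managed services cannot see, one-way SSL, and the ALLOW_ALL verifier); the corrected fragments produce none. To check a real host, replace the constructed strings with the contents of /etc/hadoop/conf/ssl-server.xml, ssl-client.xml and core-site.xml and pass the truststore path that the co-located JDK-managed services actually use.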