The Security Agents for HBase repositories are installed on the HBase Master and all HBase RegionServers in the cluster. Perform these steps on all the HBase Security Agent hosts.
Note: These steps require a private key for the HDP Security Agent (for client SSL verification) and a valid CA X509 Certificate in JKS format.
Change the HDP Security Administration Server URL from HTTP to HTTPS in the Security Agent configuration file:
Open the configuration file for editing, /etc/hbase/conf/xasecure-hbase-security.xml.
Change the value in the xasecure.hdfs.policymgr.url property from http to https and update the port as required.
For example, if the current value is http://$hostname:6080/service/assets/policyList/$repository_name, change it to https://$hostname:6080/service/assets/policyList/$repository_name.
Define the SSL policymgr.clientssl properties in the Security Agent SSL configuration file, /etc/hbase/conf/xasecure-policymgr-ssl.xml, as follows:
xasecure.policymgr.clientssl.keystore = $JKS_file
xasecure.policymgr.clientssl.keystore.password = $keystore_password
xasecure.policymgr.clientssl.truststore = $CA_certificate_file
After saving the configuration, restart the HBase services.
Execute this command on the HBase Master host machine:
su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf stop master; sleep 25"
Execute this command on all RegionServers:
su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf stop regionserver"
Execute this command on the HBase Master host machine:
su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf start master; sleep 25"
Execute this command on all RegionServers:
su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf start regionserver"
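A check that can be run on each agent host before the restart, to confirm that both edits above were made. This is an added example, not part of the original documentation. It assumes both files use the Hadoop-style `<configuration>`/`<property>` XML layout; the function names and the sample host `pm.example` are hypothetical.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

URL_PROP = "xasecure.hdfs.policymgr.url"  # property name as given in the steps above
SSL_PROPS = ("xasecure.policymgr.clientssl.keystore",
             "xasecure.policymgr.clientssl.keystore.password",
             "xasecure.policymgr.clientssl.truststore")

def load_props(path):
    """Read name/value pairs; assumes Hadoop-style <configuration><property> XML."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_agent_ssl(security_xml, ssl_xml):
    """Return a list of problems; an empty list means the edits look complete."""
    problems = []
    url = load_props(security_xml).get(URL_PROP, "")
    if not url.lower().startswith("https://"):
        problems.append(URL_PROP + " is not an https URL: " + repr(url))
    ssl = load_props(ssl_xml)
    for name in SSL_PROPS:
        value = ssl.get(name, "")
        if not value or value.startswith("$"):
            problems.append(name + " is unset or still a placeholder")
        elif not name.endswith(".password") and not os.path.isfile(value):
            problems.append(name + " points to a missing file: " + value)
    if os.stat(ssl_xml).st_mode & 0o004:  # this file holds the keystore password
        problems.append(ssl_xml + " is world-readable")
    return problems

def write_conf(path, props, mode=0o600):
    """Helper for the constructed demo: write props as a Hadoop-style config file."""
    body = "".join("<property><name>%s</name><value>%s</value></property>" % kv
                   for kv in props.items())
    with open(path, "w") as fh:
        fh.write("<configuration>" + body + "</configuration>")
    os.chmod(path, mode)

if __name__ == "__main__":
    d = tempfile.mkdtemp()  # constructed sample files, not a real agent host
    sec, ssl = os.path.join(d, "security.xml"), os.path.join(d, "ssl.xml")
    write_conf(sec, {URL_PROP: "http://pm.example:6080/service/assets/policyList/hbasedev"})
    write_conf(ssl, dict.fromkeys(SSL_PROPS, ""), mode=0o644)
    for line in check_agent_ssl(sec, ssl):
        print("FAIL:", line)
```

On a real host, call `check_agent_ssl` with the two paths from the steps above and restart only when it returns an empty list.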