2.1. Set Up SSL on the HDFS Security Agent

The Security Agent for HDFS is installed on the NameNode. Perform these steps on the NameNode host.

Note

These steps require a private key for the HDP Security Agent (for client SSL verification) and a valid CA X509 Certificate in JKS format.

  1. Change the HDP Security Administration Server URL from HTTP to HTTPS in the Security Agent configuration file:

    1. Open the configuration file, /etc/hadoop/conf/xasecure-hdfs-security.xml, for editing.

    2. Change the value in the xasecure.hdfs.policymgr.url property from http to https and update the port as required.

      For example, if the current value is http://$hostname:6080/service/assets/policyList/$repository_name, change it to https://$hostname:6080/service/assets/policyList/$repository_name.

  2. Define the policymgr.clientssl properties in the Security Agent SSL configuration file, /etc/hadoop/conf/xasecure-policymgr-ssl.xml, as follows:

    xasecure.policymgr.clientssl.keystore = $JKS_file
    xasecure.policymgr.clientssl.keystore.password = $keystore_password
    xasecure.policymgr.clientssl.truststore = $CA_certificate_file

  3. After saving the configuration, restart the NameNode.

    1. On the NameNode host machine, execute the following command:

      su -l hdfs -c "/usr/lib/hadoop/sbin/hadoop-daemon.sh stop namenode"

      Ensure that the NameNode Service stops completely.

    2. On the NameNode host machine, execute the following command:

      su -l hdfs -c "/usr/lib/hadoop/sbin/hadoop-daemon.sh start namenode"

      Ensure that the NameNode Service starts correctly.
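A pre-restart check for steps 1 and 2, added here as an example and not part of the original documentation or the HDP product: it parses the two files and reports a policy manager URL that is still http, or a clientssl property that is missing or still holds a `$` placeholder. It assumes both files use the standard Hadoop `<configuration>`/`<property>` XML layout; the sample host name, paths and password are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED_SSL_PROPS = (
    "xasecure.policymgr.clientssl.keystore",
    "xasecure.policymgr.clientssl.keystore.password",
    "xasecure.policymgr.clientssl.truststore",
)

# Constructed sample input: step 1 was skipped (URL still http) and the
# truststore value is still the documentation placeholder.
SAMPLE_SECURITY_XML = """<configuration>
  <property><name>xasecure.hdfs.policymgr.url</name>
    <value>http://pm.example.com:6080/service/assets/policyList/hdfs_repo</value></property>
</configuration>"""
SAMPLE_SSL_XML = """<configuration>
  <property><name>xasecure.policymgr.clientssl.keystore</name>
    <value>/etc/hadoop/conf/agent-keystore.jks</value></property>
  <property><name>xasecure.policymgr.clientssl.keystore.password</name>
    <value>constructed-example-password</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore</name>
    <value>$CA_certificate_file</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from Hadoop-style configuration XML (assumed layout)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_agent_ssl(security_xml, ssl_xml):
    """Return a list of problems; an empty list means steps 1 and 2 look complete."""
    problems = []
    url = load_props(security_xml).get("xasecure.hdfs.policymgr.url", "")
    if urlparse(url).scheme.lower() != "https":
        problems.append("xasecure.hdfs.policymgr.url is not https: %r" % url)
    ssl_props = load_props(ssl_xml)
    for name in REQUIRED_SSL_PROPS:
        value = ssl_props.get(name, "")
        if not value or value.startswith("$"):
            problems.append("%s is unset or still a placeholder" % name)
    return problems

if __name__ == "__main__":
    for problem in check_agent_ssl(SAMPLE_SECURITY_XML, SAMPLE_SSL_XML):
        print("FAIL:", problem)
```

To check a live host, pass the contents of /etc/hadoop/conf/xasecure-hdfs-security.xml and /etc/hadoop/conf/xasecure-policymgr-ssl.xml to check_agent_ssl() before stopping the NameNode.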

