The Security Agent for HDFS is installed on the NameNode. Perform these steps on the NameNode host.
Note: These steps require a private key for the HDP Security Agent (for client SSL verification) and a valid CA X509 Certificate in JKS format.
Change the HDP Security Administration Server URL from HTTP to HTTPS in the Security Agent configuration file:
Open the configuration file, /etc/hadoop/conf/xasecure-hdfs-security.xml, for editing.
Change the value of the xasecure.hdfs.policymgr.url property from http to https and update the port as required.
For example, if the current value is http://$hostname:6080/service/assets/policyList/$repository_name, change it to https://$hostname:6080/service/assets/policyList/$repository_name.
Define the SSL policymgr.clientssl properties in the Security Agent SSL configuration file, /etc/hadoop/conf/xasecure-policymgr-ssl.xml, as follows:
xasecure.policymgr.clientssl.keystore = $JKS_file
xasecure.policymgr.clientssl.keystore.password = $keystore_password
xasecure.policymgr.clientssl.truststore = $CA_certificate_file
After saving the configuration, restart the NameNode.
On the NameNode host machine, execute the following command:
su -l hdfs -c "/usr/lib/hadoop/sbin/hadoop-daemon.sh stop namenode"
Ensure that the NameNode Service stops completely.
On the NameNode host machine, execute the following command:
su -l hdfs -c "/usr/lib/hadoop/sbin/hadoop-daemon.sh start namenode"
Ensure that the NameNode Service starts correctly.
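The edits to the two configuration files can be checked before the NameNode is restarted. The following is an added example, not part of the HDP documentation: it assumes both files use the standard Hadoop configuration/property XML layout, and the host, repository name, file paths and password in the sample input are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Property names are the ones this page configures.
URL_PROP = "xasecure.hdfs.policymgr.url"
SSL_PREFIX = "xasecure.policymgr.clientssl."
SSL_PROPS = tuple(SSL_PREFIX + s for s in ("keystore", "keystore.password", "truststore"))

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_agent_ssl(security_xml, ssl_xml):
    """Return a list of problems; an empty list means both files look consistent."""
    problems = []
    url = load_props(security_xml).get(URL_PROP, "")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"{URL_PROP} must use https, found {url!r}")
    elif not parsed.hostname or "$" in url:
        problems.append(f"{URL_PROP} has no host or an unfilled placeholder: {url!r}")
    ssl_props = load_props(ssl_xml)
    for name in SSL_PROPS:
        value = ssl_props.get(name, "")
        # A leading "$" means a placeholder from the instructions was never filled in.
        if not value or value.startswith("$"):
            problems.append(f"{name} is unset or still a placeholder")
    return problems

def make_conf(props):  # builds a constructed sample document from a dict
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample input (host, repository name, paths and password are made up).
PATH = "policy.example.com:6080/service/assets/policyList/hadoopdev"
OLD_SECURITY = make_conf({URL_PROP: "http://" + PATH})
NEW_SECURITY = make_conf({URL_PROP: "https://" + PATH})
GOOD_SSL = make_conf(dict(zip(SSL_PROPS, ["/etc/hadoop/conf/agent.jks", "example-password", "/etc/hadoop/conf/ca.jks"])))
UNFILLED_SSL = make_conf({SSL_PROPS[0]: "$JKS_file", SSL_PROPS[1]: ""})

if __name__ == "__main__":
    for label, sec, ssl in [("before", OLD_SECURITY, UNFILLED_SSL), ("after", NEW_SECURITY, GOOD_SSL)]:
        print(label, check_agent_ssl(sec, ssl) or "OK")
```

On the NameNode host, pass the contents of the two real files to check_agent_ssl in place of the samples.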