Security

Enable SSL on WebHBase and the HBase REST API

Perform the following task to enable SSL on WebHBase and the HBase REST API.

Note

To access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required; see Configure SSL for Knox.

  1. Verify that the HBase REST API is running. On the HBase Master, run:

    curl http://localhost:60080/

    If the REST daemon is not running on that port, run the following command to start it:

    sudo /usr/hdp/version/hbase/bin/hbase-daemon.sh start rest -p 60080

  2. Create and install an SSL certificate for HBase. For example, to use a self-signed certificate:

    1. Create an HBase keystore:

      su -l hbase -c "keytool -genkey -alias hbase -keyalg RSA -keysize 2048 -keystore hbase.jks"
    2. Export the certificate:

      su -l hbase -c "keytool -exportcert -alias hbase -file certificate.cert -keystore hbase.jks"
    3. Add the certificate to the Java keystore:

      • If you are not root, run:

        sudo keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts 
      • If you are root:

        keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts 
  3. Add the following properties to the hbase-site.xml configuration file on each node in your HBase cluster:

    <property>
        <name>hbase.ssl.enabled</name>
        <value>true</value>
    </property>
    
    <property>
        <name>hadoop.ssl.enabled</name>
        <value>true</value>
    </property>
                                
    <property>
        <name>hbase.rest.ssl.enabled</name>
        <value>true</value>
    </property>
    
    <property>
        <name>hbase.rest.ssl.keystore.store</name>
        <value>/path/to/keystore</value>
    </property>
    
    <property>
        <name>hbase.rest.ssl.keystore.password</name>
        <value>keystore-password</value>
    </property>
    
    <property>
        <name>hbase.rest.ssl.keystore.keypassword</name>
        <value>key-password</value>
    </property>

  4. Restart all HBase nodes in the cluster.
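A pre-restart check for the properties in step 3, as an added example that is not part of the original documentation or of HBase: it parses hbase-site.xml and reports SSL switches that are not true, keystore settings that are missing or still hold the placeholder values shown above, and a keystore path that does not exist. The function names and the world-readable file check (the keystore passwords sit in this file in cleartext) are assumptions of this example.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Properties from step 3 that must be "true".
REQUIRED_TRUE = ("hbase.ssl.enabled", "hadoop.ssl.enabled", "hbase.rest.ssl.enabled")
# Properties from step 3 whose documentation placeholder must be replaced.
PLACEHOLDERS = {
    "hbase.rest.ssl.keystore.store": "/path/to/keystore",
    "hbase.rest.ssl.keystore.password": "keystore-password",
    "hbase.rest.ssl.keystore.keypassword": "key-password",
}


def load_properties(site_path):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    props = {}
    for prop in ET.parse(site_path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_site(site_path):
    """Added example (not HBase code): return findings; an empty list means complete."""
    props = load_properties(site_path)
    findings = []
    for name in REQUIRED_TRUE:
        if props.get(name, "").lower() != "true":
            findings.append(f"{name} is not set to true")
    for name, placeholder in PLACEHOLDERS.items():
        value = props.get(name)
        if not value:
            findings.append(f"{name} is missing or empty")
        elif value == placeholder:
            findings.append(f"{name} still holds the placeholder value")
        elif name == "hbase.rest.ssl.keystore.store" and not os.path.isfile(value):
            findings.append(f"keystore file not found: {value}")
    # Assumption of this example: a file holding cleartext passwords should not be world-readable.
    if os.stat(site_path).st_mode & stat.S_IROTH:
        findings.append(f"{site_path} is world-readable")
    return findings


if __name__ == "__main__":
    for finding in audit_site(sys.argv[1]):
        print("FINDING:", finding)
```

Run it on each node with the path to that node's hbase-site.xml as the only argument; no output means every check passed.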

Note

For clusters using self-signed certificates: Define the truststore as a custom property on the JVM. If the self-signed certificate is not added to the system truststore (cacerts), specify the Java KeyStore (.jks) file containing the certificate in applications by setting the javax.net.ssl.trustStore system property. Pass the following JVM argument in the application client container to use a self-signed certificate in a .jks file:

-Djavax.net.ssl.trustStore=/path/to/keystore