TLS/SSL for when client applications connect to Arcadia Engine

To enable Beeswax and HiveServer2 for SSL/TLS.

Once set up, within the Arcadia visualization server you can switch over to the SSL socket type in the connection settings.

If running Cloudera Manager, then ensure the following settings are enabled:

  • Enable TLS/SSL (check that box)
  • TLS/SSL Server Certificate File (PEM Format)
  • TLS/SSL Server Private Key File (PEM Format)

On other systems, you can set the following ArcEngine command line arguments:

  • --ssl_server_certificate: the full path to the server certificate, on the local filesystem.
  • --ssl_private_key: the full path to the server private key, on the local filesystem.

For example, on Ambari installations, you can specify them here:

- or -

manually through optional parameters:


Ambari install - using password protected keys

Certificate and key in PEM format and with a passphrase encrypting it.
In Ambari, make the below changes in the UI to specify the cert and key:

Currently the Arcadia stacks installation does not allow specifying the passphrase to use; restarting the service will cause ArcEngine to fail to start with a stack trace indicating a bad password. However, by adding the required option (ssl_private_key_password_cmd) into the ArcEngine optional parameters box (see below), the service started successfully.

Note: The value for the option needs to be an executable that returns the password to use.
Example script using “echo” command to output the passphrase as a text string:

#!/bin/bash
echo passphrase

Then change the socket type to SSL or SSL with certificate; however, the connection is made successfully…


Checking in the arcengine log, I can see that the values specified in Ambari were picked up on restart:

--ssl_private_key=/etc/security/serverKeys/keystore_privatekey.pem
--ssl_private_key_password_cmd=/etc/security/serverKeys/passphrase_cmd
--ssl_server_certificate=/etc/security/serverKeys/keystore_certificate.pem

You should also be able to see that SSL is being used, e.g. at the end of a query the arcengine logs show the session shutting down and closing, and logging “SSL_shutdown”:

I0121 15:25:22.083592 28264 status.cc:122] Session closed
@ 0x8c5979 impala::Status::Status()
@ 0xb8dfaa impala::ImpalaServer::CloseSessionInternal()
@ 0xb8e6f8 impala::ImpalaServer::ConnectionEnd()
@ 0xaae860 impala::ThriftServer::ThriftServerEventProcessor::deleteContext()
@ 0x1c505d3 apache::thrift::server::TThreadPoolServer::Task::run()
@ 0x1c37639 apache::thrift::concurrency::ThreadManager::Worker::run()
@ 0xab4be9 impala::ThriftThread::RunRunnable()
@ 0xab59c2 boost::detail::function::void_function_obj_invoker0<>::invoke()
@ 0xcc3a32 impala::thread::SuperviseThread()
@ 0xcc4194 boost::detail::thread_data<>::run()
@ 0xf5b46a thread_proxy
@ 0x7f3223fdce25 start_thread
@ 0x7f3223d06bad __clone
I0121 15:25:22.083717 28264 thrift-util.cc:123] SSL_shutdown: error code: 0

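The post above notes that the value of ssl_private_key_password_cmd must be an executable that returns the password. The following is an added example, not part of the original posts and not Arcadia's own code, of such a command that keeps the passphrase out of the script and refuses to read it from a file that group or other users can access. The variable PASSPHRASE_FILE, its default path, and the function names perms_ok and print_passphrase are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not Arcadia's code. Install as the executable named by
# --ssl_private_key_password_cmd (passphrase_cmd on this page).
# Assumption: the passphrase sits on the first line of PASSPHRASE_FILE.
PASSPHRASE_FILE="${PASSPHRASE_FILE:-/etc/security/serverKeys/passphrase.txt}"

# Succeed only for a regular file (not a symlink) whose mode grants nothing
# to group or others, e.g. 0600 or 0400.
perms_ok() {
    # ls -ld prints the type and permission bits first: "-rw-------"
    perm=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the first line of the passphrase file, or fail with a non-zero
# status and a message on stderr without printing anything to stdout.
print_passphrase() {
    if ! perms_ok "$1"; then
        echo "passphrase_cmd: $1 must be a regular file with mode 0600 or stricter" >&2
        return 1
    fi
    head -n 1 -- "$1"
}

# Act only when run under the command name used on this page, so the
# functions can be sourced and tested without side effects.
case "${0##*/}" in
    passphrase_cmd) print_passphrase "$PASSPHRASE_FILE" || exit 1 ;;
esac
```

Create the passphrase file with chmod 600, owned by the account that runs ArcEngine, before restarting the service.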