Ambari install - using password protected keys
The certificate and key are in PEM format, with a passphrase encrypting the key.
In Ambari, make the following changes in the UI to specify the cert and key:
Currently, the Arcadia stack installation does not allow specifying the passphrase to use, so restarting the service causes ArcEngine to fail to start with a stack trace indicating a bad password. However, adding the required option (ssl_private_key_password_cmd) to the ArcEngine optional parameters box (see below) allowed the service to start successfully.
Note: The value for the option needs to be an executable that returns the password to use.
Example script using “echo” command to output the passphrase as a text string:
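Added example, not from the original page: a password command that, instead of echoing a hard-coded string, prints the passphrase from a file and refuses to run if that file is readable by anyone but its owner. The function names and the passfile path passed as the first argument are assumptions, as is the option accepting a command line with an argument.

```shell
#!/bin/sh
# Added example: a password command for ssl_private_key_password_cmd.
# Usage (script name and path are placeholders): key-passphrase.sh /path/to/key.pass

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print the passphrase stored on the first line of the file given as $1.
# Fails, printing nothing on stdout, unless the file is a regular file
# (not a symlink) with mode 400 or 600 and a non-empty first line.
print_key_passphrase() {
    f="$1"
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "passfile missing or not a regular file: $f" >&2
        return 1
    fi
    mode=$(file_mode "$f") || return 1
    case "$mode" in
        400|600) ;;
        *)  echo "refusing $f: mode $mode, expected 400 or 600" >&2
            return 1 ;;
    esac
    pass=""
    # read returns non-zero when the last line has no newline; keep what it read.
    IFS= read -r pass < "$f" || :
    if [ -z "$pass" ]; then
        echo "passfile is empty: $f" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

# Run only when a passfile argument is given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    print_key_passphrase "$1"
fi
```

Keep the passfile owned by the account that runs ArcEngine so that both the mode check and the read succeed.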
Then change the socket type to SSL or SSL with certificate; however, the connection is made successfully…
Checking in the arcengine log, I can see that the values specified in Ambari were picked up on restart:
You should also be able to see that SSL is being used: for example, at the end of a query, the arcengine log shows the session shutting down and closing, and logs “SSL_shutdown”:
I0121 15:25:22.083592 28264 status.cc:122] Session closed
@ 0x8c5979 impala::Status::Status()
@ 0xb8dfaa impala::ImpalaServer::CloseSessionInternal()
@ 0xb8e6f8 impala::ImpalaServer::ConnectionEnd()
@ 0xaae860 impala::ThriftServer::ThriftServerEventProcessor::deleteContext()
@ 0x1c505d3 apache::thrift::server::TThreadPoolServer::Task::run()
@ 0x1c37639 apache::thrift::concurrency::ThreadManager::Worker::run()
@ 0xab4be9 impala::ThriftThread::RunRunnable()
@ 0xab59c2 boost::detail::function::void_function_obj_invoker0<>::invoke()
@ 0xcc3a32 impala::SuperviseThread()
@ 0xcc4194 boost::detail::thread_data<>::run()
@ 0xf5b46a thread_proxy
@ 0x7f3223fdce25 start_thread
@ 0x7f3223d06bad __clone
I0121 15:25:22.083717 28264 thrift-util.cc:123] SSL_shutdown: error code: 0