Connect to Impala with TLS (SSL) Enabled
This applies to: Visual Data Discovery
You can connect to the Impala data source with TLS/SSL network-level encryption, so that data in transit between Symphony and the data source is protected while you work with it.
Prerequisites
For Impala:
- Before you proceed, make sure that TLS is configured for Impala using either Cloudera Manager or the command-line interface.
- Impala's TLS configuration requires an X.509 certificate that identifies the Impala daemon to clients during TLS connections. Production usage of TLS usually implies purchasing the necessary certificates from a commercial Certificate Authority (CA), while development environments can use self-signed certificates. If you have either the root CA certificate of the trusted CA or the self-signed certificate in PEM format, you can verify your Impala TLS configuration using the openssl utility:
  openssl s_client -connect <impala_host>:<port> -CAfile <certificate.pem>
For Symphony Server/Impala Connector:
- There is no particular TLS configuration on the Symphony side. However, the client must have a Java truststore containing the correct certificate (for example, a root certificate provided by the CA that issued the Impala certificate), and that truststore must be accessible to the Symphony Server/Impala connector process.
- To list all the certificates installed in the Java truststore, use the keytool utility:
  keytool -v -list -keystore <path_to_truststore> -storetype jks -storepass <truststore_password>
After you have the Java truststore configured, enabling SSL from Symphony’s perspective is a matter of composing the correct JDBC URL.
Creating a JDBC URL with the TLS Parameters
To specify the TLS-related parameters, use the following template for a JDBC URL (all on one line, with no spaces after the semicolons):
jdbc:hive2://<impala_host>:<port>/;ssl=true;sslTrustStore=<path_to_truststore>;trustStorePassword=<truststore_password>;auth=noSasl
where:
- ssl=true is a required parameter for enabling TLS encryption.
- path_to_truststore is the path to a Java truststore which contains either a certificate issued by a trusted CA or a self-signed certificate (not recommended and shouldn't be used in a production environment). Make sure that the Symphony server/connector process has read access privileges to the truststore file.
- truststore_password is the password to access the truststore.
- auth=noSasl is a required parameter when no authentication or simple user/password authentication is used.
Use TLS Encryption with Kerberos Authentication
See Connect to a Kerberized CDH Cluster for more details on enabling Kerberos authentication. The template for a JDBC URL containing both TLS and Kerberos parameters is as follows:
jdbc:hive2://<impala_host>:<port>/;principal=<impala_principal>;ssl=true;sslTrustStore=<path_to_truststore>;trustStorePassword=<truststore_password>
You do not need to specify the auth=noSasl parameter when using Kerberos authentication.
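The following added example (not part of this documentation or of Symphony) composes both URL templates above, the noSasl one and the Kerberos one, and sanity-checks an existing URL against the rules on this page: ssl=true present, truststore path readable by the calling process, no stray whitespace, and auth=noSasl used only when no principal is given. Function names, the host impala.example.com and the port 21050 are assumptions chosen for the example.

```python
import os

# Added example for this page. The helper names are assumptions and are not
# part of Symphony or of the Impala/Hive JDBC driver.


def build_impala_jdbc_url(host, port, truststore_path, truststore_password,
                          principal=None):
    """Compose the URL: Kerberos template if principal is given, else noSasl."""
    params = []
    if principal:
        # Kerberos template: principal comes first and auth=noSasl is omitted
        params.append(f"principal={principal}")
    params += ["ssl=true",
               f"sslTrustStore={truststore_path}",
               f"trustStorePassword={truststore_password}"]
    if not principal:
        # Required when no authentication or simple user/password is used
        params.append("auth=noSasl")
    return f"jdbc:hive2://{host}:{port}/;" + ";".join(params)


def check_impala_jdbc_url(url, check_file=True):
    """Return a list of problems found in an existing URL (empty list = OK)."""
    problems = []
    if not url.startswith("jdbc:hive2://"):
        problems.append("scheme must be jdbc:hive2://")
    if any(ch.isspace() for ch in url):
        # A space after ';' (a copy/paste line-wrap artefact) breaks parsing
        problems.append("URL contains whitespace")
    _, _, tail = url.partition("/;")
    params = dict(p.split("=", 1) for p in tail.split(";") if "=" in p)
    if params.get("ssl") != "true":
        problems.append("ssl=true is required for TLS")
    store = params.get("sslTrustStore")
    if store is None:
        problems.append("sslTrustStore is missing")
    elif check_file and not os.access(store, os.R_OK):
        # The Symphony server/connector process needs read access to the file
        problems.append(f"truststore {store} is not readable by this process")
    if "trustStorePassword" not in params:
        problems.append("trustStorePassword is missing")
    kerberos = "principal" in params
    if kerberos and params.get("auth") == "noSasl":
        problems.append("auth=noSasl must not be combined with principal=")
    if not kerberos and params.get("auth") != "noSasl":
        problems.append("auth=noSasl is required without Kerberos")
    return problems


if __name__ == "__main__":
    url = build_impala_jdbc_url("impala.example.com", 21050,
                                "/etc/symphony/truststore.jks", "changeit")
    print(url)
    print(check_impala_jdbc_url(url))
```

Run with check_file=False to validate only the URL text on a machine that does not hold the truststore.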