Configure SSL for HttpFS

About this task

To configure SSL security for HttpFS, complete the following steps on a secure cluster:

Procedure

  1. Preserve the original server.xml file (in /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/) by copying it to server.xml.orig:
    sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.orig
  2. Replace server.xml with server.xml.https.
    sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.https /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml
  3. Verify that the following file exists: /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin

    This file may have been renamed to context.xml when PAM authentication was configured for HttpFS. To configure SSL for HttpFS, rename it back to context.xml.jpamLogin:

    mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
  4. To enable certificate-based authentication, perform the following steps:
    1. In web.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/web.xml), un-comment the following section:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Context</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>sample</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <security-role>
        <role-name>sample</role-name>
      </security-role>

      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
    2. Verify that tomcat-users.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/tomcat-users.xml) contains the roles and users in the certificates.
      <tomcat-users>
        <role rolename="sample"/>
        <user name="CN=<hostname>" password="null" roles="sample" />
      </tomcat-users>
      NOTE: The name value must match the subject of the client certificate. For example:
      <tomcat-users>
        <role rolename="sample"/>
        <user name="CN=www.mapr.com, OU=mapr, O=mapr, L=San Jose, ST=San Jose, C=CA" password="null" roles="sample" />
      </tomcat-users>
      You can run the following command to view the contents of the certificate file:
      openssl x509 -text -in /opt/mapr/hue/hue-<version>/cert.pem 
  5. Restart the HttpFS server.
    maprcli node services -name httpfs -action restart -nodes <space delimited list of nodes>
  6. Run one of the following curl commands to check that HTTPS is enabled. These commands fetch the file some_file.txt from MapR-FS under /user/mapr and attempt to open it securely over HTTPS.
    • Verify that HTTPS is enabled. The -k option skips verification of the server certificate, so this command confirms only that the HttpFS listener speaks TLS:

      curl -k "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"
    • If you also configure Hue to use SSL encryption with certificate-based authentication for communication with HttpFS, verify that HTTPS is enabled with certificate-based authentication:

      curl --cert /opt/mapr/hue/hue-<version>/cert.pem --key /opt/mapr/hue/hue-<version>/hue_private_keystore.pem "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"
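The following script is an added example, not part of the MapR documentation or the HttpFS distribution. It carries out steps 1 through 3 of the procedure above with the safeguards an operator would want (it refuses to overwrite an existing server.xml.orig backup on a second run, and it only renames context.xml when the PAM setup actually created it), and then checks whether the CLIENT-CERT login configuration from step 4 is present outside an XML comment in web.xml. The HTTPFS_HOME environment variable and the --run flag are assumptions of this example so that the functions can be exercised against a scratch directory before touching a live node.

```shell
#!/bin/sh
# Added example (not MapR's own tooling): install the HTTPS Tomcat
# configuration for HttpFS and sanity-check the result. HTTPFS_HOME is an
# assumed variable; it defaults to the HttpFS 1.0 layout used in the procedure.
set -eu

HTTPFS_HOME="${HTTPFS_HOME:-/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs}"
TOMCAT_CONF="$HTTPFS_HOME/tomcat/conf"
META_INF="$HTTPFS_HOME/tomcat/webapps/webhdfs/META-INF"
WEB_INF="$HTTPFS_HOME/tomcat/webapps/webhdfs/WEB-INF"

# Steps 1 and 2: keep a copy of the original server.xml, then install the
# HTTPS variant. An existing server.xml.orig is never overwritten, so running
# the script twice cannot replace the backup with the HTTPS file.
install_https_server_xml() {
  conf="$1"
  if [ ! -f "$conf/server.xml.https" ]; then
    echo "missing $conf/server.xml.https" >&2
    return 1
  fi
  if [ -e "$conf/server.xml.orig" ]; then
    echo "server.xml.orig already exists; keeping the existing backup" >&2
  else
    cp "$conf/server.xml" "$conf/server.xml.orig"
  fi
  cp "$conf/server.xml.https" "$conf/server.xml"
}

# Step 3: if PAM setup renamed context.xml.jpamLogin to context.xml, rename it
# back; in either case succeed only when context.xml.jpamLogin is present.
restore_jpam_context() {
  dir="$1"
  if [ -f "$dir/context.xml" ]; then
    mv "$dir/context.xml" "$dir/context.xml.jpamLogin"
  fi
  [ -f "$dir/context.xml.jpamLogin" ]
}

# Step 4 check: succeed when web.xml declares CLIENT-CERT outside an XML
# comment. Comment blocks are dropped line-wise, which assumes <!-- and -->
# sit on their own lines (as they do when a whole section is commented out).
client_cert_enabled() {
  sed '/<!--/,/-->/d' "$1" | grep -q '<auth-method>CLIENT-CERT</auth-method>'
}

main() {
  install_https_server_xml "$TOMCAT_CONF"
  restore_jpam_context "$META_INF"
  if client_cert_enabled "$WEB_INF/web.xml"; then
    echo "web.xml: certificate-based authentication is enabled"
  else
    echo "web.xml: the CLIENT-CERT section is still commented out" >&2
  fi
  # Step 5 is left to the operator; the maprcli command is the one from the procedure.
  echo "now restart HttpFS: maprcli node services -name httpfs -action restart -nodes <nodes>"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `HTTPFS_HOME=/path/to/scratch/copy sh configure-httpfs-ssl.sh --run` first to see what it would change, then against the real HttpFS directory on each node; the restart in step 5 and the curl checks in step 6 are still performed by hand.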