Connecting to Impala with TLS (SSL) Enabled

You can connect to the Impala data source with TLS/SSL network-level encryption to secure your data while working with your data source.

Prerequisites

For Impala:

Before you proceed, make sure that TLS is configured for Impala using either Cloudera Manager or the command-line interface.

Impala's TLS configuration requires an X.509 certificate that identifies the Impala daemon to clients during TLS connections. Production usage of TLS usually implies purchasing the necessary certificates from a commercial Certificate Authority (CA), while development environments can use self-signed certificates. If you have either a root CA certificate from the trusted CA or a self-signed certificate in PEM format, you can verify your Impala TLS configuration using the openssl utility:

openssl s_client -connect impala_host:port -CAfile certificate.pem

For Zoomdata Server:

There is no particular TLS-related configuration on the Zoomdata Server's side. However, the client must have a Java truststore with a correct certificate (for example, a root certificate provided by a CA) installed. To list all the certificates installed in the Java truststore, use the keytool utility:

keytool -v -list -keystore path_to_truststore -storetype jks -storepass truststore_password

Once you have the Java truststore configured, enabling SSL from Zoomdata's perspective is a matter of composing the correct JDBC URL.

Creating a JDBC URL with the TLS parameters

To specify the TLS-related parameters, use the following template for a JDBC URL:

jdbc:hive2://impala_host:port/;ssl=true;sslTrustStore=path_to_truststore;trustStorePassword=truststore_password;auth=noSasl

Where:

  • ssl=true is the required parameter for enabling TLS encryption

  • path_to_truststore is the path to a Java truststore which contains either a certificate issued by a trusted CA or a self-signed certificate (not recommended and shouldn't be used in a production environment)

    Make sure that the Zoomdata Server process has "Read" access privileges to the truststore file.

  • truststore_password is the password to access the truststore

  • auth=noSasl is the required parameter when no authentication or simple user/password authentication is used

Using TLS Encryption along with Kerberos Authentication

Refer to the Connecting to Impala on Kerberized CDH cluster article for more details on enabling Kerberos authentication. The template for a JDBC URL containing both TLS and Kerberos parameters is as follows:

jdbc:hive2://impala_host:port/;principal=impala_principal;ssl=true;sslTrustStore=path_to_truststore;trustStorePassword=truststore_password

Keep in mind that you don't have to specify the auth=noSasl parameter when using Kerberos authentication.
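
The two JDBC URL templates above (TLS with auth=noSasl, and TLS with Kerberos) can be composed and checked with a small script. This is an added example, not Zoomdata or Impala tooling: every function name is a hypothetical helper, the sample hostname, port, path and password are constructed, and rejecting values that contain ';' or a space is a conservative assumption based on ';' being the parameter separator in the templates.

```shell
#!/bin/sh
# Added example: hypothetical helpers for the JDBC URL templates on this page.

# Reject empty values and values containing ';' or a space: ';' separates
# parameters in the template, and a stray space breaks the URL.
valid_jdbc_value() {
  case "$1" in
    ''|*\;*|*' '*) return 1 ;;
    *) return 0 ;;
  esac
}

# Usage: build_impala_jdbc_url HOST PORT TRUSTSTORE PASSWORD [KERBEROS_PRINCIPAL]
build_impala_jdbc_url() {
  host=$1 port=$2 store=$3 pass=$4 principal=${5:-}
  for v in "$host" "$port" "$store" "$pass"; do
    valid_jdbc_value "$v" || { echo "invalid JDBC value" >&2; return 1; }
  done
  case "$port" in *[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
  tls="ssl=true;sslTrustStore=${store};trustStorePassword=${pass}"
  if [ -n "$principal" ]; then
    valid_jdbc_value "$principal" || { echo "invalid principal" >&2; return 1; }
    # Kerberos template: principal is added and auth=noSasl is omitted.
    printf 'jdbc:hive2://%s:%s/;principal=%s;%s\n' "$host" "$port" "$principal" "$tls"
  else
    # No authentication or simple user/password: auth=noSasl is required.
    printf 'jdbc:hive2://%s:%s/;%s;auth=noSasl\n' "$host" "$port" "$tls"
  fi
}

# Mask the truststore password before the URL is written to a log or ticket.
redact_jdbc_url() {
  printf '%s\n' "$1" | sed 's/\(trustStorePassword=\)[^;]*/\1****/'
}

# The Zoomdata Server process needs read access to the truststore file;
# run this check as the account that the server process uses.
truststore_readable() {
  [ -f "$1" ] && [ -r "$1" ]
}

# Constructed sample values (hostname, port, path and password are made up).
url=$(build_impala_jdbc_url impala.example.internal 21050 /tmp/truststore.jks changeit)
redact_jdbc_url "$url"
```

The URL carries the truststore password in cleartext, so pass only the output of redact_jdbc_url to logs or support tickets.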