Connecting to Impala with TLS (SSL) Enabled
You can connect to the Impala data source with TLS/SSL network-level encryption to secure your data while working with your data source.
- Before you proceed, make sure that TLS is configured for Impala using either Cloudera Manager or the Command Line interface.
Impala's TLS configuration requires an X.509 certificate that identifies the Impala daemon to clients during TLS connections. Production usage of TLS usually implies purchasing the necessary certificates from a commercial Certificate Authority (CA), while development environments can use self-signed certificates. If you have either a rootCA from the trusted CA or a self-signed certificate in PEM format, you can verify your Impala TLS configuration using the openssl command:
openssl s_client -connect impala_host:port -CAfile certificate.pem
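The openssl s_client check above, wrapped so that it fails closed (an added example, not part of the original page; the function names are hypothetical and the sample outputs are constructed). s_client continues the handshake even when chain verification fails, so the script parses every Verify return code line and also asks OpenSSL to match the certificate against the hostname.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): fail-closed wrapper around the
# `openssl s_client` check. impala_host, port and certificate.pem are the
# page's placeholders; the function names are hypothetical.

# Succeed only if every "Verify return code" line reports 0 (ok).
# TLS 1.3 sessions can print the verdict more than once, so check all of them.
# Returns 1 on a verification failure, 2 if no verdict was printed at all.
tls_verify_ok() {
  codes=$(printf '%s\n' "$1" |
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p')
  [ -n "$codes" ] || return 2
  for c in $codes; do
    [ "$c" -eq 0 ] || return 1
  done
  return 0
}

# Connect, verify the chain against the CA file and the certificate's hostname.
check_impala_tls() {
  host=$1; port=$2; cafile=$3
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>&1)
  tls_verify_ok "$out"
}

# Constructed s_client output fragments (not captured from a real server).
SAMPLE_OK='SSL handshake has read 1500 bytes and written 400 bytes
Verification: OK
    Verify return code: 0 (ok)
    Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='SSL handshake has read 1500 bytes and written 400 bytes
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_REFUSED='connect:errno=111'

# Run against a live daemon only when host, port and CA file are supplied.
if [ "$#" -eq 3 ]; then
  check_impala_tls "$1" "$2" "$3" && echo "TLS verification passed"
fi
```

Run it as: script impala_host port certificate.pem. A non-zero exit status means the certificate was not verified against the supplied CA file or hostname, or no TLS session was established.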
For Zoomdata Server/Impala Connector:
- There is no particular configuration related to TLS from the point of view of Zoomdata components. However, the client must have a Java truststore with a correct certificate (for example, a root certificate provided by some CA) installed. This means that the truststore must be accessible to the Zoomdata Server/Impala connector.
To list all the certificates installed in the Java truststore, use the keytool command:
keytool -v -list -keystore path_to_truststore -storetype jks -storepass truststore_password
Once you have the Java truststore configured, enabling SSL from Zoomdata’s perspective is a matter of composing the correct JDBC URL.
Creating a JDBC URL with the TLS parameters
To specify the TLS-related parameters, use the following template for a JDBC URL:
- ssl=true is a required parameter for enabling TLS encryption.
- path_to_truststore is the path to a Java truststore which contains either a certificate issued by a trusted CA or a self-signed certificate (not recommended and shouldn’t be used in a production environment).
- truststore_password is the password to access the truststore.
- auth=noSasl is a required parameter when no authentication or simple user/password authentication is used.
See Connecting to a Kerberized CDH Cluster for details on enabling Kerberos authentication. The template for a JDBC URL containing both TLS and Kerberos parameters is as follows:
auth=noSasl parameter when using Kerberos authentication.