Hi All,
I tried to enable TLS on Impala version 3.4.0 and I have the questions below.

1. Should I pass the FQDN as the common name for the certificates on each machine where the Impala cluster is running? (Without passing the common name I got this error:

   F1214 08:54:08.705145 4829 catalogd-main.cc:87] RPC Error: Client for 192.168.33.11:15423 hit an unexpected exception: authorize: cannot authorize peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc: N6impala27TRegisterSubscriberResponseE, send: not done.)

2. Is it required to pass the FQDN for the host-type startup arguments after enabling TLS? (Examples are given below; the hostname-type startup arguments are highlighted with asterisks.)

I followed the steps below to enable TLS on a 3-node Impala cluster.

1. Certificate generation steps:

   I. Generate CA:
      openssl req -x509 -new -keyout ca-key -out ca-cert -passin "pass:myit123" -passout "pass:myit123" -subj "/C=SL/ST=Colombo/L=Colombo/O=MyIT/OU=IT/CN=RootCA.com/emailAddress=m...@myit.com"

   II. Generate private key:
      openssl genrsa -out private.key 2048 -noout

   III. Generate certificate signing request:
      openssl req -new -key private.key -out $(hostname -f)-server.csr -passin "pass:myit123" -subj "/C=LS/ST=Colombo/L=Colombo/O=MyIT/OU=IT/CN=$(hostname -f)/emailAddress=m...@myit.com"

   IV. Sign the private key and issue the public key:
      openssl x509 -req -passin "pass:myit123" -in $(hostname -f)-server.csr -CA ca-cert -CAkey ca-key -CAcreateserial -out public.key -days 365*2

   Note: steps II, III and IV were repeated on each machine where the Impala cluster is running (certificates were generated for each machine by passing the FQDN as the common name).

2. StatestoreD startup arguments, run on 192.168.33.11 (host01.myit.com):
   statestored -state_store_subscriber_port=15424 -state_store_host=192.168.33.11 -abort_on_config_error=false -webserver_port=15425 -state_store_port=15423 -ssl_server_certificate=/home/senal/public.key -ssl_private_key=/home/senal/private.key -ssl_client_ca_certificate=/home/senal/ca-cert -log_dir=/home/senal/logs

3. CatalogD startup arguments, run on 192.168.33.11 (host01.myit.com):
   catalogd -catalog_service_port=15426 *-state_store_host=host01.myit.com* -abort_on_config_error=false -webserver_port=15427 -state_store_port=15423 -ssl_server_certificate=/home/senal/public.key -catalog_service_host=192.168.33.11 -ssl_private_key=/home/senal/private.key -ssl_client_ca_certificate=/home/senal/ca-cert -log_dir=/home/senal/logs

4. ImpalaD1 startup arguments, run on 192.168.33.11 (host01.myit.com):
   impalad -catalog_service_port=15426 -fe_service_threads=800 *-state_store_host=host01.myit.com* -abort_on_config_error=false -hs2_http_port=15429 -state_store_port=15423 *-catalog_service_host=host01.myit.com* -hs2_port=15428 -beeswax_port=15432 -be_port=15433 -state_store_subscriber_port=15424 -scratch_dirs=/home/senal/tmp -webserver_port=15430 -kudu_master_hosts=192.168.33.11:15401,192.168.33.12:15401,192.168.33.10:15401 -ssl_server_certificate=/home/senal/public.key -ssl_private_key=/home/senal/private.key -ssl_client_ca_certificate=/home/senal/ca-cert -krpc_port=15431 -log_dir=/home/senal/logs

   Impala shell login:
   impala-shell -i host01.myit.com:15432 --ca_cert /home/senal/ca-cert --ssl

5. ImpalaD2 startup arguments, run on 192.168.33.12 (host02.myit.com):
   impalad -catalog_service_port=15426 -fe_service_threads=800 *-state_store_host=host01.myit.com* -abort_on_config_error=false -hs2_http_port=15429 -state_store_port=15423 *-catalog_service_host=host01.myit.com* -hs2_port=15428 -beeswax_port=15432 -be_port=15433 -state_store_subscriber_port=15424 -scratch_dirs=/home/senal/tmp -webserver_port=15430 -kudu_master_hosts=192.168.33.11:15401,192.168.33.12:15401,192.168.33.10:15401 -ssl_server_certificate=/home/senal/public.key -ssl_private_key=/home/senal/private.key -ssl_client_ca_certificate=/home/senal/ca-cert -krpc_port=15431 -log_dir=/home/senal/logs

   Impala shell login:
   impala-shell -i host02.myit.com:15432 --ca_cert /home/senal/ca-cert --ssl

6. ImpalaD3 startup arguments, run on 192.168.33.10 (host03.myit.com):
   impalad -catalog_service_port=15426 -fe_service_threads=800 *-state_store_host=host01.myit.com* -abort_on_config_error=false -hs2_http_port=15429 -state_store_port=15423 *-catalog_service_host=host01.myit.com* -hs2_port=15428 -beeswax_port=15432 -be_port=15433 -state_store_subscriber_port=15424 -scratch_dirs=/home/senal/tmp -webserver_port=15430 -kudu_master_hosts=192.168.33.11:15401,192.168.33.12:15401,192.168.33.10:15401 -ssl_server_certificate=/home/senal/public.key -ssl_private_key=/home/senal/private.key -ssl_client_ca_certificate=/home/senal/ca-cert -krpc_port=15431 -log_dir=/home/senal/logs

   Impala shell login:
   impala-shell -i host03.myit.com:15432 --ca_cert /home/senal/ca-cert --ssl

Thanks & Regards,
Senal Weerasinghe
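The first question above (whether the certificate's common name must be the host's FQDN) can be checked before any daemon is started: issue a per-host certificate whose subject CN and subjectAltName both carry the FQDN, then verify with openssl that the certificate chains to the CA and that it is valid for the hostname a peer will connect to. The script below is an added example and is not the poster's own command set or anything shipped with Impala. It assumes an openssl binary with `-verify_hostname` support (OpenSSL 1.1.0 or later); the working directory, organisation name, CA passphrase and host names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: issue a CA-signed server certificate for one FQDN and verify
# chain + hostname the way a TLS peer does. Not from the original post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"     # constructed: scratch directory for keys/certs
CA_PASS="pass:demo-ca-pass"            # constructed demo passphrase, not a real secret

# Create a self-signed CA (encrypted key + cert) in $WORKDIR once.
make_ca() {
  [ -f "$WORKDIR/ca-cert" ] && return 0
  openssl req -x509 -new -newkey rsa:2048 -days 3650 \
    -keyout "$WORKDIR/ca-key" -out "$WORKDIR/ca-cert" \
    -passout "$CA_PASS" \
    -subj "/O=Demo/CN=Demo Root CA"
}

# Issue a server certificate for FQDN $1: private key, CSR with CN=$1, and a
# CA-signed cert that also carries the FQDN in subjectAltName, because modern
# TLS clients match the hostname against the SAN, not the CN.
issue_host_cert() {
  fqdn="$1"
  make_ca
  openssl genrsa -out "$WORKDIR/$fqdn.key" 2048
  openssl req -new -key "$WORKDIR/$fqdn.key" -out "$WORKDIR/$fqdn.csr" \
    -subj "/O=Demo/CN=$fqdn"
  # Extension file applied at signing time; the CSR alone does not carry it.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$fqdn" \
    > "$WORKDIR/$fqdn.ext"
  openssl x509 -req -in "$WORKDIR/$fqdn.csr" \
    -CA "$WORKDIR/ca-cert" -CAkey "$WORKDIR/ca-key" -passin "$CA_PASS" \
    -CAcreateserial -days 730 -extfile "$WORKDIR/$fqdn.ext" \
    -out "$WORKDIR/$fqdn.crt"
}

# Return 0 only if certificate $1 chains to the demo CA *and* is valid for
# hostname $2; a CN/SAN that does not match the connecting name fails here,
# which is the same condition a peer rejects during the TLS handshake.
verify_host_cert() {
  cert="$1"; host="$2"
  openssl verify -CAfile "$WORKDIR/ca-cert" -verify_hostname "$host" "$cert" \
    >/dev/null 2>&1 || return 1
  return 0
}

# Usage: sh issue_host_cert.sh host01.example.com [host02.example.com ...]
for fqdn in "$@"; do
  issue_host_cert "$fqdn"
  if verify_host_cert "$WORKDIR/$fqdn.crt" "$fqdn"; then
    echo "OK: $WORKDIR/$fqdn.crt chains to the CA and matches $fqdn"
  else
    echo "FAIL: $WORKDIR/$fqdn.crt does not verify for $fqdn" >&2
  fi
done
```

Run it once per node with that node's `hostname -f`; a certificate that passes `verify_host_cert` for the name peers use in `-state_store_host` and `-catalog_service_host` is one the other daemons can authorize, while a certificate issued without the FQDN (or one verified against a bare IP address when only a DNS name is in the SAN) fails the same check.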