This is the documentation for CDH 4.6.0.
Documentation for other versions is available at Cloudera Documentation.

Configuring Oozie to use SSL (HTTPS)

  Important:

The default HTTPS configuration will cause all Oozie URLs to use HTTPS (except for the JobTracker callback URLs, but this is okay because Oozie doesn't inherently trust the callbacks anyway; they are used as hints). This is to simplify configuration (no changes are needed outside of Oozie).

You can use either a certificate from a Certificate Authority or a Self-Signed Certificate. Please follow the first or second section below accordingly; afterwards, all steps are the same.

To use a Self-Signed Certificate

There are many ways to create a Self-Signed Certificate; this is just one way. We will be using the keytool program, which is included with your JRE. If it's not on your path, you should be able to find it in $JAVA_HOME/bin.

  1. Run the following command to create a keystore file:
    sudo -u oozie keytool -genkey -alias tomcat -keyalg RSA

    The keystore file will be named .keystore and located in the oozie user's home directory.  

  2. You will now be asked a series of questions in an interactive prompt.  Below is a sample of what this looks like, along with some responses:
    $ sudo -u oozie keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:  password
    Re-enter new password: password
    What is your first and last name?
      [Unknown]:  oozie.server.hostname
    What is the name of your organizational unit?
      [Unknown]:  Engineering
    What is the name of your organization?
      [Unknown]:  A Great Company
    What is the name of your City or Locality?
      [Unknown]:  Anywhere
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=oozie.server.hostname, OU=Engineering, O=A Great Company, L=Anywhere, ST=CA, C=US correct?
      [no]:  yes
    
    Enter key password for <tomcat>
    	(RETURN if same as keystore password):
      Important:

    The password you enter for "keystore password" and "key password for <tomcat>" must be the same.  If you want to use a password other than "password", you will need to make an additional change later when configuring the Oozie Server.

      Important:

    The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the Oozie Server will be running.

     
  3. Run the following command to export a certificate file from the keystore file:
    sudo -u oozie keytool -exportcert -alias tomcat -file path/to/where/I/want/my/certificate.cert

To use a Certificate from a Certificate Authority

  1. Make a request to a Certificate Authority in order to obtain a proper Certificate; please consult a Certificate Authority on this procedure.
  2. Once you have your .cert file, run the following command to create a keystore file from your certificate:
    sudo -u oozie keytool -import -alias tomcat -file path/to/certificate.cert

    The keystore file will be named .keystore and located in the oozie user's home directory.

Configure the Oozie Server to use SSL (HTTPS)

  1. Stop Oozie by running
    sudo /sbin/service oozie stop
  2. Edit the value of the CATALINA_BASE variable in the /etc/oozie/conf/oozie-env.sh file by adding "-ssl" to the end of its current value. The current value should either be /usr/lib/oozie/oozie-server-0.20 (for MRv1) or /usr/lib/oozie/oozie-server (for YARN). To enable SSL, the new value should be either /usr/lib/oozie/oozie-server-0.20-ssl or /usr/lib/oozie/oozie-server-ssl depending on which version of Hadoop is being used.
      Important:

    The OOZIE_HTTPS_KEYSTORE_PASS variable must be the same as the password used when creating the keystore file. If you used a password other than password, you'll have to change the value of the OOZIE_HTTPS_KEYSTORE_PASS variable in this file.

  3. Start Oozie by running
    sudo /sbin/service oozie start
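The two settings in oozie-env.sh that the steps above depend on (CATALINA_BASE pointing at the "-ssl" directory, and OOZIE_HTTPS_KEYSTORE_PASS equal to the keystore password) are easy to get out of sync, and Oozie will simply fail to start or fail the TLS handshake. The following is an added example, not part of the Cloudera page, of a check to run before step 3. It assumes oozie-env.sh uses plain `VAR=value` or `export VAR=value` lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Cloudera page): sanity-check oozie-env.sh
# before restarting Oozie against the two requirements in the steps above.

# Print the value assigned to VAR in FILE (last assignment wins, quotes stripped).
# Assumes plain "VAR=value" or "export VAR=value" lines.
env_value() {  # usage: env_value FILE VAR
    grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" | tail -n 1 \
        | sed -e "s/^[^=]*=//" -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Returns 0 when the file is consistent with the keystore password given to
# keytool, 1 otherwise, printing one line per problem. Optional third
# argument: path to the keystore, which is opened with the password if
# keytool is available on this machine.
check_oozie_env() {  # usage: check_oozie_env FILE KEYSTORE_PASS [KEYSTORE]
    file=$1; keystore_pass=$2; keystore=${3:-}; rc=0

    base=$(env_value "$file" CATALINA_BASE)
    case "$base" in
        /usr/lib/oozie/oozie-server-0.20-ssl|/usr/lib/oozie/oozie-server-ssl) ;;
        *) echo "CATALINA_BASE is '$base'; expected the -ssl directory (MRv1 or YARN)"; rc=1 ;;
    esac

    pass=$(env_value "$file" OOZIE_HTTPS_KEYSTORE_PASS)
    if [ "$pass" != "$keystore_pass" ]; then
        echo "OOZIE_HTTPS_KEYSTORE_PASS does not match the password used with keytool"; rc=1
    fi

    # If keytool and the keystore are present, confirm the password really opens it.
    if [ -n "$keystore" ] && [ -f "$keystore" ] && command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$keystore" -storepass "$keystore_pass" >/dev/null 2>&1 \
            || { echo "keystore password does not open $keystore"; rc=1; }
    fi
    return $rc
}

# Stand-alone usage: sh check_oozie_env.sh /etc/oozie/conf/oozie-env.sh PASSWORD [~oozie/.keystore]
if [ "$#" -ge 2 ]; then
    check_oozie_env "$1" "$2" "${3:-}" && echo "oozie-env.sh is consistent; safe to start Oozie"
fi
```

Run it as the oozie user (or with sudo) so the keystore in the oozie home directory is readable; a non-zero exit means fix the file before `service oozie start`.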

Configure the Oozie Client to connect using SSL (HTTPS)

This section only applies if you are using a Self-Signed Certificate.

  Important:

The following steps must be done on every machine where you intend to use the Oozie Client. This is not necessary if you only want to use the Web UI from a browser.  

The first two steps are only necessary if you used a Self-Signed Certificate.

  1. Copy or download the .cert file onto the client machine
  2. Run the following command to import the certificate into the JRE's keystore. This will allow any Java program, including the Oozie client, to connect to the Oozie Server using your certificate.
    sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}

    Where ${JRE_cacerts} is the path to the JRE's certs file. Its location may differ depending on the operating system, but it's typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts, though it may be under a different directory in ${JAVA_HOME} (you may want to create a backup copy of this file first). The default password is changeit.

  3. When using the Oozie Client, you will need to use https://oozie.server.hostname:11443/oozie instead of http://oozie.server.hostname:11000/oozie – Java will not automatically redirect from the http address to the https address.
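The interactive keytool session in the Self-Signed Certificate section above leaves the two answers that matter (the CN must be the Oozie hostname, and the key password must equal the keystore password) to typing. The following added example, which is not code from the Cloudera page, runs the same keytool steps non-interactively and then performs the client-side import from step 2 above into a truststore, so both ends can be verified before Oozie is started. It assumes keytool from a JRE is on the path; the alias "tomcat" and the DN fields follow the page, while the 365-day validity, the separate client truststore file (instead of the JRE's cacerts) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cloudera page: the self-signed keystore steps
# done non-interactively, followed by the client-side truststore import.
# Requires keytool (JRE). Validity, truststore path and function names are assumptions.
set -u

# Create the server keystore. CN is forced to the Oozie hostname, and the same
# password is passed as -storepass and -keypass, as the page requires.
make_oozie_keystore() {  # usage: make_oozie_keystore KEYSTORE HOSTNAME PASSWORD
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2, OU=Engineering, O=A Great Company, L=Anywhere, ST=CA, C=US" \
        -keystore "$1" -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

# Export the certificate from the keystore (DER, as the page's -exportcert does).
export_oozie_cert() {  # usage: export_oozie_cert KEYSTORE PASSWORD CERTFILE
    keytool -exportcert -alias tomcat -keystore "$1" -storepass "$2" -file "$3" >/dev/null 2>&1
}

# Client side: import the certificate into a truststore. The page imports into
# the JRE's cacerts (default password "changeit"); a dedicated file is used here
# so the shared cacerts does not have to be modified.
import_oozie_cert() {  # usage: import_oozie_cert CERTFILE TRUSTSTORE PASSWORD
    keytool -importcert -alias tomcat -file "$1" -keystore "$2" -storepass "$3" -noprompt >/dev/null 2>&1
}

# Print the CN of the entry stored under alias tomcat, so the hostname
# requirement can be checked on both the server keystore and the client truststore.
keystore_cn() {  # usage: keystore_cn KEYSTORE PASSWORD
    keytool -list -v -alias tomcat -keystore "$1" -storepass "$2" 2>/dev/null \
        | sed -n 's/^Owner: CN=\([^,]*\),.*/\1/p' | head -n 1
}

# Stand-alone run: build everything in a scratch directory and show both CNs.
# Uses this machine's hostname, which is what the CN must be when run on the Oozie server.
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    host=$(hostname -f 2>/dev/null || hostname)
    make_oozie_keystore "$work/.keystore" "$host" password
    export_oozie_cert "$work/.keystore" password "$work/oozie.cert"
    import_oozie_cert "$work/oozie.cert" "$work/client-truststore.jks" changeit
    echo "server keystore CN:   $(keystore_cn "$work/.keystore" password)"
    echo "client truststore CN: $(keystore_cn "$work/client-truststore.jks" changeit)"
    echo "artifacts in $work"
fi
```

On the real server, point the keystore argument at the oozie user's ~/.keystore and use the same password you put in OOZIE_HTTPS_KEYSTORE_PASS. A Java client can be told to use the dedicated truststore with `-Djavax.net.ssl.trustStore=/path/client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit` rather than editing the JRE's cacerts; that property is standard JSSE behaviour, not something the page describes.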

Connect to the Oozie Web UI using SSL (HTTPS)

Use https://oozie.server.hostname:11443/oozie, though most browsers should automatically redirect you if you use http://oozie.server.hostname:11000/oozie.

  Important:

If using a Self-Signed Certificate, your browser will warn you that it can't verify the certificate or something similar. You will probably have to add your certificate as an exception.