Configuring Access to an SSL/TLS-Enabled Cluster
When you use an SSL-enabled or TLS-enabled cluster, you must configure the Informatica domain to communicate with the secure cluster.
The tasks depend on which cluster distribution uses SSL:
- Amazon EMR cluster uses SSL/TLS
- Import security certificates from the cluster to the Informatica domain. If you created a Hive or S3 connection object manually, configure the connection string properties to access the SSL-enabled cluster.
- Cloudera CDH, Cloudera CDP, Dataproc, or Hortonworks HDP cluster uses SSL
- Import security certificates from the cluster to the Informatica domain. If you created a Hive connection manually, configure the connection string properties to access the SSL-enabled cluster.
- MapR cluster uses SSL
- Make sure that the MapR client is configured to communicate with a secure cluster. If you created a Hive connection object manually, configure the connection string properties to access the SSL-enabled cluster.
Configure the Hive Connection for SSL-Enabled Clusters
If you created the Hive connection when you created cluster configurations, the cluster configuration creation wizard enables access to a cluster that uses SSL. If you manually created a Hive connection, you must configure the connection string properties to enable access to a cluster that uses SSL.
If you manually created a Hive connection, add the following property-value pair to the metadata connection string and data access connection string properties:
ssl=true
For example:
jdbc:hive2://<hostname>:<port>/<db>;ssl=true
Note: When you create the Hive connection manually and the cluster uses Kerberos, place the ssl=true flag before the principal element in the connection string.
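The following shell functions are an added example, not code from the Informatica documentation or product. They rewrite a manually created Hive JDBC connection string so that ssl=true is present exactly once and sits ahead of any Kerberos principal element, and they audit an existing string for that ordering. The host, port, database and principal values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Informatica's code): place ssl=true in a Hive JDBC
# connection string ahead of any ;principal= element, as the note requires.

# Print the connection string with ssl=true inserted. Idempotent: an existing
# ;ssl=true is removed first so the flag appears once, in the right place.
hive_url_enable_ssl() {
  url="$1"
  case "$url" in
    *";ssl=true"*)
      head=${url%%";ssl=true"*}
      tail=${url#*";ssl=true"}
      url="$head$tail"
      ;;
  esac
  case "$url" in
    *";principal="*)
      # Split at the first ;principal= and put ssl=true ahead of it.
      before=${url%%";principal="*}
      after=${url#*";principal="}
      printf '%s;ssl=true;principal=%s\n' "$before" "$after"
      ;;
    *)
      # No principal element: append the flag at the end.
      printf '%s;ssl=true\n' "$url"
      ;;
  esac
}

# Return 0 when ssl=true is present and, if a principal element exists, comes
# before it; return 1 otherwise. Useful for auditing hand-made connections.
hive_url_ssl_ok() {
  case "$1" in
    *";ssl=true"*";principal="*) return 0 ;;  # flag precedes principal
    *";principal="*)             return 1 ;;  # principal present, flag missing or after it
    *";ssl=true"*)               return 0 ;;  # no principal, flag present
    *)                           return 1 ;;
  esac
}

# Usage (constructed values):
#   hive_url_enable_ssl 'jdbc:hive2://hive1.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM'
#   -> jdbc:hive2://hive1.example.com:10000/default;ssl=true;principal=hive/_HOST@EXAMPLE.COM
```

Apply hive_url_enable_ssl to both the metadata connection string and the data access connection string; the flag has to be present in each.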
Import Security Certificates from an SSL-Enabled Cluster
When you use custom, special, or self-signed security certificates to secure the Hadoop cluster, Informatica services that connect to the cluster require these certificates to be present on the machines that run the application services. Use the keytool utility to import certificates from the cluster.
For more information about the keytool utility, refer to the Oracle documentation.
If a cluster uses SSL, perform the following steps to import security certificates from the cluster to the Data Integration Service and Metadata Access Service machines:
1. Run the following keytool -exportcert command on the cluster to export the certificates:
keytool -exportcert
-alias <alias name>
-keystore <custom.truststore file location>
-file <exported certificate file location>
-storepass <password>
Where:
- -alias specifies the alias under which the certificate entry is stored in the truststore file.
- -keystore specifies the location of the truststore file on the cluster.
- -file specifies the file name and location for the exported certificate file.
- -storepass specifies the password for the truststore on the cluster.
The keytool -exportcert command produces a certificate file associated with the alias.
2. Run the following keytool -importcert command on one Data Integration Service machine to import the security certificates:
keytool -importcert -trustcacerts
-alias <alias name>
-file <exported certificate file location>
-keystore <java cacerts location>
-storepass <password>
Where:
- -alias specifies the alias under which the imported certificate is stored.
- -file specifies the file name and location of the exported certificate file.
- -keystore specifies the location of the truststore file on the domain.
- -storepass specifies the password for the truststore on the domain.
Important: Import the certificates on one machine only, and then copy the resulting truststore file to all other machines that host the Data Integration Service and Metadata Access Service. If the Data Integration Service runs on a grid and the nodes hold truststores that were populated separately, mappings that you push to the Hadoop environment can fail with initialization errors due to inconsistent binary hex values.
Depending on whether the Informatica domain uses SSL, you specify the keystore location as follows:
- If the domain is SSL-enabled, import the certificate file to the following location:
<Informatica installation directory>/services/shared/security/infa_truststore.jks
- If the domain is not SSL-enabled, import the certificate file to the following location:
<Informatica installation directory>/java/jre/lib/security/cacerts
The keytool -importcert command imports the security certificates to the keystore location you specify.
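The following shell functions are an added example, not tooling from the Informatica documentation or product. They wrap the export and import steps above, select the correct domain truststore for an SSL-enabled or non-SSL domain, verify the imported entry, and fingerprint the truststore so that every grid node can be checked for an identical copy. Assumptions: keytool is on PATH, sha256sum is available, and the truststore passwords are supplied through the environment variables CLUSTER_STOREPASS and DOMAIN_STOREPASS (using keytool's -storepass:env form) so they do not appear in shell history or process listings. The alias, paths and installation directory in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not Informatica's own tooling: keytool export/import done once,
# with the resulting truststore distributed to every Data Integration Service
# and Metadata Access Service host. Passwords come from environment variables
# (CLUSTER_STOREPASS, DOMAIN_STOREPASS) rather than the command line.
set -eu

# Pick the truststore the domain actually uses (rule from the text above).
#   $1 = Informatica installation directory, $2 = "ssl" or "nossl"
infa_truststore_path() {
  case "$2" in
    ssl)   printf '%s/services/shared/security/infa_truststore.jks\n' "$1" ;;
    nossl) printf '%s/java/jre/lib/security/cacerts\n' "$1" ;;
    *) echo "usage: infa_truststore_path <install_dir> ssl|nossl" >&2; return 2 ;;
  esac
}

# Step 1, run on the cluster: export the certificate stored under ALIAS.
#   $1 = alias, $2 = cluster truststore, $3 = output .cer file
export_cluster_cert() {
  keytool -exportcert -alias "$1" -keystore "$2" -file "$3" \
          -storepass:env CLUSTER_STOREPASS
}

# Step 2, run on ONE Data Integration Service host: import into the domain
# truststore. -noprompt skips the interactive "Trust this certificate?"
# question, so check the fingerprint with show_imported_entry afterwards.
#   $1 = alias, $2 = exported .cer file, $3 = domain truststore
import_cert_to_domain() {
  keytool -importcert -trustcacerts -noprompt -alias "$1" -file "$2" \
          -keystore "$3" -storepass:env DOMAIN_STOREPASS
}

# Confirm the entry landed and print its alias and SHA-256 fingerprint for
# comparison with the value the cluster administrator expects.
#   $1 = alias, $2 = domain truststore
show_imported_entry() {
  keytool -list -v -alias "$1" -keystore "$2" -storepass:env DOMAIN_STOREPASS \
    | grep -E 'Alias name|SHA256:'
}

# Digest of the whole truststore file. After copying the file to the other
# grid nodes, every node must report the same value; a mismatch means the
# nodes disagree about what is trusted.
#   $1 = truststore file
truststore_digest() {
  sha256sum "$1" | cut -d' ' -f1
}

# Typical run (constructed values; cluster side first, then domain side):
#   CLUSTER_STOREPASS=... export_cluster_cert bigdata_user1 ~/custom.truststore ~/exported.cer
#   TS=$(infa_truststore_path /opt/informatica nossl)
#   DOMAIN_STOREPASS=... import_cert_to_domain bigdata_user1 ~/exported.cer "$TS"
#   show_imported_entry bigdata_user1 "$TS"
#   truststore_digest "$TS"     # copy "$TS" to the other hosts and compare digests
```

Run the import once, copy the truststore file (not just the .cer file) to the remaining hosts, and compare truststore_digest output on each host before pushing mappings to the cluster.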
Example. Import Security Certificates
The environment includes a Cloudera CDH cluster that uses SSL and an Informatica domain that does not use SSL. You export the certificate stored under the alias bigdata_user1 from the custom.truststore file on the Cloudera CDH cluster to the file exported.cer. Then, you import the exported.cer certificate file into the default Java cacerts truststore of the Informatica domain.
- 1. Run the following export command:
keytool -exportcert -alias bigdata_user1 -keystore ~/custom.truststore -file ~/exported.cer
- 2. Run the following import command on the Data Integration Service machine:
keytool -importcert -alias bigdata_user1 -file ~/exported.cer -keystore <Informatica installation directory>/java/jre/lib/security/cacerts
- 3. Copy the updated cacerts file to all other machines that host the Data Integration Service and the Metadata Access Service.
Rules and Guidelines for Importing Security Certificates from an SSL-Enabled Cluster
Consider the following rules and guidelines when you import security certificates from an SSL-enabled cluster:
- If a MapR cluster is SSL-enabled, you do not have to import the security certificates. Make sure that the MapR client on the Data Integration Service and Metadata Access Service machines is configured to access an SSL-enabled cluster.
- If a Cloudera CDP cluster is Auto-TLS enabled, import the security certificates before you import the cluster configuration into the domain.
Import Security Certificates from a TLS-Enabled Domain
When the domain is configured to use TLS, you must import the certificates to the default or custom truststore file that the Informatica domain uses.
- Default truststore file
If the domain is TLS-enabled and the cluster uses server managed keys, you must import the Baltimore CyberTrust Root certificate to the default truststore file.
Use the keytool utility to import the security certificate.
The default truststore file is located in the following directory: <Informatica installation home>/services/shared/security/infa_truststore.jks
- Custom truststore file
If the domain is TLS-enabled with a custom truststore file, and the cluster uses server managed keys, get the custom truststore file location from Informatica Administrator, and then import the Baltimore CyberTrust Root certificate to the custom truststore file.
Use the keytool utility to import the security certificate.
To get the custom truststore file location, perform the following steps:
- 1. In the Administrator tool, click the Manage tab.
- 2. Click the Services and Nodes view.
- 3. In the Domain Navigator, select the domain.
- 4. Get the custom truststore file location from the domain properties.
You can download the Baltimore CyberTrust Root certificate from https://www.digicert.com/digicert-root-certificates.htm.