Configuring Access to an SSL/TLS-Enabled Cluster
When you use an SSL-enabled or TLS-enabled cluster, you must configure the Informatica domain to communicate with the secure cluster.
Based on the cluster distribution that uses SSL, you perform the following tasks:
- Amazon EMR cluster uses SSL/TLS: Import security certificates from the cluster to the Informatica domain. If you created a Hive or S3 connection object manually, configure the connection string properties to access the SSL-enabled cluster.
- Cloudera CDH, Cloudera CDP, Dataproc, or Hortonworks HDP cluster uses SSL: Import security certificates from the cluster to the Informatica domain. If you created a Hive connection manually, configure the connection string properties to access the SSL-enabled cluster.
- MapR cluster uses SSL: Make sure that the MapR client is configured to communicate with a secure cluster. If you created a Hive connection object manually, configure the connection string properties to access the SSL-enabled cluster.
Configure the Hive Connection for SSL-Enabled Clusters
If you created the Hive connection when you created cluster configurations, the cluster configuration creation wizard enables access to a cluster that uses SSL. If you manually created a Hive connection, you must configure the connection string properties to enable access to a cluster that uses SSL.
If you manually created a Hive connection, add the following property-value pair to the metadata connection string and data access connection string properties:
ssl=true
For example:
jdbc:hive2://<hostname>:<port>/<db>;ssl=true
Note: Insert the ssl=true flag before the Kerberos principal element when you create the Hive connection manually.
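The placement rule in the note above is easy to get wrong when connection strings are edited by hand. The following shell function is an added example, not part of the Informatica documentation or product: it takes a Hive JDBC URL of the shape shown above and returns it with ssl=true present, inserted in front of the first principal=... element when one exists and appended otherwise. The function name and the sample URLs are assumptions of this example; a URL that already carries ssl=true is returned unchanged, and an explicit ssl=false is deliberately left alone so that a conflicting setting is noticed rather than silently overridden.

```shell
# Added example: ensure a Hive JDBC URL carries ssl=true, placed before the
# Kerberos principal element as the manual-connection note requires.
#   $1 = JDBC URL, e.g. jdbc:hive2://<hostname>:<port>/<db>;principal=hive/_HOST@REALM
hive_url_with_ssl() {
    url="$1"
    case "$url" in
        *";ssl=true"*)
            # Flag already present; return the URL untouched.
            printf '%s\n' "$url"
            return 0
            ;;
    esac
    case "$url" in
        *";principal="*)
            # Split at the first ";principal=" so ssl=true lands before it.
            head="${url%%;principal=*}"
            tail="${url#*;principal=}"
            printf '%s;ssl=true;principal=%s\n' "$head" "$tail"
            ;;
        *)
            # No principal element: append the flag at the end.
            printf '%s;ssl=true\n' "$url"
            ;;
    esac
}

# Usage (constructed sample URLs, not from any real deployment):
#   hive_url_with_ssl 'jdbc:hive2://hive.example.com:10000/default'
#   hive_url_with_ssl 'jdbc:hive2://hive.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM'
```

Apply the function to both the metadata connection string and the data access connection string, since the page requires the property on each.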
Import Security Certificates from an SSL-Enabled Cluster
When you use custom, special, or self-signed security certificates to secure the Hadoop cluster, Informatica services that connect to the cluster require these certificates to be present on the machines that run the application services. Use the keytool utility to import certificates from the cluster.
For more information about the keytool utility, refer to the Oracle documentation.
If a cluster uses SSL, perform the following steps to import security certificates from the cluster to the Data Integration Service and Metadata Access Service machines:
1. Run the following keytool -exportcert command on the cluster to export the certificates:
keytool -exportcert -alias <alias name> -keystore <custom.truststore file location> -file <exported certificate file location> -storepass <password>
Where:
- -alias specifies the alias name associated with the truststore file.
- -keystore specifies the location of the truststore file on the cluster.
- -file specifies the file name and location for the exported certificate file.
- -storepass specifies the password for the keystore on the cluster.
The keytool -exportcert command produces a certificate file associated with the alias.
2. Run the following keytool -importcert command on one Data Integration Service machine to import the security certificates:
keytool -importcert -trustcacerts -alias <alias name> -file <exported certificate file location> -keystore <java cacerts location> -storepass <password>
Where:
- -alias specifies the alias name associated with the certificate file.
- -file specifies the file name and location of the exported certificate file.
- -keystore specifies the location of the truststore file on the domain.
- -storepass specifies the password for the keystore on the domain.
Important: Import the certificate files once and then copy them to all machines that host the Data Integration Service and the Metadata Access Service. If the Data Integration Service runs on a grid, mappings that you push to the Hadoop environment might fail with initialization errors because of inconsistent binary hex values.
Depending on whether the Informatica domain uses SSL, you specify the keystore location as follows:
- If the domain is SSL-enabled, import the certificate file to the following location: <Informatica installation directory>/services/shared/security/infa_truststore.jks
- If the domain is not SSL-enabled, import the certificate file to the following location: <Informatica installation directory>/java/jre/lib/security/cacerts
The keytool -importcert command imports the security certificates to the keystore location you specify.
Example 1. Import Security Certificates
The environment includes a Cloudera CDH cluster that uses SSL and an Informatica domain that does not use SSL. You export the security certificate for the user bigdata_user1 from the custom.truststore file on the Cloudera CDH cluster to the file exported.cer. Then, you import the exported.cer certificate file to the Informatica domain location.
1. Run the following export command:
keytool -exportcert -alias bigdata_user1 -keystore ~/custom.truststore -file ~/exported.cer
2. Run the following import command on the Data Integration Service machine:
keytool -importcert -alias bigdata_user1 -file ~/exported.cer -keystore <Informatica installation directory>/java/jre/lib/security/cacerts
3. Copy the certificate file to all other machines that host the Data Integration Service and the Metadata Access Service.
Rules and Guidelines for Importing Security Certificates from an SSL-Enabled Cluster
Consider the following rules and guidelines when you import security certificates from an SSL-enabled cluster:
- If a MapR cluster is SSL-enabled, you do not have to import the security certificates. Make sure that the MapR client on the Data Integration Service and Metadata Access Service machines is configured to access an SSL-enabled cluster.
- If a Cloudera CDP cluster is Auto-TLS enabled, import the security certificates before you import the cluster configuration into the domain.
Import Security Certificates from a TLS-Enabled Domain
When the domain is configured to use TLS, you must import the certificates to the default or custom truststore file that the Informatica domain uses.
- Default truststore file
If the domain is TLS-enabled and the cluster uses server managed keys, you must import the Baltimore CyberTrust Root certificate to the default truststore file.
Use the keytool utility to import the security certificate.
The default truststore file is located in the following directory: <Informatica installation home>/services/shared/security/infa_truststore.jks
- Custom truststore file
If the domain is TLS-enabled with a custom truststore file, and the cluster uses server managed keys, get the custom truststore file location from Informatica Administrator, and then import the Baltimore CyberTrust Root certificate to the custom truststore file.
Use the keytool utility to import the security certificate.
To get the custom truststore file location, perform the following steps:
1. In the Administrator tool, click the Manage tab.
2. Click the Services and Nodes view.
3. In the Domain Navigator, select the domain.
4. Get the custom truststore file location from the domain properties.
You can download the Baltimore CyberTrust Root certificates from https://www.digicert.com/digicert-root-certificates.htm.
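Both the cluster-certificate procedure (export on the cluster, import into the domain keystore that matches the domain's SSL setting, copy to the other service machines) and the Baltimore CyberTrust Root import for a TLS-enabled domain come down to the same keytool import followed by a check that the alias is now present. The script below is an added example and not Informatica's own tooling: the keystore paths under the installation directory are the ones this page gives, while the function names, the KEYTOOL_DRY_RUN and KEYSTORE_PASS variables, and the -noprompt option are assumptions of this example. With KEYTOOL_DRY_RUN set, the functions only print the command they would run, so the logic can be checked on a machine without keytool.

```shell
#!/bin/sh
# Added example (not Informatica's own code): wrap the keytool steps from this
# page and verify the import before the certificate file is copied around.

# Domain keystore to import into, per the page: infa_truststore.jks when the
# domain is SSL/TLS-enabled, the JRE cacerts file otherwise.
#   $1 = Informatica installation directory, $2 = "yes" if the domain uses SSL/TLS
infa_truststore_path() {
    if [ "$2" = "yes" ]; then
        printf '%s/services/shared/security/infa_truststore.jks\n' "$1"
    else
        printf '%s/java/jre/lib/security/cacerts\n' "$1"
    fi
}

# Step 1 (run on the cluster): export the certificate stored under an alias.
#   $1 = alias, $2 = cluster truststore file, $3 = output .cer file
export_cmd() {
    printf 'keytool -exportcert -alias %s -keystore %s -file %s\n' "$1" "$2" "$3"
}

# Step 2 (run on one Data Integration Service machine). -trustcacerts lets
# keytool consult the existing CA certificates when it validates the chain;
# -noprompt (assumed here) suppresses the interactive "Trust this certificate?"
# question so the command works unattended.
#   $1 = alias, $2 = exported .cer file, $3 = domain keystore
import_cmd() {
    printf 'keytool -importcert -trustcacerts -noprompt -alias %s -file %s -keystore %s\n' \
        "$1" "$2" "$3"
}

# Import into the right domain keystore and confirm the alias landed.
#   $1 = alias, $2 = exported .cer file,
#   $3 = installation directory, $4 = "yes" if the domain uses SSL/TLS
# The keystore password is taken from KEYSTORE_PASS when set so it does not
# have to be typed into the script; otherwise keytool prompts for it.
import_into_domain() {
    cert_alias="$1"; certfile="$2"
    keystore=$(infa_truststore_path "$3" "$4")
    if [ -n "$KEYTOOL_DRY_RUN" ]; then
        import_cmd "$cert_alias" "$certfile" "$keystore"
        return 0
    fi
    [ -r "$certfile" ] || { echo "certificate file not readable: $certfile" >&2; return 1; }
    keytool -importcert -trustcacerts -noprompt -alias "$cert_alias" -file "$certfile" \
        -keystore "$keystore" ${KEYSTORE_PASS:+-storepass "$KEYSTORE_PASS"} || return 1
    # keytool -list exits non-zero when the alias is absent, which makes it a
    # cheap post-import check before the file is copied to the other machines.
    keytool -list -alias "$cert_alias" -keystore "$keystore" \
        ${KEYSTORE_PASS:+-storepass "$KEYSTORE_PASS"} >/dev/null
}

# Usage, mirroring Example 1 on this page (SSL cluster, non-SSL domain;
# /opt/Informatica is a placeholder installation directory):
#   export_cmd bigdata_user1 ~/custom.truststore ~/exported.cer     # on the cluster
#   import_into_domain bigdata_user1 ~/exported.cer /opt/Informatica no
# For a TLS-enabled domain importing the Baltimore CyberTrust Root:
#   import_into_domain baltimore_root ~/BaltimoreCyberTrustRoot.crt /opt/Informatica yes
```

After a successful run, copy the certificate file to every other Data Integration Service and Metadata Access Service machine rather than repeating the import there, which is the grid-consistency point the "Important" note above makes.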