Configuring SSL

Note: In this documentation, "SSL" indicates both TLS (Transport Layer Security) and SSL (Secure Sockets Layer). The connector supports industry-standard versions of TLS/SSL.

If you are connecting to a Hive server that has Secure Sockets Layer (SSL) enabled, you can configure the connector to connect to an SSL-enabled socket. When connecting to a server over SSL, the connector uses one-way authentication to verify the identity of the server.

One-way authentication requires a signed, trusted SSL certificate for verifying the identity of the server. You can configure the connector to access a specific TrustStore or KeyStore that contains the appropriate certificate. If you do not specify a TrustStore or KeyStore, then the connector uses the default Java TrustStore named jssecacerts. If jssecacerts is not available, then the connector uses cacerts instead.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure SSL:

  1. Set the SSL property to 1.
  2. If you are not using one of the default Java TrustStores, then do one of the following:
    • Create a TrustStore and configure the connector to use it:
      1. Create a TrustStore containing your signed, trusted server certificate.
      2. Set the SSLTrustStore property to the full path of the TrustStore.
      3. Set the SSLTrustStorePwd property to the password for accessing the TrustStore.
      4. If the TrustStore is not a JKS TrustStore, set the SSLTrustStoreType property to the correct type. The supported types are:
        1. SSLTrustStoreType=BCFKS (BouncyCastle FIPS Keystore)
        2. SSLTrustStoreType=PKCS12 (Public Key Cryptography Standards #12)
          Note: The SSLTrustStoreType=PKCS11 (Public Key Cryptography Standards #11) TrustStore type is not supported.

      5. To specify a Java Security API provider, set the SSLTrustStoreProvider property to the name of the provider.
    • Or, create a KeyStore and configure the connector to use it:
      1. Create a KeyStore containing your signed, trusted server certificate.
      2. Set the SSLKeyStore property to the full path of the KeyStore.
      3. Set the SSLKeyStorePwd property to the password for accessing the KeyStore.
      4. If the KeyStore is not a JKS KeyStore, set the SSLKeyStoreType property to the correct type.
      5. To specify a Java Security API provider, set the SSLKeyStoreProvider property to the name of the provider.
  3. Optionally, to allow the SSL certificate used by the server to be self-signed, set the AllowSelfSignedCerts property to 1.
    Important: When the AllowSelfSignedCerts property is set to 1, SSL verification is disabled. The connector does not verify the server certificate against the TrustStore, and does not verify whether the server's host name matches the common name or subject alternative names in the server certificate.

  4. Optionally, to allow the common name of a CA-issued certificate to not match the host name of the Hive server, set the CAIssuedCertNamesMismatch property to 1.

For example, the following connection URLs connect to a data source using username and password authentication, with SSL enabled:

jdbc:hive2://localhost:10000;AuthMech=3;SSL=1;SSLKeyStore=C:\\Users\\bsmith\\Desktop\\keystore.jks;SSLKeyStorePwd=simbaSSL123;UID=hs2;PWD=simba123

jdbc:hive://localhost:;AuthMech=3;SSL=1;SSLKeyStore=C:\\Users\\bsmith\\Desktop\\keystore.jks;SSLKeyStorePwd=simbaSSL123;UID=hive;PWD=simba123

Note: For more information about the connection properties used in SSL connections, see Connector Configuration Options.
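The following added example (not part of the connector or its documentation) audits a connection URL for the SSL properties described in the procedure above and reports the settings that relax or disable server verification. It assumes properties are semicolon-separated Key=Value pairs with names spelled exactly as on this page; the severity labels, function names and sample URLs are constructed for illustration.

```python
# Added example, not the connector's code. Assumption: properties are
# ';'-separated Key=Value pairs, with names spelled exactly as on this page.
SUPPORTED_TRUSTSTORE_TYPES = {"JKS", "BCFKS", "PKCS12"}  # types listed above

# Constructed sample URLs; host, path and password are placeholders.
WEAK_URL = ("jdbc:hive2://hive.example.internal:10000;AuthMech=3;SSL=1;"
            "AllowSelfSignedCerts=1;CAIssuedCertNamesMismatch=1;SSLTrustStoreType=PKCS11")
STRICT_URL = ("jdbc:hive2://hive.example.internal:10000;AuthMech=3;SSL=1;"
              "SSLTrustStore=/etc/hive/truststore.p12;SSLTrustStoreType=PKCS12;"
              "SSLTrustStorePwd=<from-secret-store>")


def parse_properties(url):
    """Split 'jdbc:hive2://host:port;K=V;K=V' into (endpoint, {K: V})."""
    endpoint, _, rest = url.partition(";")
    props = {}
    for pair in rest.split(";"):
        key, sep, value = pair.partition("=")
        if sep:  # skip empty or malformed segments
            props[key.strip()] = value.strip()
    return endpoint, props


def audit_ssl(url):
    """Return a list of (severity, message) findings for one connection URL."""
    _, p = parse_properties(url)
    findings = []
    if p.get("SSL") != "1":
        # The remaining SSL properties only matter once SSL is set to 1.
        return [("high", "SSL is not set to 1; the SSL settings are not in effect")]
    if p.get("AllowSelfSignedCerts") == "1":
        findings.append(("high", "AllowSelfSignedCerts=1 disables certificate "
                                 "and host name verification"))
    if p.get("CAIssuedCertNamesMismatch") == "1":
        findings.append(("medium", "CAIssuedCertNamesMismatch=1 accepts a certificate "
                                   "whose name does not match the server host name"))
    ts_type = p.get("SSLTrustStoreType")
    if ts_type is not None and ts_type not in SUPPORTED_TRUSTSTORE_TYPES:
        findings.append(("medium", f"SSLTrustStoreType={ts_type} is not a supported type"))
    if "SSLTrustStore" not in p and "SSLKeyStore" not in p:
        findings.append(("info", "no TrustStore or KeyStore set; the default Java "
                                 "TrustStore (jssecacerts, then cacerts) is used"))
    return findings


if __name__ == "__main__":
    for url in (WEAK_URL, STRICT_URL):
        print(url, audit_ssl(url) or "no findings", sep="\n  ")
```

Running a check like this over application configuration files before deployment catches URLs where AllowSelfSignedCerts or CAIssuedCertNamesMismatch was left enabled after testing.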