Importing self-signed certificates from MDS server to a Java truststore

Client applications such as IDEs and command-line utilities must trust the certificate that the Metadata Service (MDS) presents when MDS is configured with a self-signed certificate. Software installations use a self-signed certificate by default, so the certificate is not signed by any CA that the Java runtime already trusts and the TLS handshake fails until you add it to a truststore.

About this task

The following procedure describes how to retrieve the self-signed certificate that MDS serves and import it into a Java truststore that the client utilities use.

Procedure

To import the certificate into your truststore, complete the following steps:

  1. On the client workstation from which you intend to connect to MDS, retrieve the certificate served by the thrift server. Replace <hive-metastore-host> and <nodeport> with the host name and port of the MDS endpoint.
    echo QUIT | openssl s_client -showcerts -connect <hive-metastore-host>:<nodeport> | awk '/-----BEGIN CERTIFICATE-----/ {p=1}; p; /-----END CERTIFICATE-----/ {p=0}' > hms.cert
    The awk filter writes every certificate that the server sends, so for a self-signed endpoint hms.cert contains exactly one certificate. Because this command trusts whatever the network returned, compare the fingerprint of hms.cert (openssl x509 -in hms.cert -noout -fingerprint -sha256) with the fingerprint of the certificate on the MDS server before you import it.
  2. Use one of the following methods to add the certificate to a truststore:
    1. Add it to the existing Java™ truststore (cacerts). This requires write access to the JDK installation and makes the certificate trusted by every application that runs on that JDK.
      keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias hms-cert -file ./hms.cert
    2. Create a separate Java truststore. keytool prompts for a new keystore password and asks you to confirm the import. The client must then be pointed at this file, for example with the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties.
      keytool -import -alias hms-cert -file ./hms.cert -keystore ./hms-truststore.jks
  3. Check whether the certificate was imported correctly. The output lists the entry together with its SHA-256 fingerprint, which must match the fingerprint you verified in step 1.
    1. If you added the certificate to the existing Java truststore, run the following command:
      keytool -list -v -cacerts -storepass changeit -alias hms-cert
      Note: changeit is the default password for the cacerts file in Java.
    2. If you created a new Java truststore, run the following command:
      keytool -list -v -keystore ./hms-truststore.jks -alias hms-cert