Verifying TLS for HDFS Transparency

This section describes the steps to verify TLS security on the HDFS Transparency nodes.

Run kinit with a valid keytab to obtain a Kerberos ticket. For more information, see Verifying installation.

To list the files under the IBM Storage Scale Hadoop root directory, run the following commands:
  1. Verify the secure HDFS Java™ (swebhdfs) client by running the following commands:
    # echo "hello world" > /tmp/hello
    # /usr/lpp/mmfs/hadoop/bin/hdfs dfs -ls swebhdfs://<HDFS HA Namespace>/
    # /usr/lpp/mmfs/hadoop/bin/hdfs dfs -put /tmp/hello swebhdfs://<HDFS HA Namespace>/tmp
    # /usr/lpp/mmfs/hadoop/bin/hdfs dfs -cat swebhdfs://<HDFS HA Namespace>/tmp/hello
    where <HDFS HA Namespace> is defined by the fs.defaultFS parameter in your /var/mmfs/hadoop/etc/hadoop/core-site.xml.
  2. Verify the https client by running the following command:
    # curl --cacert /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_cacerts.pem --negotiate -u: https://<CES_HOSTNAME>:50470/webhdfs/v1/?op=LISTSTATUS

    where <CES_HOSTNAME> is the FQDN corresponding to the CES IP configured for your CES HDFS cluster.

    The following command can also be used to verify. However, its -k option bypasses CA certificate checking, so it is not recommended for anything other than troubleshooting.
    # curl -ku: --negotiate https://<CES_HOSTNAME>:50470/webhdfs/v1/?op=LISTSTATUS
    Note:
    • For non-HA CES HDFS clusters, use the <CES_HOSTNAME>:<port> format instead of the Namespace for the hdfs commands.
    • For curl commands, always use the <CES_HOSTNAME>:<port> format. For Kerberos-enabled clusters, substituting <CES_HOSTNAME> with <CES-IP> fails with an HTTP 401 (Auth) error, because the Kerberos principal is created only for the CES hostname.
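
The two checks above can be wrapped in a script that keeps CA verification on and reports why a check failed. This is an added example, not IBM-supplied code; the function names and the "mycluster" sample are assumptions, and the paths and port are the ones used on this page.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. Paths are the ones used on this page.
CORE_SITE=${CORE_SITE:-/var/mmfs/hadoop/etc/hadoop/core-site.xml}
CACERT=${CACERT:-/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_cacerts.pem}
HDFS=${HDFS:-/usr/lpp/mmfs/hadoop/bin/hdfs}

# Constructed sample input; "mycluster" is a made-up namespace.
constructed_core_site() {
    printf '%s\n' '<configuration>' ' <property>' \
        '  <name>fs.defaultFS</name>' '  <value>hdfs://mycluster</value>' \
        ' </property>' '</configuration>'
}

# Print the authority part of fs.defaultFS from core-site.xml read on stdin.
# Assumes <value> directly follows <name> inside the <property> element.
namespace_from_core_site() {
    tr -d '\n' |
    sed -n 's|.*<name>[[:space:]]*fs\.defaultFS[[:space:]]*</name>[[:space:]]*<value>[[:space:]]*\([^<[:space:]]*\).*|\1|p' |
    sed 's|^[A-Za-z]*://||; s|/.*$||'
}

# True when the argument looks like an IPv4 literal instead of a hostname.
is_ipv4_literal() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map the HTTP status reported by curl to a verdict.
classify_status() {
    case "$1" in
        200) echo "OK" ;;
        401) echo "FAIL: Kerberos authentication rejected (HTTP 401)" ;;
        000) echo "FAIL: no HTTP response (connection or certificate check failed)" ;;
        *)   echo "FAIL: unexpected HTTP status $1" ;;
    esac
}

# Run both checks with CA verification on; $1 is the CES hostname (FQDN).
verify_tls() {
    if is_ipv4_literal "$1"; then echo "use the CES hostname, not the CES IP" >&2; return 2; fi
    ns=$(namespace_from_core_site < "$CORE_SITE")
    [ -n "$ns" ] || { echo "fs.defaultFS not found in $CORE_SITE" >&2; return 2; }
    "$HDFS" dfs -ls "swebhdfs://$ns/" || return 1
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$CACERT" \
        --negotiate -u: "https://$1:50470/webhdfs/v1/?op=LISTSTATUS") || true
    classify_status "$code"
    [ "$code" = 200 ]
}
```

After sourcing the file and running kinit, call verify_tls with the CES hostname; the namespace lookup applies to HA clusters, where fs.defaultFS holds the namespace.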