Version: 2.5.4

Configure a secure TLS/SSL keystore connection to a remote agent

Follow the steps below to set up a keystore to enable Transport Layer Security (TLS)/Secure Sockets Layer (SSL) between Hive Migrator and your remote agents.

Add your agent

Add your remote agent:

Note: It may be preferable to set up both client-side and server-side keystores on one node and copy them to their relevant locations after configuration.

Create keystore and generate key for remote server side communication

  1. Generate the keystore:
    keytool -genkey -alias server -storetype JKS -keyalg RSA -keysize 2048 -keystore server.jks -validity 365 -ext SAN="dns:<hostname of remote server node>"

Create keystore and generate key for client side (Hive Migrator) communication

  1. Generate the keystore:
    keytool -genkey -alias client -storetype JKS -keyalg RSA -keysize 2048 -keystore client.jks -validity 365 -ext SAN="dns:<hostname of HVM node>"

Exchange client and server certificates

  1. Add the client side key to the server keystore:
    keytool -importkeystore -srckeystore client.jks -destkeystore server.jks -srcstoretype JKS -deststoretype JKS -srcstorepass <client keystore password> -deststorepass <server keystore password> -srcalias client -destalias client
  2. Add the server side key to the client keystore:
    keytool -importkeystore -srckeystore server.jks -destkeystore client.jks -srcstoretype JKS -deststoretype JKS -srcstorepass <server keystore password> -deststorepass <client keystore password> -srcalias server -destalias server

Update agent.yaml on the server side

  1. Update /etc/wandisco/hivemigrator-remote-server/agent.yaml on the server side by adding the following properties, replacing the values with your own:

    Example: agent properties
    agentType: "HIVE"
    remoteAgentConfig:
      port: 5052
      host: "exampleuser02-vm2.example-domain.com"
      sslEnabled: true
      certificateStorageType: "KEYSTORE"
      keyStoreConfig:
        path: "server.jks"
        password: "<keystore_password>"
        certificateAlias: "server"
        trustedCertificateAlias: "client"
        type: "JKS"
    hiveAgentConfig: {}
    fileSystemId: "targetHDFS"
    defaultFsOverride: "hdfs://nameservice02"
    preferredOperationMode: "LISTENING"

    Note: Update the certificateStorageType value from FILE to KEYSTORE.

    Info: Data Migrator doesn’t automatically store your TLS/SSL keystore password after adding a remote agent. Add your keystore password manually to /etc/wandisco/hivemigrator-remote-server/agent.yaml by updating the password property in the keyStoreConfig section.

  2. Restart the remote server to apply your new settings:

    service hivemigrator-remote-server restart

Update application.properties on the client side

  1. Update /etc/wandisco/hivemigrator/application.properties by adding the following settings:
    Example hivemigrator application properties
    hivemigrator.keystore.path=client.jks
    hivemigrator.keystore.password=<keystore_password>
    hivemigrator.keystore.certificateAlias=client
    hivemigrator.keystore.trustedCertificateAlias=server
    hivemigrator.keystore.type=JKS
  2. Restart the Hive Migrator service:
    service hivemigrator restart
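
The following is an added example, not part of the product documentation: a POSIX shell check that the server-side agent.yaml and the client-side application.properties agree with each other before you restart the services. The function names and the sample password are constructed for illustration, and the YAML reader assumes the simple `key: "value"` lines used in the example above.

```shell
#!/bin/sh
# Added example: cross-check agent.yaml (server) against application.properties (client).

# Value of one key in agent.yaml; assumes simple 'key: "value"' lines.
yaml_val() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | head -n 1
}
# Value of one hivemigrator.keystore.* property.
prop_val() { sed -n "s/^hivemigrator\.keystore\.$1=//p" "$2" | head -n 1; }

fail() { echo "FAIL: $*"; bad=1; }

# Usage: check_keystore_pair <agent.yaml> <application.properties>
# Prints one line per problem and returns non-zero if any was found.
check_keystore_pair() {
  agent=$1; props=$2; bad=0
  [ "$(yaml_val sslEnabled "$agent")" = "true" ] || fail "sslEnabled is not true"
  [ "$(yaml_val certificateStorageType "$agent")" = "KEYSTORE" ] ||
    fail "certificateStorageType is not KEYSTORE"
  # Each side must trust the alias the other side presents.
  [ "$(yaml_val certificateAlias "$agent")" = "$(prop_val trustedCertificateAlias "$props")" ] ||
    fail "client trustedCertificateAlias does not match server certificateAlias"
  [ "$(yaml_val trustedCertificateAlias "$agent")" = "$(prop_val certificateAlias "$props")" ] ||
    fail "server trustedCertificateAlias does not match client certificateAlias"
  [ "$(yaml_val type "$agent")" = "$(prop_val type "$props")" ] || fail "keystore types differ"
  for pw in "$(yaml_val password "$agent")" "$(prop_val password "$props")"; do
    case $pw in '' | '<'*'>') fail "keystore password empty or still a placeholder" ;; esac
  done
  # Both files hold a keystore password in clear text, so neither should be world-readable.
  for f in "$agent" "$props"; do
    [ -z "$(find "$f" -perm -004)" ] || fail "$f is world-readable"
  done
  return "$bad"
}

# Constructed sample files, modelled on the two examples above (password is made up).
make_sample() {
  printf '%s\n' 'agentType: "HIVE"' 'remoteAgentConfig:' '  sslEnabled: true' \
    '  certificateStorageType: "KEYSTORE"' '  keyStoreConfig:' '    path: "server.jks"' \
    '    password: "constructed-pass"' '    certificateAlias: "server"' \
    '    trustedCertificateAlias: "client"' '    type: "JKS"' > "$1/agent.yaml"
  printf 'hivemigrator.keystore.%s\n' 'path=client.jks' 'password=constructed-pass' \
    'certificateAlias=client' 'trustedCertificateAlias=server' 'type=JKS' \
    > "$1/application.properties"
  chmod 600 "$1/agent.yaml" "$1/application.properties"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
check_keystore_pair "$demo_dir/agent.yaml" "$demo_dir/application.properties" && echo "OK"
rm -rf "$demo_dir"
```

To check a real deployment, copy both files to one host and call check_keystore_pair with their paths instead of the constructed samples.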