4.1. API TLS/SSL

Sqoop 2 offers an HTTP REST-like API as the mechanism by which clients can communicate with the Sqoop 2 server. The Sqoop 2 server and the Sqoop 2 shell have support for TLS/SSL.

4.1.1. Keystore Generation

Sqoop 2 uses the JKS format. Details on how to create JKS files can be found here: Generating a KeyStore and TrustStore

4.1.2. Server Configuration

All Sqoop 2 server TLS/SSL configuration occurs in the Sqoop configuration file, normally in <Sqoop Folder>/conf/sqoop.properties.

First, TLS must be enabled:

org.apache.sqoop.security.tls.enabled=true

A protocol should be specified. Please find a list of options here: Standard Algorithm Name Documentation

org.apache.sqoop.security.tls.protocol="TLSv1.2"

Configure the path to the JKS keystore:

org.apache.sqoop.security.tls.keystore=/Users/abe/mykeystore.jks

Configure the keystore password and the key manager password:

org.apache.sqoop.security.tls.keystore_password=keystorepassword
org.apache.sqoop.security.tls.keymanager_password=keymanagerpassword

Alternatively, the password can be specified using generators.

Generators are commands that the Sqoop propess will execute, and then retrieve the password from standard out. The generator will only be run if no standard password is configured.

org.apache.sqoop.security.tls.keystore_password_generator=echo keystorepassword
org.apache.sqoop.security.tls.keymanager_password=echo keymanagerpassword

4.1.3. Client/Shell Configuration

When using TLS on the Sqoop 2 server, especially with a self-signed certificate, it may be useful to specify a truststore for the client/shell to use.

The truststore for the shell is configured via a command. In practice, it may be useful to put this command inside the system sqoop rc file (/etc/sqoop2/conf/sqoop2rc) or the user’s rc file (~/.sqoop2rc).

sqoop:000> set truststore --truststore /Users/abefine/keystore/node2.truststore
Truststore set successfully

You may also include a password. Passwords are not required for truststores.

sqoop:000> set truststore --truststore /Users/abefine/keystore/node2.truststore --truststore-password changeme
Truststore set successfully

You may also use a password generator.

sqoop:000> set truststore --truststore /Users/abefine/keystore/node2.truststore --truststore-password-generator "echo changeme"
Truststore set successfully