In-transit encryption in HiveServer2 - Amazon EMR

Starting with Amazon EMR release 6.9.0, HiveServer2 (HS2) is TLS/SSL-enabled as part of the in-transit encryption security configuration. This affects how you connect to HS2 running on an Amazon EMR cluster with in-transit encryption enabled. To connect to HS2, you must modify the TRUSTSTORE_PATH and TRUSTSTORE_PASSWORD parameter values in the JDBC URL. The following URL is an example of a JDBC connection for HS2 with the required parameters:

jdbc:hive2://HOST_NAME:10000/default;ssl=true;sslTrustStore=TRUSTSTORE_PATH;trustStorePassword=TRUSTSTORE_PASSWORD

Use the appropriate instructions below for on-cluster or off-cluster HiveServer2 access.

On-cluster HS2 access

If you are accessing HiveServer2 using the Beeline client after you SSH to the primary node, refer to /etc/hadoop/conf/ssl-server.xml to find the TRUSTSTORE_PATH and TRUSTSTORE_PASSWORD parameter values. They are stored in the ssl.server.truststore.location and ssl.server.truststore.password properties.

The following example commands can help you retrieve these configurations:

TRUSTSTORE_PATH=$(sed -n '/ssl.server.truststore.location/,+2p' /etc/hadoop/conf/ssl-server.xml | awk -F "[><]" '/value/{print $3}')
TRUSTSTORE_PASSWORD=$(sed -n '/ssl.server.truststore.password/,+2p' /etc/hadoop/conf/ssl-server.xml | awk -F "[><]" '/value/{print $3}')
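
An added example (not from the AWS documentation): the two lookups above wrapped in functions that match the property name exactly, fail if either value is missing, and assemble the JDBC URL shown earlier. The function names and the sample file contents are constructed, and the parser assumes one XML element per line, as the commands above do.

```bash
# Print the <value> of the <property> whose <name> equals $1 exactly.
# Assumption: <name> and <value> each sit on their own line (usual Hadoop layout).
hadoop_conf_value() {
  local name="$1" file="$2"
  awk -v want="$name" -F '[><]' '
    /<name>/             { in_prop = ($3 == want) }
    /<value>/ && in_prop { print $3; exit }
  ' "$file"
}

# Build the HS2 JDBC URL for host $1 from the ssl-server.xml at $2.
# Returns non-zero when either truststore setting is absent, so a caller
# never connects with an empty sslTrustStore or trustStorePassword.
hs2_jdbc_url() {
  local host="$1" conf="${2:-/etc/hadoop/conf/ssl-server.xml}"
  local path pass
  path=$(hadoop_conf_value ssl.server.truststore.location "$conf")
  pass=$(hadoop_conf_value ssl.server.truststore.password "$conf")
  if [ -z "$path" ] || [ -z "$pass" ]; then
    echo "truststore settings not found in $conf" >&2
    return 1
  fi
  printf 'jdbc:hive2://%s:10000/default;ssl=true;sslTrustStore=%s;trustStorePassword=%s\n' \
    "$host" "$path" "$pass"
}

# Demo on a constructed ssl-server.xml (path and password are made up).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<configuration>
  <property>
    <name>ssl.server.truststore.location</name>
    <value>/constructed/path/truststore.jks</value>
  </property>
  <property>
    <name>ssl.server.truststore.password</name>
    <value>constructed-password</value>
  </property>
</configuration>
EOF
hs2_jdbc_url HOST_NAME "$demo_conf"
rm -f "$demo_conf"

# On the primary node: beeline -u "$(hs2_jdbc_url HOST_NAME)"
```

The resulting URL contains the truststore password, so pass it directly to the client rather than writing it to logs.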

Off-cluster HS2 access

If you are accessing HiveServer2 from a client outside the Amazon EMR cluster, you can use one of the following approaches to get the TRUSTSTORE_PATH and TRUSTSTORE_PASSWORD:

  • Convert the PEM file that was created during security configuration to a JKS file and use that JKS file in the JDBC connection URL. For example, with openssl and keytool, use the following commands:

    openssl pkcs12 -export -in trustedCertificates.pem -inkey privateKey.pem -out trustedCertificates.p12 -name "certificate"
    keytool -importkeystore -srckeystore trustedCertificates.p12 -srcstoretype pkcs12 -destkeystore trustedCertificates.jks

  • Alternatively, refer to /etc/hadoop/conf/ssl-server.xml to find the TRUSTSTORE_PATH and TRUSTSTORE_PASSWORD parameter values, which are stored in the ssl.server.truststore.location and ssl.server.truststore.password properties. Download the truststore file to the client machine and use the path on the client machine as the TRUSTSTORE_PATH.

    For more information on accessing applications from a client outside of the Amazon EMR cluster, see Use the Hive JDBC driver.
