Pivotal Knowledge Base


Configuring LDAPS Authentication with HiveServer2


  • PHD 3.x


Compared to LDAP authentication some more configuration steps needed for LDAPS authentication with HiverServer2.

Following are articles about how to configure HiveServer2 to use LDAP authentication as well as use beeline client. Refer to these articles to gain more background knowledge if necessary.

HiveServer2 Active Directory Authentication Guide

How to configure HiveServer2 and use beeline client on Pivotal HD cluster

More steps for LDAPS authentication

1. Get certificate (servercert.pem in the example) from LDAP server and put it onto HiverServer2 host

2. Check if Java keystore file /usr/lib/jvm/jre/lib/security/jssecacerts exists on HiverServer2 host or not. If not, make a copy from default keystore cacerts or use it directly

 [root@hdm2 ~]# cp /usr/lib/jvm/jre/lib/security/cacerts /usr/lib/jvm/jre/lib/security/jssecacerts

3. Import certificate from LDAP server to Java keystore on HiverServer2 host. Note that default password of Java keystore is changeit

[root@hdm2]# keytool -importcert -file /root/servercert.pem -alias myCA -keystore /usr/lib/jvm/jre/lib/security/jssecacerts -storepass changeit
Owner: EMAILADDRESS=sgai@pivotal.io, CN=admin.hadoop.local, OU=GSS, O=Pivotal, L=shanghai, ST=shanghai, C=CN
Issuer: EMAILADDRESS=sgai@pivotal.io, CN=admin.hadoop.local, OU=GSS, O=Pivotal, ST=shanghai, C=CN
Serial number: fc648d6e1b0ece60
Valid from: Sun Aug 09 21:22:47 EDT 2015 until: Mon Aug 08 21:22:47 EDT 2016
Certificate fingerprints:
MD5: 09:33:56:84:EC:ED:FE:8C:ED:9E:43:DD:5D:E3:2D:01
SHA1: 4E:46:7C:0E:2F:57:18:CE:6E:7D:25:4E:60:E7:E8:C5:51:0A:52:38
SHA256: 68:17:07:B9:12:0A:18:94:69:53:84:FD:17:A0:5C:17:27:F2:5B:C4:2D:03:8B:E3:A5:D0:D9:62:7A:0C:75:AF
Signature algorithm name: SHA1withRSA
Version: 3 Extensions: #1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 72 61 ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65 ted Certificate
#2: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F4 00 24 40 EA 71 84 72 E4 72 A6 27 58 31 5D 36 ..$@.q.r.r.'X1]6
0010: 44 63 EB 54 Dc.T
] #3: ObjectId: Criticality=false
PathLen: undefined
] #4: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B CF DE F3 17 52 51 92 94 9C 8D 0B F9 A1 EE 7A [....RQ........z
0010: 82 3D 4B E7 .=K.
] Trust this certificate? [no]: yes
Certificate was added to keystore

4. Add following line to hive-env.sh on Ambari web UI

export HADOOP_OPTS="${HADOOP_OPTS} -Djavax.net.ssl.trustStore=/usr/lib/jvm/jre/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"

5. Change hive.server2.authentication.ldap.url in hive-site.xml to ldaps://x.x.x.x on Ambari web UI

6. Restart Hive service

7. Try connect to HiverServer2 using beeline with credential in LDAP server

[root@hdm2 ~]# beeline
Beeline version by Apache Hive
beeline> !connect jdbc:hive2://hdm2.hadoop.local:10000/default
scan complete in 9ms
Connecting to jdbc:hive2://hdm2.hadoop.local:10000/default
Enter username for jdbc:hive2://hdm2.hadoop.local:10000/default: hdfs
Enter password for jdbc:hive2://hdm2.hadoop.local:10000/default: ********
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/phd/!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/phd/!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Connected to: Apache Hive (version
Driver: Hive JDBC (version
0: jdbc:hive2://hdm2.hadoop.local:10000/defau> show tables;
| tab_name |
| passwords |
1 row selected (0.274 seconds)


  • Avatar
    Kyle Dunn

    *Very* helpful Scott - Can we also tag this for HDP 2.4? I was able to repro fix this in that environment as well.

Powered by Zendesk