NihalJain commented on code in PR #5383: URL: https://github.com/apache/hbase/pull/5383#discussion_r1316001563
########## src/main/asciidoc/_chapters/zookeeper.adoc: ########## 
@@ -441,7 +441,70 @@ This would avoid the need for a separate Hadoop jar that fixes link:https://issu ==== Elimination of `kerberos.removeHostFromPrincipal` and`kerberos.removeRealmFromPrincipal` +== TLS connection to ZooKeeper +Apache ZooKeeper also supports SSL/TLS client connections to encrypt the data in transmission. This is particularly +useful when the ZooKeeper ensemble is running on a host different from HBase and data has to be sent +over the wire. + +=== Java system properties + +The ZooKeeper client supports the following Java system properties to set up TLS connection: + +[source,bourne] +---- +zookeeper.client.secure=true +zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty +zookeeper.ssl.keyStore.location="/path/to/your/keystore" +zookeeper.ssl.keyStore.password="keystore_password" +zookeeper.ssl.trustStore.location="/path/to/your/truststore" +zookeeper.ssl.trustStore.password="truststore_password" +---- + +Setting up KeyStore is optional and only required if ZooKeeper server requests for client certificate. + +Find more detailed information in the link:https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide[ZooKeeper SSL User Guide]. + +[WARNING] +These're standard Java properties which should be set in the HBase command line and are effective in +the entire Java process. All ZooKeeper clients running in the same process will pick them up including +co-processors. + +[NOTE] +Since ZooKeeper version 3.8 the following two properties are useful to store the +keystore and truststore passwords in protected text files rather than exposing them in the command line. 
+ +[source,bourne] +---- +zookeeper.ssl.keyStore.passwordPath=/path/to/secure/file +zookeeper.ssl.trustStore.passwordPath=/path/to/secure/file +---- + +=== HBase configuration + +Since HBase version 2.4.18 ZooKeeper client TLS settings are also available in _hbase-site.xml_ via Review Comment: Is it worth mentioning the JIRA# so that users get a full list of versions where the fix landed? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@hbase.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
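Review bot: the `[WARNING]` block states that the properties are process-wide but not why that matters for the two `*.password` properties; put on the command line they are exposed to anything that can read the process's argument list, which is the real reason to prefer the `passwordPath` variants the following `[NOTE]` introduces, so suggest saying so in the warning and adding that the password files must be readable only by the HBase service user. In the `[NOTE]` example both `zookeeper.ssl.keyStore.passwordPath` and `zookeeper.ssl.trustStore.passwordPath` point at the same `/path/to/secure/file`, which reads as if one file serves both; use distinct placeholders such as `/path/to/keystore_password_file` and `/path/to/truststore_password_file`. Also `These're` should be `These are`, and `Setting up KeyStore is optional and only required if ZooKeeper server requests for client certificate.` should read `Setting up a keystore is optional and only required if the ZooKeeper server requests a client certificate.`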