Creating an EMR with Presto SSL

Grant Young — Tue, 26 Nov 2019 02:13:40 +0000

This article focuses on adding SSL to an existing Presto environment. The configuration of Presto and a Hive metastore is assumed as complete.
We also cover how to connect to it with JDBC.

We had been using Presto without SSL for a while, however, we needed to connect our MicroStrategy analytics platform to Presto and that required the use of a SSL connection.

Create self signed cert
EMR Security Configuration
Create EMR
Connect and download truststore
Connect using JDBC

Create Self Signed Cert

Follow the instructions here to create a self signed certificate.
I also needed a Route53 DNS alias address for the EMR, presto.mydomain.com. This allows me to configure the JDBC client to use presto.mydomain.com as the URL without having to update the client when I rebuild the EMR.
The EMR will update the Route53 entry with its master node IP during bootstrap.
I've extended the certificate request to include this extra domain.

cp /etc/ssl/openssl.cnf .
echo '[ subject_alt_name ]' >> openssl.cnf
echo 'subjectAltName = DNS:presto.mydomain.com, DNS:*.us-west-2.compute.internal'>> openssl.cnf
openssl req -x509 -newkey rsa:1024 -keyout privateKey.pem -out certificateChain.pem -days 365 -nodes -config openssl.cnf -extensions subject_alt_name -subj '/C=US/ST=Washington/L=Seattle/O=MyOrg/OU=MyDept/CN=*.us-west-2.compute.internal'
cp certificateChain.pem trustedCertificates.pem
zip -r -X prestosslcerts.zip certificateChain.pem privateKey.pem trustedCertificates.pem

Now upload the cert to a S3 location the EMR can read from.

aws s3 cp prestosslcerts.zip s3://my-emr-bucket/prestosslcerts.zip

EMR Security Configuration

Create a new EMR Security Configuration that uses the certificate zip for In-transit encryption.

Create EMR

Create your EMR but have it use your new security configuration.

Connect and download truststore

SSH to your EMR master node

[hadoop@ip-10-100-10-10 ~]$ cat /etc/hadoop/conf/ssl-client.xml
<configuration>

  <property>
    <name>ssl.client.keystore.keypassword</name>
    <value>xxxxxxxxxx</value>
  </property>

  <property>
    <name>ssl.client.truststore.reload.interval</name>
    <value>10000</value>
  </property>

  <property>
    <name>ssl.client.keystore.location</name>
    <value>/usr/share/aws/emr/security/conf/keystore.jks</value>
  </property>

  <property>
    <name>ssl.client.truststore.password</name>
    <value>xxxxxxxxxx</value>
  </property>

  <property>
    <name>ssl.client.truststore.type</name>
    <value>jks</value>
  </property>

  <property>
    <name>ssl.client.truststore.location</name>
    <value>/usr/share/aws/emr/security/conf/truststore.jks</value>
  </property>

  <property>
    <name>ssl.client.keystore.password</name>
    <value>xxxxxxxxxx</value>
  </property>

  <property>
    <name>ssl.client.keystore.type</name>
    <value>jks</value>
  </property>
</configuration>

Note the following:

ssl.client.truststore.location
ssl.client.truststore.password

The same truststore.jks file can be used to connect to any EMR as long as they are using the same Security Configuration.

View truststore

Optional: Use the command below to view the truststore certificate

keytool -list -v -keystore /usr/share/aws/emr/security/conf/truststore.jks
[ssl.client.truststore.password]

Change truststore password

Optional: Should you require, the truststore password can be changed. This is useful if you want to download the cert again without having to update client passwords.

cp /usr/share/aws/emr/security/conf/truststore.jks /root/truststore.jk
keytool -storepasswd -keystore /root/truststore.jks 
Enter keystore password:  <== ssl.client.truststore.password
New keystore password:   <== user specified password

Connect using JDBC

Copy the truststore.jks file from the truststore.location, usually /usr/share/aws/emr/security/conf/truststore.jks to your client.

Either download the presto jdbc driver https://prestosql.io/download.html
Or copy from the EMR /usr/lib/presto/presto-jdbc/

The Connection URL will look like
jdbc:presto://presto.mydomain.com:8446/hive/product_usage?SSL=true&SSLTrustStorePath=<local/path/truststore.jks>&SSLTrustStorePassword=<ssl.client.truststore.password>;

Using SQL Workbench/J

Open SQL Workbench/J
File > Manage Drivers

Create a new entry
Name: Presto JDBC Driver
Library: C:\local\path\presto-jdbc-0.228.jar
OK

File > Connect window

Name: PrestoSSL
Driver: Presto JDBC Driver
URL: jdbc:presto://presto.mydomain.com:8446/catalog/schema
Username: hadoop
Password: blank

Extended Properties

SSL true
SSLTrustStorePath C:\local\path\truststore.jks
SSLTrustStorePassword [ssl.client.truststore.password]

DEV Community: Grant Young