DEV Community

Cover image for Creating an EMR with Presto SSL
Grant Young
Grant Young

Posted on

Creating an EMR with Presto SSL

#aws #devops #emr #presto

This article focuses on adding SSL to an existing Presto environment. The configuration of Presto and a Hive metastore is assumed as complete.
We also cover how to connect to it with JDBC.

We had been using Presto without SSL for a while, however, we needed to connect our MicroStrategy analytics platform to Presto and that required the use of a SSL connection.

  • Create self signed cert
  • EMR Security Configuration
  • Create EMR
  • Connect and download truststore
  • Connect using JDBC

Create Self Signed Cert

Follow the instructions here to create a self signed certificate.
I also needed a Route53 DNS alias address for the EMR, presto.mydomain.com. This allows me to configure the JDBC client to use presto.mydomain.com as the URL without having to update the client when I rebuild the EMR.
The EMR will update the Route53 entry with its master node IP during bootstrap.
I've extended the certificate request to include this extra domain.

cp /etc/ssl/openssl.cnf .
echo '[ subject_alt_name ]' >> openssl.cnf
echo 'subjectAltName = DNS:presto.mydomain.com, DNS:*.us-west-2.compute.internal'>> openssl.cnf
openssl req -x509 -newkey rsa:1024 -keyout privateKey.pem -out certificateChain.pem -days 365 -nodes -config openssl.cnf -extensions subject_alt_name -subj '/C=US/ST=Washington/L=Seattle/O=MyOrg/OU=MyDept/CN=*.us-west-2.compute.internal'
cp certificateChain.pem trustedCertificates.pem
zip -r -X prestosslcerts.zip certificateChain.pem privateKey.pem trustedCertificates.pem
Enter fullscreen mode Exit fullscreen mode

Now upload the cert to a S3 location the EMR can read from.

aws s3 cp prestosslcerts.zip s3://my-emr-bucket/prestosslcerts.zip
Enter fullscreen mode Exit fullscreen mode

EMR Security Configuration

Create a new EMR Security Configuration that uses the certificate zip for In-transit encryption.
EMR Security Configuration

Create EMR

Create your EMR but have it use your new security configuration.

Connect and download truststore

SSH to your EMR master node

[hadoop@ip-10-100-10-10 ~]$ cat /etc/hadoop/conf/ssl-client.xml
<configuration>

  <property>
    <name>ssl.client.keystore.keypassword</name>
    <value>xxxxxxxxxx</value>
  </property>

  <property>
    <name>ssl.client.truststore.reload.interval</name>
    <value>10000</value>
  </property>

  <property>
    <name>ssl.client.keystore.location</name>
    <value>/usr/share/aws/emr/security/conf/keystore.jks</value>
  </property>

  <property>
    <name>ssl.client.truststore.password</name>
    <value>xxxxxxxxxx</value>
  </property>

  <property>
    <name>ssl.client.truststore.type</name>
    <value>jks</value>
  </property>

  <property>
    <name>ssl.client.truststore.location</name>
    <value>/usr/share/aws/emr/security/conf/truststore.jks</value>
  </property>

  <property>
    <name>ssl.client.keystore.password</name>
    <value>xxxxxxxxxx</value>
  </property>

  <property>
    <name>ssl.client.keystore.type</name>
    <value>jks</value>
  </property>
</configuration>
Enter fullscreen mode Exit fullscreen mode

Note the following:

  • ssl.client.truststore.location
  • ssl.client.truststore.password

The same truststore.jks file can be used to connect to any EMR as long as they are using the same Security Configuration.

View truststore

Optional: Use the command below to view the truststore certificate

keytool -list -v -keystore /usr/share/aws/emr/security/conf/truststore.jks
[ssl.client.truststore.password]
Enter fullscreen mode Exit fullscreen mode

Change truststore password

Optional: Should you require, the truststore password can be changed. This is useful if you want to download the cert again without having to update client passwords.

cp /usr/share/aws/emr/security/conf/truststore.jks /root/truststore.jk
keytool -storepasswd -keystore /root/truststore.jks 
Enter keystore password:  <== ssl.client.truststore.password
New keystore password:   <== user specified password
Enter fullscreen mode Exit fullscreen mode

Connect using JDBC

Copy the truststore.jks file from the truststore.location, usually /usr/share/aws/emr/security/conf/truststore.jks to your client.

Either download the presto jdbc driver https://prestosql.io/download.html
Or copy from the EMR /usr/lib/presto/presto-jdbc/

The Connection URL will look like
jdbc:presto://presto.mydomain.com:8446/hive/product_usage?SSL=true&SSLTrustStorePath=<local/path/truststore.jks>&SSLTrustStorePassword=<ssl.client.truststore.password>;

Using SQL Workbench/J

Open SQL Workbench/J
File > Manage Drivers

  • Create a new entry
  • Name: Presto JDBC Driver
  • Library: C:\local\path\presto-jdbc-0.228.jar
  • OK

File > Connect window

  • Name: PrestoSSL
  • Driver: Presto JDBC Driver
  • URL: jdbc:presto://presto.mydomain.com:8446/catalog/schema
  • Username: hadoop
  • Password: blank

Extended Properties

  • SSL true
  • SSLTrustStorePath C:\local\path\truststore.jks
  • SSLTrustStorePassword [ssl.client.truststore.password]

Top comments (0)

Read next

karthiksakthiveltechie profile image

Amazon Redshift introduces query identifiers for improved query performance monitoring.

Karthik Sakthivel -

ovrobin profile image

How to Host a Static Website Using AWS CLI in Less Than 5 Minutes

Victor Robin -

bennyfmo_237 profile image

Step-by-Step Guide to EC2 Auto Scaling and Load Balancing on AWS

benny fmo -

dilanka-rathnasiri profile image

Kubernetes Pods

Dilanka Rathnasiri -