Connecting to Presto Using SSL

Use the following steps to connect to Presto using Secure Sockets Layer (SSL) encryption.

Configure SSL for Presto

The Presto JDBC driver is presto-jdbc-release.jar, where release is your release of the Presto JDBC driver. The driver used in these instructions was obtained from https://Prestodb.github.io/docs/current/installation/jdbc.html. The service being used by Presto is Hive.

    Procedure
  1. Ensure that Hive and Presto are already installed on your system.
  2. Create the following properties files under /opt/Presto/Presto-server-release/etc, where release is your release of the Presto JDBC driver.
    Note: Some lines that need to be added to these configuration files could not fit on one line in this document. Lines that are indented are continuations, and should be concatenated as a single line in the configuration file.
    1. Create and add the following parameters to config.properties.
      coordinator=true
      node-scheduler.include-coordinator=true
      http-server.https.enabled=true
      http-server.https.port=port
      query.max-memory=5GB
      query.max-memory-per-node=1GB
      discovery-server.enabled=true
      discovery.uri=https://server:port
      node.internal-address=server
      http-server.https.keystore.path=/opt/Presto/ssl/Presto.jks
      http-server.https.keystore.key=sslpassphrase
      internal-communication.https.required=true
      internal-communication.https.keystore.path=/opt/Presto/ssl/Presto.jks
      internal-communication.https.keystore.key=sslpassphrase
      http-server.https.secure-random-algorithm=SHA1PRNG

      where:

      server

      Is the domain name or URL of the server running Presto.

      port

      Is the port number on which the Presto server is listening.

    2. Create and add the following parameter to log.properties.
      com.facebook.presto=INFO
    3. Create and add the following parameters to node.properties.
      node.environment=mintopsblog
      node.id=uuid
      node.data-dir=/opt/Presto/Presto-data

      You can generate a UUID using the following command:

      uuidgen
    4. Create and add the following parameters to jvm.config.
      -server
      -Xmx4G
      -XX:+UseG1GC
      -XX:G1HeapRegionSize=32M
      -XX:+UseGCOverheadLimit
      -XX:+ExplicitGCInvokesConcurrent
      -XX:+HeapDumpOnOutOfMemoryError
      -XX:+ExitOnOutOfMemoryError
  3. Create the file hive.properties under /opt/Presto/Presto-server-release/etc/catalog, with the following parameters:
    connector.name=hive-hadoop2
    hive.metastore.uri=thrift://hiveserver:hiveport
    hive.config.resources=/opt/Presto/hive/core-site.xml,
        /opt/Presto/hive/hdfs-site.xml
    hive.allow-drop-table=true

    where:

    hiveserver

    Is the domain name or URL of the server running Hive.

    hiveport

    Is the port number on which the Hive server is listening.

  4. Create an SSL certificate according to standard SSL instructions.

    For example:

    sudo mkdir -p /opt/Presto/ssl
    cd /opt/Presto/ssl
    openssl req -newkey rsa:2048 -nodes -keyout privatekey.key \
            -x509 -days 365 -out certificate.crt \
            -passin pass:sslpassphrase -subj \
            "/OU=Presto/CN=lnxPresto.ibi.com/"
    openssl pkcs12 -inkey privatekey.key -in certificate.crt -export \
            -out bundle.p12 -passin pass:sslpassphrase \
            -passout pass:sslpassphrase
    keytool -noprompt -importkeystore -srckeystore bundle.p12 \
            -srcstoretype pkcs12 -srcstorepass sslpassphrase \
            -destkeystore Presto.jks -deststoretype JKS \
            -deststorepass sslpassphrase

    This creates the keystore file (Presto.jks).

  5. Place the generated keystore file (Presto.jks) under directory path /opt/Presto/ssl/.
  6. Configure the JDBC Adapter for Presto with the following options.
    1. Set JDK_HOME to /usr/java/jdk1.8.0_version (where version is your version of Java 1.8) in the edaenv.cfg file.
    2. Three SSL parameters must be added to the connection string in the server profile (edasprof.prf), which you can configure on the Get Data page in the Server WebFOCUS Reporting Server browser interface.
      jdbc:presto://server:port/hive?SSL=true&|SSLTrustStorePath=
           /usr/Presto/cert/Presto.jks&|SSLTrustStorePassword=sslpassphrase

      where:

      server

      Is the domain name or URL of the server running Presto.

      port

      Is the port number on which the Presto server is listening.

      hive

      Is the location of the Hive service.

      Note: The ampersand (&) symbols in the URL must be followed by the escape character (|) in order to prevent them from being treated as the start of a FOCUS amper variable.
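  7. Copy the keystore file Presto.jks that was created in step 4 to all hosts that are using the Presto JDBC Adapter to connect using SSL. This file must be named in the JDBC connection URL as shown in step 6b. Because Presto.jks contains the server's private key as well as its certificate, restrict read access to it on each host.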
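
A lint for the config.properties file from step 2, written as an added example that is not part of the original instructions or of Presto. It flags unjoined continuation lines, a non-HTTPS discovery URI, missing keystore settings, and the placeholder passphrase. Assumptions: http-server.http.enabled is a Presto property that does not appear in the steps above, and the sample configuration and host name are constructed.

```python
# Added example (not from the original page): lint a Presto config.properties
# for the TLS settings of step 2. The sample config below is constructed.

def lint(text):
    """Return findings for a config.properties supplied as a string."""
    props, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            # The page wraps long values onto indented lines; the file must not.
            findings.append(f"line {n}: no '=', continuation line not joined")
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    if props.get("http-server.https.enabled") != "true":
        findings.append("http-server.https.enabled is not true")
    # Known Presto property, not on the page: the HTTP listener defaults to on.
    if props.get("http-server.http.enabled") != "false":
        findings.append("plaintext HTTP listener not disabled")
    if props.get("internal-communication.https.required") != "true":
        findings.append("internal-communication.https.required is not true")
    uri = props.get("discovery.uri", "")
    if not uri.startswith("https://"):
        findings.append("discovery.uri does not use https")
    elif uri.rsplit(":", 1)[-1].rstrip("/") != props.get("http-server.https.port"):
        findings.append("discovery.uri port differs from http-server.https.port")
    for prefix in ("http-server.https", "internal-communication.https"):
        if not props.get(prefix + ".keystore.path"):
            findings.append(prefix + ".keystore.path is missing")
        secret = props.get(prefix + ".keystore.key")
        if not secret:
            findings.append(prefix + ".keystore.key is missing")
        elif secret == "sslpassphrase":
            findings.append(prefix + ".keystore.key is the documentation placeholder")
    return findings

SAMPLE = """http-server.https.enabled=true
http-server.https.port=8443
discovery.uri=http://presto.example.com:8080
http-server.https.keystore.path=/opt/Presto/ssl/Presto.jks
http-server.https.keystore.key=sslpassphrase
internal-communication.https.required=true
internal-communication.https.keystore.path=/opt/Presto/ssl/
    Presto.jks
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against a file that follows step 2 exactly, the lint still reports the plaintext HTTP listener and the placeholder passphrase, because the steps do not disable the former or replace the latter.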