TLS/SSL

BDD can be installed on Hadoop clusters secured with TLS/SSL.

TLS/SSL can be configured for specific Hadoop services to encrypt communication between them. If you have it enabled in Hadoop, you can enable it for BDD to encrypt its communications with your Hadoop cluster.

If your Hadoop cluster has TLS/SSL enabled, verify that your system meets the following requirements:
  • Kerberos is enabled for both Hadoop and BDD. Note that this isn't required, but is strongly recommended. For more information, see Kerberos.
  • TLS/SSL is enabled in your Hadoop cluster for the HDFS, YARN, Hive, and/or Key Management Server (KMS) services.
  • The KMS service is installed in your Hadoop cluster. You should have already done this as part of enabling TLS/SSL.

To enable BDD to run on a Hadoop cluster secured with TLS/SSL:

  1. Export the public key certificates for all nodes running TLS/SSL-enabled HDFS, YARN, Hive, and/or KMS.
    You can do this with the following command:
    keytool -exportcert -alias <alias> -keystore <keystore_filename> -file <export_filename>
    Where:
    • <alias> is the certificate's alias.
    • <keystore_filename> is the absolute path to your keystore file. You can find this in Cloudera Manager, Ambari, or MCS.
    • <export_filename> is the name of the file you want to export the certificate to.
  2. Copy the exported certificates to a single directory on the install machine.
    The location of this directory is arbitrary, as you will define it in BDD's configuration file before installing. Don't remove this directory after installing, as you will use it if you have to update the certificates.
  3. Verify that the password for $JAVA_HOME/jre/lib/security/cacerts is set to the default, changeit.
    This is required by the installer. If it has been changed, be sure to set it back to the default.
When the installer runs, it imports the certificates into a custom truststore file, then copies that truststore to $BDD_HOME/common/security/cacerts on all BDD nodes.
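
The following pre-install check covers steps 1 through 3. It is an added example, not part of the BDD documentation or installer, and it confirms that every exported file parses as a certificate and that cacerts still opens with changeit. The function names and the KS_PASS environment variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pre-install checks for steps 1-3 of the procedure above.
# Function names and the KS_PASS variable are assumptions of this sketch,
# not BDD installer settings.

# Step 1: export one certificate with the keytool command from the procedure.
# The keystore password is read from the KS_PASS environment variable, so it
# does not appear on the command line.
export_cert() {  # export_cert <alias> <keystore_filename> <export_filename>
    keytool -exportcert -alias "$1" -keystore "$2" -file "$3" \
        -storepass:env KS_PASS
}

# Step 2: every file in the directory must parse as an X.509 certificate.
# Prints each file with its SHA-256 fingerprint for comparison with the source
# node. Returns 0 if all parse, 1 if any is rejected, 2 if nothing to check.
check_cert_dir() {
    dir=$1; bad=0; seen=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        if out=$(keytool -printcert -file "$f" 2>/dev/null); then
            fp=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*SHA256: *//p')
            printf '%s  %s\n' "$f" "$fp"
        else
            echo "not a certificate: $f" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] || { echo "no files in $dir" >&2; return 2; }
    [ "$bad" -eq 0 ]
}

# Step 3: the installer requires the cacerts password to be the default.
# keytool -list exits non-zero when -storepass does not match the keystore.
cacerts_has_default_password() {
    store=${1:-$JAVA_HOME/jre/lib/security/cacerts}
    [ -f "$store" ] || { echo "no truststore at $store" >&2; return 2; }
    keytool -list -keystore "$store" -storepass changeit >/dev/null 2>&1
}

# Run both checks when a certificate directory is given as the first argument.
if [ -n "${1:-}" ]; then
    check_cert_dir "$1" || exit 1
    cacerts_has_default_password || { echo "cacerts password is not changeit" >&2; exit 1; }
fi
```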