Connecting to Impala with TLS (SSL) Enabled

You can connect to the Impala data source with TLS/SSL network-level encryption to secure your data while working with your data source.


For Impala:

  • Impala's TLS configuration requires an x509 certificate that will identify the Impala daemon to clients during TLS connections. Production usage of TLS usually implies purchasing the necessary certificates from a commercial Certificate Authority (CA), while development environments can use self-signed certificates. If you have either a rootCA from the trusted CA or a self-signed certificate in PEM format you can verify your Impala TLS configuration using the openssl utility
openssl s_client -connect impala_host:port -CAfile certificate.pem

For Zoomdata Server/Impala Connector:

  • There is no particular configuration related to TLS from the point of view of Zoomdata components. However, the client must have a Java truststore with a correct certificate (for example, a root certificate provided by some CA) installed. This means that the truststore must be accessible to the Zoomdata Server/Impala connector.
  • To list all the certificates installed in the Java truststore, use the keytool utility:
    keytool -v -list -keystore path_to_truststore  -storetype jks -storepasstruststore_password

Once you have the Java truststore configured, enabling SSL from Zoomdata’s perspective is a matter of composing the correct JDBC URL.

Creating a JDBC URL with the TLS Parameters

To specify the TLS-related parameters, use the following template for a JDBC URL:

jdbc:hive2:// impala_host : port /;ssl=true;sslTrustStore= path_to_truststore ;trustStorePassword= truststore_password ;auth=noSasl


  • ssl=true is a required parameter for enabling TLS encryption.

  • path_to_truststore is the path to a Java truststore which contains either a certificate issued by a trusted CA or a self-signed certificate (not recommended and shouldn’t be used in a production environment).

Make sure that the Zoomdata Server/Connector process has "Read" access privileges to the truststore file.
  • truststore_password is the password to access the truststore .
  • auth=noSasl is a required parameter when no authentication or simple user/password authentication is used.

Using TLS Encryption with Kerberos Authentication

Refer to Connecting to a Kerberized CDH Cluster topic for more details on enabling Kerberos authentication. The template for a JDBC URL containing both TLS and Kerberos parameters is as follows:

jdbc:hive2:// impala_host : port /;principal= impala_principal ;ssl=true;sslTrustStore= path_to_truststore ;trustStorePassword= truststore_password
Keep in mind that you don't have to specify the auth=noSasl parameter when using Kerberos authentication.