Using Wire Encryption

Wire encryption provides confidentiality and privacy to two parties communicating over a public network. The two parties may also need to prove their identity to each other: authentication is the process of proving identity.

In Dremio, Transport Layer Security (TLS), previously called Secure Sockets Layer (SSL), is the protocol used to establish an encrypted communication channel between two parties.

Dremio supports using TLS for the following:

  • Full Wire Encryption - Enables all TLS communication.
  • Web Server Encryption - Enables HTTPS on Dremio's web server.
  • ODBC/JDBC Client Encryption - Enables TLS communication between ODBC / JDBC clients and the Dremio server.
  • Intracluster Encryption - Enables TLS communication between nodes in a Dremio cluster.

[info] Permissions

The file permissions on the keystore, truststore, and dremio.conf files must be set correctly.

  • keystore permission: 0440
  • truststore permission: 0444
  • dremio.conf file permission: 0444

Full Wire Encryption (Enterprise Edition only)

To configure Dremio to use encryption for all web server, client-server, and intracluster communication using the same keystore and truststore, set the following properties in the dremio.conf file on all of your Dremio coordinator and executor nodes in the cluster.

[info] Full Wire encryption is an Enterprise Edition feature only.

Full Wire Encryption Configuration

javax.net.ssl.keyStoreType: "type" # optional; default: JKS
javax.net.ssl.keyStore: "path/to/keystore/jks/file"
javax.net.ssl.keyStorePassword: "keystorePassword"
javax.net.ssl.keyPassword: "key password"
javax.net.ssl.trustStoreType: "type" # optional; default: JKS
javax.net.ssl.trustStore: "path/to/truststore/jks/file"
javax.net.ssl.trustStorePassword: "trustStorePassword"


services.coordinator.client-endpoint.ssl.enabled: true
services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false
services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: false

Web Server Encryption

To configure the Dremio web server to use HTTPS, set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator nodes.

Web Server Encryption Configuration

services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false

services.coordinator.web.ssl.keyStore: "path/to/keystore/jks/file"
services.coordinator.web.ssl.keyStorePassword: "keystorePassword"
services.coordinator.web.ssl.trustStore: "path/to/trustStore" # optional
services.coordinator.web.ssl.trustStorePassword: "trustStorePassword" # optional

Generating a self-signed certificate

[warning] WARNING: Using a self-signed certificate in production is not recommended for security reasons. Most browsers will also warn you if Dremio's web server is configured with a self-signed certificate.

To configure Dremio to use self-signed certificates for Dremio web server encryption, add the following parameters to dremio.conf on all of your coordinator nodes.

services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true

ODBC/JDBC Client Encryption (Enterprise Edition only)

Transport Layer Security (TLS) communication is supported for encrypting communication between ODBC/JDBC client applications and the Dremio server.

[info] ODBC/JDBC encryption is an Enterprise Edition feature only.

[warning] Not Supported Notice

The Microsoft Power BI Desktop client application is not supported.

To configure Dremio to use TLS for client-server encryption:

  1. Set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator nodes.
  2. Set up and configure the ODBC/JDBC driver for your client application, including the Dremio connection settings and the ODBC/JDBC parameters for Dremio wire encryption.
    • See Drivers for more information about downloading and installing drivers.
    • See ODBC and JDBC for specific driver information.
    • See your Client application for client information.

ODBC/JDBC Dremio Configuration

To enable ODBC/JDBC client encryption for Dremio, add the following keyStore and trustStore properties to the dremio.conf file on all of your Dremio coordinator nodes:

services.coordinator.client-endpoint.ssl.enabled: true
services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false

services.coordinator.client-endpoint.ssl.keyStoreType: "type" # optional; default: JKS
services.coordinator.client-endpoint.ssl.keyStore: "path/to/keystore/jks/file"
services.coordinator.client-endpoint.ssl.keyStorePassword: "file password"
services.coordinator.client-endpoint.ssl.keyPassword: "key password"
services.coordinator.client-endpoint.ssl.trustStoreType: "type" # optional; default: JKS
services.coordinator.client-endpoint.ssl.trustStore: "path/to/truststore/jks/file"
services.coordinator.client-endpoint.ssl.trustStorePassword: "file password"

Generating a self-signed certificate

[warning] WARNING: Using a self-signed certificate in production is not recommended for security reasons.

To configure Dremio to use self-signed certificates for client-server encryption, add the following parameters to dremio.conf on your coordinator nodes.

services.coordinator.client-endpoint.ssl.enabled: true
services.coordinator.client-endpoint.ssl.auto-certificate.enabled: true

Intracluster Encryption (Enterprise Edition only)

Transport Layer Security (TLS) communication is supported for encrypting communication between Dremio nodes in a cluster. This communication is between coordinator-coordinator, coordinator-executor, and executor-executor nodes.

[info] Intracluster encryption is an Enterprise Edition feature only.

To configure Dremio to use TLS for intracluster encryption, set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator and executor nodes.

Intracluster Encryption Configuration

services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: false

services.fabric.ssl.keyStoreType: "type" # optional; default: JKS
services.fabric.ssl.keyStore: "path/to/keystore/jks/file"
services.fabric.ssl.keyStorePassword: "file password"
services.fabric.ssl.keyPassword: "key password"
services.fabric.ssl.trustStoreType: "type" # optional; default: JKS
services.fabric.ssl.trustStore: "path/to/truststore/jks/file"
services.fabric.ssl.trustStorePassword: "file password"

Generating a self-signed certificate

[warning] WARNING: Using a self-signed certificate in production is not recommended for security reasons.

To configure Dremio to use self-signed certificates for intracluster encryption, add the following parameters to dremio.conf on all of your coordinator and executor nodes.

services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: true
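
The settings on this page can be checked on a node before it is restarted. The following Python is an added example, not Dremio code: it reads the flat `key: value` form of dremio.conf used above, reports each channel where TLS is off or the self-signed auto-certificate is on, and compares keystore and truststore file modes with the Permissions note. The function names, the precedence of channel-specific paths over `javax.net.ssl.*`, and the sample input are assumptions.

```python
import os
import stat

CHANNELS = {  # property prefixes for the three channels configured on this page
    "web": "services.coordinator.web.ssl",
    "client-endpoint": "services.coordinator.client-endpoint.ssl",
    "fabric": "services.fabric.ssl",
}
REQUIRED_MODES = {"keyStore": 0o440, "trustStore": 0o444}  # Permissions note

def parse_flat_conf(text):
    """Parse flat `dotted.key: value` lines (assumption: no nested HOCON blocks)."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        key, sep, value = line.partition(":")
        if sep and key.strip():
            props[key.strip()] = value.strip().strip('"')
    return props

def audit(conf_text):
    """Return (channel, finding) pairs. Assumes a channel path overrides javax.net.ssl.*."""
    props = parse_flat_conf(conf_text)
    findings = []
    for name, prefix in CHANNELS.items():
        if props.get(f"{prefix}.enabled") != "true":
            findings.append((name, "TLS not enabled"))
        elif props.get(f"{prefix}.auto-certificate.enabled") == "true":
            findings.append((name, "self-signed auto-certificate"))
        else:
            for store, want in REQUIRED_MODES.items():
                path = props.get(f"{prefix}.{store}") or props.get(f"javax.net.ssl.{store}")
                if not path:
                    if store == "keyStore":
                        findings.append((name, "no keyStore configured"))
                elif not os.path.isfile(path):
                    findings.append((name, f"{store} missing: {path}"))
                elif (got := stat.S_IMODE(os.stat(path).st_mode)) != want:
                    findings.append((name, f"{store} mode {got:04o}, expected {want:04o}"))
    return findings

# Constructed sample input, not a real node's configuration.
SAMPLE = """services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: false"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result from `audit` means all three channels have TLS enabled with a configured keystore whose mode matches the values listed under Permissions.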
