    Configuring Wire Encryption

    This topic describes how to configure Dremio for wire encryption.

    Wire encryption provides confidentiality and privacy to two parties communicating over a public network. The two parties may also need to prove their identity to each other: authentication is the process of proving identity.

    In Dremio, Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the protocol used to establish an encrypted communication channel between two parties.

    Dremio supports the following TLS wire encryption methods:

    • Full Wire Encryption - Enables TLS for all communication (web server, client-server, and intracluster).
    • Web Server Encryption - Enables HTTPS on the Dremio web server.
    • Encryption for Arrow Flight (Including the ODBC Driver for Arrow Flight SQL) - Enables TLS communication between Arrow Flight client applications and a Dremio cluster.
    • Encryption for JDBC Clients and Power BI Clients - Enables TLS communication between JDBC client applications and a Dremio cluster, or between Power BI client applications and a Dremio cluster.
    • Intracluster Encryption - Enables TLS communication between nodes in a Dremio cluster.

    note:

    All Dremio clusters must have the following configured:

    • One or more coordinator nodes with the master-coordinator role. See High Availability for a multiple coordinator node environment.
    • One or more executor nodes.

    In a cluster environment (not a single node install), a node can only have a single role: as either a master-coordinator or an executor. In addition, a coordinator-only role is not supported. A coordinator node refers to a node with the master-coordinator role enabled.

    Prerequisite

    Before configuring your Dremio environment for wire encryption, set the file permissions on the keystore, truststore, and dremio.conf files as follows:

    • keystore permission: 0440
    • truststore permission: 0444
    • dremio.conf file permission: 0444

    Full Wire Encryption (Enterprise)

    To configure Dremio to use encryption for all web server, client-server, and intracluster communication using the same keystore and truststore, set the following properties in the dremio.conf file on all of your Dremio coordinator and executor nodes in the cluster.

    Full Wire Encryption Configuration

    javax.net.ssl.keyStoreType: "type" # optional; default: JKS
    javax.net.ssl.keyStore: "path/to/keystore/jks/file"
    javax.net.ssl.keyStorePassword: "keystorePassword"
    javax.net.ssl.keyPassword: "key password"
    javax.net.ssl.trustStoreType: "type" # optional; default: JKS
    javax.net.ssl.trustStore: "path/to/truststore/jks/file"
    javax.net.ssl.trustStorePassword: "trustStorePassword"
    
    services.coordinator.client-endpoint.ssl.enabled: true
    services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: false
    services.fabric.ssl.enabled: true
    services.fabric.ssl.auto-certificate.enabled: false
    
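    As an added check (example code written for this page, not part of Dremio), the following script lints a dremio.conf fragment against the settings above: it flags endpoints where ssl.enabled is false, where auto-certificate.enabled is true (self-signed), or where auto-certificate is off but no keystore is supplied either on the endpoint or via the global javax.net.ssl.* properties, and it compares file permission bits with the Prerequisite values. The parser only handles the flat key: value lines shown on this page, not full HOCON; the sample configuration at the end is constructed for the demonstration.

```python
"""Lint a dremio.conf fragment against the wire-encryption settings on this page."""
import re
import stat

# Octal modes from the Prerequisite section.
REQUIRED_MODES = {"keystore": 0o440, "truststore": 0o444, "dremio.conf": 0o444}
# The four TLS endpoints this page configures, keyed by dremio.conf prefix.
ENDPOINTS = ("services.coordinator.web.ssl", "services.coordinator.client-endpoint.ssl",
             "services.flight.ssl", "services.fabric.ssl")
# 'key: value' with optional quotes, trailing comma or '# comment'.
LINE_RE = re.compile(r'^\s*([\w.\-]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^#,\s]+)')

def parse_conf(text):
    """Parse the flat 'key: value' lines used on this page (not a full HOCON parser)."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip('"')
    return conf

def check_endpoint(conf, prefix, allow_self_signed=False):
    """Findings for one endpoint: cleartext, self-signed, or keystore not configured."""
    on = lambda key: conf.get(key, "false").lower() == "true"
    if not on(prefix + ".enabled"):
        return [f"{prefix}: ssl.enabled is false, this endpoint is cleartext"]
    if on(prefix + ".auto-certificate.enabled"):
        return [] if allow_self_signed else [f"{prefix}: auto-certificate on (self-signed)"]
    # auto-certificate off: the keystore must come from the endpoint's own properties
    # or from the global javax.net.ssl.* properties used by Full Wire Encryption.
    return [f"{prefix}: {name} not set" for name in ("keyStore", "keyStorePassword")
            if not (conf.get(f"{prefix}.{name}") or conf.get(f"javax.net.ssl.{name}"))]

def lint(text, endpoints=ENDPOINTS, allow_self_signed=False):
    """Run check_endpoint over every endpoint the caller expects to be encrypted."""
    conf = parse_conf(text)
    return [f for p in endpoints for f in check_endpoint(conf, p, allow_self_signed)]

def mode_finding(label, mode):
    """Compare st_mode bits (e.g. os.stat(path).st_mode) with REQUIRED_MODES; None if correct."""
    bits, want = stat.S_IMODE(mode), REQUIRED_MODES[label]
    return None if bits == want else f"{label}: {bits:04o} != {want:04o}"

# Constructed sample: web server left on auto-certificate, Flight endpoint without a keystore.
SAMPLE = """services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
services.flight.ssl.enabled: true
services.flight.ssl.auto-certificate.enabled: false
services.flight.ssl.keyStoreType: "jks"  # optional; default: JKS
"""
```

    Pass only the endpoints a given node is meant to serve (for example just services.coordinator.web.ssl on a web-only setup), otherwise the unconfigured endpoints are reported as cleartext.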

    Web Server Encryption

    To configure the Dremio web server to use HTTPS, set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator nodes.

    Web Server Encryption Configuration

    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: false
    
    services.coordinator.web.ssl.keyStore: "path/to/keystore/jks/file"
    services.coordinator.web.ssl.keyStorePassword: "keystorePassword"
    services.coordinator.web.ssl.trustStore: "path/to/trustStore" # optional
    services.coordinator.web.ssl.trustStorePassword: "trustStorePassword" # optional
    

    Generating a self-signed certificate

    warning:

    Using a self-signed certificate in production is not recommended for security reasons. Most browsers will also warn you if Dremio’s web server is configured with a self-signed certificate.

    To configure Dremio to use self-signed certificates for Dremio web server encryption, add the following parameters to dremio.conf on all of your coordinator nodes.

    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: true
    

    Encryption for Arrow Flight (Including the ODBC Driver for Arrow Flight SQL) (Enterprise)

    Transport Layer Security (TLS) communication must be configured for encrypting communication between Arrow Flight client applications and a Dremio cluster.

    To enable client encryption, add these properties to the dremio.conf file on all of your coordinator nodes:

    services.flight.ssl.enabled: true
    services.flight.ssl.auto-certificate.enabled: false
    services.flight.ssl.keyStoreType: "jks"
    services.flight.ssl.keyStore: "/path/to/serverKeyStore.jks"
    services.flight.ssl.keyStorePassword: "<password for your keystore>"
    services.flight.ssl.keyPassword: "<password for your key>"
    services.flight.ssl.trustStoreType: "jks"
    services.flight.ssl.trustStore: "/path/to/serverTrustStore.jks"
    services.flight.ssl.trustStorePassword: "<password for your truststore>"
    

    Encryption for JDBC Clients and Power BI Clients That Use the Legacy ODBC Driver (Enterprise)

    Transport Layer Security (TLS) communication is supported for encrypting communication between JDBC client applications and a Dremio cluster, or between Power BI client applications that use the legacy ODBC driver and a Dremio cluster.

    To configure Dremio to use TLS for client-server encryption:

    1. Set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator nodes.
    2. Download, install, and configure a driver for your client application, ensuring that you configure the parameters required for wire encryption. See Drivers for specific driver information.

    To enable encryption in Dremio, add the following keyStore and trustStore properties to the dremio.conf file on all of your Dremio coordinator nodes:

    services.coordinator.client-endpoint.ssl.enabled: true
    services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false
    
    services.coordinator.client-endpoint.ssl.keyStoreType: "type" # optional; default: JKS
    services.coordinator.client-endpoint.ssl.keyStore: "path/to/keystore/jks/file"
    services.coordinator.client-endpoint.ssl.keyStorePassword: "file password"
    services.coordinator.client-endpoint.ssl.keyPassword: "key password"
    services.coordinator.client-endpoint.ssl.trustStoreType: "type" # optional; default: JKS
    services.coordinator.client-endpoint.ssl.trustStore: "path/to/truststore/jks/file"
    services.coordinator.client-endpoint.ssl.trustStorePassword: "file password"
    

    Generating a self-signed certificate

    warning:

    Using a self-signed certificate in production is not recommended for security reasons.

    To configure Dremio to use self-signed certificates for client-server encryption, add the following parameters to dremio.conf on your coordinator nodes.

    services.coordinator.client-endpoint.ssl.enabled: true
    services.coordinator.client-endpoint.ssl.auto-certificate.enabled: true
    

    Intracluster Encryption (Enterprise)

    Transport Layer Security (TLS) communication is supported for encrypting communication between Dremio nodes in a cluster, that is, between coordinator and executor nodes and between executor nodes.

    To configure Dremio to use TLS for intracluster encryption, set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator and executor nodes.

    Intracluster Encryption Configuration

    services.fabric.ssl.enabled: true
    services.fabric.ssl.auto-certificate.enabled: false
    
    services.fabric.ssl.keyStoreType: "type" # optional; default: JKS
    services.fabric.ssl.keyStore: "path/to/keystore/jks/file"
    services.fabric.ssl.keyStorePassword: "file password"
    services.fabric.ssl.keyPassword: "key password"
    services.fabric.ssl.trustStoreType: "type" # optional; default: JKS
    services.fabric.ssl.trustStore: "path/to/truststore/jks/file"
    services.fabric.ssl.trustStorePassword: "file password"
    

    Generating a self-signed certificate

    warning:

    Using a self-signed certificate in production is not recommended for security reasons.

    To configure Dremio to use self-signed certificates for intracluster encryption, add the following parameters to dremio.conf on all of your coordinator and executor nodes.

    services.fabric.ssl.enabled: true
    services.fabric.ssl.auto-certificate.enabled: true