Compared to LDAP authentication, LDAPS authentication with HiveServer2 requires more configuration steps.
For more information on how to configure HiveServer2 to use LDAP authentication and how to use the beeline client, refer to the articles below:
Follow the instructions below to resolve the issue:
1. Retrieve the certificate (in this case, servercert.pem) from the LDAP server and place it on the HiveServer2 host.
2. Check whether the Java keystore file /usr/lib/jvm/jre/lib/security/jssecacerts exists on the HiveServer2 host. If it does not exist, make a copy of the default keystore cacerts.
[root@hdm2 ~]# cp /usr/lib/jvm/jre/lib/security/cacerts /usr/lib/jvm/jre/lib/security/jssecacerts
3. Import the certificate from the LDAP server into the Java keystore on the HiveServer2 host. Note that the default password of the Java keystore is changeit.
[root@hdm2]# keytool -importcert -file /root/servercert.pem -alias myCA -keystore /usr/lib/jvm/jre/lib/security/jssecacerts -storepass changeit
Owner: [email protected], CN=admin.hadoop.local, OU=GSS, O=Pivotal, L=shanghai, ST=shanghai, C=CN
Issuer: [email protected], CN=admin.hadoop.local, OU=GSS, O=Pivotal, ST=shanghai, C=CN
Serial number: fc648d6e1b0ece60
Valid from: Sun Aug 09 21:22:47 EDT 2015 until: Mon Aug 08 21:22:47 EDT 2016
Certificate fingerprints:
     MD5: 09:33:56:84:EC:ED:FE:8C:ED:9E:43:DD:5D:E3:2D:01
     SHA1: 4E:46:7C:0E:2F:57:18:CE:6E:7D:25:4E:60:E7:E8:C5:51:0A:52:38
     SHA256: 68:17:07:B9:12:0A:18:94:69:53:84:FD:17:A0:5C:17:27:F2:5B:C4:2D:03:8B:E3:A5:D0:D9:62:7A:0C:75:AF
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65     ted Certificate

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F4 00 24 40 EA 71 84 72 E4 72 A6 27 58 31 5D 36  [email protected].'X1]6
0010: 44 63 EB 54                                      Dc.T
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B CF DE F3 17 52 51 92 94 9C 8D 0B F9 A1 EE 7A  [....RQ........z
0010: 82 3D 4B E7                                      .=K.
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore
[root@hdm2]#
4. Add the following line to hive-env.sh on the Ambari web UI.
export HADOOP_OPTS="${HADOOP_OPTS} -Djavax.net.ssl.trustStore=/usr/lib/jvm/jre/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
5. Change hive.server2.authentication.ldap.url in hive-site.xml to ldaps://x.x.x.x on the Ambari web UI.
6. Restart Hive services.
7. Try connecting to HiveServer2 using beeline with the credentials in the LDAP server.
[root@hdm2 ~]# beeline
Beeline version 0.14.0.3.0.1.0-1 by Apache Hive
beeline> !connect jdbc:hive2://hdm2.hadoop.local:10000/default
scan complete in 9ms
Connecting to jdbc:hive2://hdm2.hadoop.local:10000/default
Enter username for jdbc:hive2://hdm2.hadoop.local:10000/default: hdfs
Enter password for jdbc:hive2://hdm2.hadoop.local:10000/default: ********
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/phd/3.0.1.0-1/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/phd/3.0.1.0-1/hive/lib/hive-jdbc-0.14.0.3.0.1.0-1-standalone.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Connected to: Apache Hive (version 0.14.0.3.0.1.0-1)
Driver: Hive JDBC (version 0.14.0.3.0.1.0-1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hdm2.hadoop.local:10000/defau> show tables;
+------------+--+
|  tab_name  |
+------------+--+
| passwords  |
+------------+--+
1 row selected (0.274 seconds)
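
Step 3 answers "Trust this certificate?" with yes based only on what keytool prints, so the SHA256 fingerprint should be compared first against a value obtained from the LDAP administrator out of band. The following is an added example, not part of the original article: the function names and the KS_PASS environment variable are assumptions made here, and the import runs only when the fingerprint matches.

```shell
#!/bin/sh
# Added example (not from the original article): confirm the LDAP server
# certificate's SHA-256 fingerprint before trusting it in the truststore.

# Normalize a fingerprint: strip colons/whitespace and lowercase the hex.
fp_normalize() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read `keytool -printcert` output on stdin; print the normalized SHA256 value.
extract_sha256() {
  fp_normalize "$(sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)"
}

# Succeed only if the keytool output on stdin carries the expected fingerprint.
fp_matches() (
  expected=$(fp_normalize "$1")
  actual=$(extract_sha256)
  # SHA-256 is 64 hex characters; an empty or malformed parse never matches.
  [ "${#actual}" -eq 64 ] || exit 1
  case $actual in *[!0-9a-f]*) exit 1 ;; esac
  [ "$actual" = "$expected" ]
)

# Hypothetical wrapper around step 3 of the article.
# usage: verify_and_import <cert.pem> <expected-sha256> [alias] [keystore]
verify_and_import() (
  cert=$1; expected=$2; alias=${3:-myCA}
  ks=${4:-/usr/lib/jvm/jre/lib/security/jssecacerts}
  if ! keytool -printcert -file "$cert" | fp_matches "$expected"; then
    echo "fingerprint mismatch for $cert; not importing" >&2
    exit 1
  fi
  # KS_PASS is an assumed environment variable; falls back to the article's default.
  keytool -importcert -noprompt -file "$cert" -alias "$alias" \
    -keystore "$ks" -storepass "${KS_PASS:-changeit}"
)

# Run only when invoked with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then verify_and_import "$@"; fi
```

Afterwards, `keytool -list -alias myCA -keystore /usr/lib/jvm/jre/lib/security/jssecacerts` shows whether the entry is present in the truststore that hive-env.sh points to.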