Amazon EMR
Amazon EMR Release Guide

Using SSL/TLS and Configuring LDAPS with Presto on Amazon EMR

With Amazon EMR release version 5.6.0 and later, you can enable SSL/TLS to help secure internal communication between Presto nodes. You do this by setting up a security configuration for in-transit encryption. For more information, see Encryption Options and Use Security Configurations to Set Up Cluster Security in the Amazon EMR Management Guide.

When you use a security configuration with in-transit encryption, Amazon EMR does the following for Presto:

  • Distributes the encryption artifacts, or certificates, that you specify for in-transit encryption throughout the Presto cluster. For more information, see Providing Certificates for In-Transit Data Encryption.

  • Sets the following properties using the presto-config configuration classification, which corresponds to the file for Presto:

    • Sets http-server.http.enabled to false on core and task nodes, which disables HTTP in favor of HTTPS.

    • Sets http-server.https.* values. For configuration details, see LDAP Authentication in Presto documentation.

In addition, with Amazon EMR release version 5.10.0 and later, you can set up LDAP authentication for client connections to the Presto coordinator using HTTPS. This setup uses secure LDAP (LDAPS). TLS must be enabled on your LDAP server, and the Presto cluster must use a security configuration with in-transit data encryption enabled. Additional configuration is required. The configuration options are different depending on the release version of Amazon EMR that you use. For more information, see Using LDAP Authentication for Presto on Amazon EMR.

Presto on Amazon EMR uses port 8446 for internal HTTPS by default. The port used for internal communication must be the same port used for client HTTPS access to the Presto coordinator. The http-server.https.port property in the presto-config configuration classification specifies the port.