Set up Trino SSL

SSL Requirement

  • If any authentication (Kerberos, LDAP) is enabled for Trino, SSL must also be enabled.
  • In Ambari, when Kerberos is enabled, the 'Enable SSL' option is automatically selected. Disabling SSL while using authentication will cause Trino services to fail at startup.
  • The SSL certificate must have a valid SubjectAlternativeName (SAN). The SSL certificates without a SAN are not supported.

SSL Setup

  • Must use either a passwordless .pem file or a .jks keystore with a password on all the trino nodes, readable by trino user.
  • Configure SSL Keystore Path=<path to pem/keystore location>, this path must be the same for each Trino server as shown below.
  • A Shared Key must be configured when SSL is enabled. You can generate it using below command.
Bash
Copy

Enter the generated key in the 'Shared Key' configuration field during Trino setup under Advanced trino-env.

Internal Node-to-Node SSL (Optional)

The internode SSL communication between the Coordinator and Worker nodes, can be enabled as per below steps, however there is a performance degradation and it is not recommended.

Requirement: All certificates must be imported into the JDK 23 cacerts truststore on each node.

The example command is as follows.

Bash
Copy

Kerberos Configuration

The kerberos properties are all auto configured in the Coordinator node’s config.properties.

The following properties are added in config.properties once security is identified as Kerberos.

Bash
Copy

LDAP Configuration

To configure or enable LDAP, the following two properties need to be configured under Advanced trino-ldap:

  • LDAP URL
  • LDAP User Bind Pattern String
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
  Last updated on May 7, 2025
Next to read:
Set up Trino Knox
On This Page
Set up Trino SSLSSL RequirementSSL SetupInternal Node-to-Node SSL (Optional)Kerberos ConfigurationLDAP Configuration