3.6. Secure Internal Communication

    SSL/TLS is configured in the file. SSL/TLS on the worker and coordinator nodes is configured using the same set of properties. Every node in the cluster must be configured: nodes that have not been configured, or are configured incorrectly, will not be able to communicate with the other nodes in the cluster.

    To enable SSL/TLS for Presto internal communication, do the following:

    1. Disable the HTTP endpoint.

    2. Configure the cluster to communicate using the fully qualified domain name (FQDN) of the cluster nodes. This can be done in either of the following ways:

       • If the DNS service is configured properly, the nodes can introduce themselves to the coordinator using the hostname taken from the system configuration (hostname --fqdn).

       • Set the internal address of each node explicitly:

             node.internal-address=<node fqdn>

    3. Generate a Java keystore file. Every Presto node must be able to connect to any other node within the same cluster. It is possible to create a unique certificate for every node using the fully qualified hostname of each host, create a keystore that contains the public keys of all of the hosts, and specify it for the client (see step 8 below). In most cases it will be simpler to use a wildcard in the certificate.

    4. Distribute the Java keystore file across the Presto cluster.

    5. Enable the HTTPS endpoint.

           http-server.https.enabled=true
           http-server.https.port=<https port>
           http-server.https.keystore.key=<keystore password>

    6. Change the discovery URI to HTTPS.

    7. Configure the internal communication to require HTTPS.

    8. Configure the internal communication to use the Java keystore file.

           internal-communication.https.keystore.path=<keystore path>
           internal-communication.https.keystore.key=<keystore password>
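      As an added example (not part of the Presto documentation or code base), the following Python script reads a config.properties file and reports which of the settings above are missing or still insecure. It assumes the property names http-server.http.enabled, discovery.uri and internal-communication.https.required, which are standard Presto properties not quoted on this page; the sample configuration is constructed.

```python
from urllib.parse import urlsplit
# Constructed sample worker config.properties with mistakes the steps above warn
# about: HTTP still on, plain-http discovery.uri, short hostnames, no keystore password.
SAMPLE_BAD = """\
node.internal-address=worker1
http-server.http.enabled=true
http-server.https.enabled=true
http-server.https.port=8443
discovery.uri=http://coordinator:8080
internal-communication.https.keystore.path=/etc/presto/keystore.jks
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_fqdn(host):
    """Crude FQDN test: contains a dot and is not a bare IPv4 literal."""
    return "." in host and not host.replace(".", "").isdigit()
def check_internal_tls(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get("http-server.http.enabled", "true") != "false":  # Presto default is on
        findings.append("HTTP endpoint still enabled (http-server.http.enabled)")
    if props.get("http-server.https.enabled") != "true":
        findings.append("HTTPS endpoint not enabled (http-server.https.enabled)")
    if "http-server.https.port" not in props:
        findings.append("http-server.https.port not set")
    uri = urlsplit(props.get("discovery.uri", ""))
    if uri.scheme != "https":
        findings.append("discovery.uri does not use https")
    if not is_fqdn(uri.hostname or ""):
        findings.append("discovery.uri host is not a fully qualified domain name")
    addr = props.get("node.internal-address")
    if addr is not None and not is_fqdn(addr):
        findings.append("node.internal-address is not a fully qualified domain name")
    if props.get("internal-communication.https.required") != "true":
        findings.append("internal communication does not require HTTPS")
    for key in ("internal-communication.https.keystore.path",
                "internal-communication.https.keystore.key"):
        if key not in props:
            findings.append(f"{key} not set")
    return findings
```

      Run it against the config.properties of every node, since a single misconfigured node cannot talk to the rest of the cluster.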

      If Kerberos authentication is enabled, specify valid Kerberos credentials for the internal communication in addition to the SSL/TLS properties.

      The service name and keytab file used for internal Kerberos authentication are taken from the server Kerberos authentication properties, documented in , http.server.authentication.krb5.service-name and http.server.authentication.krb5.keytab respectively. Make sure Kerberos is also set up on the worker nodes. The Kerberos principal for internal communication is built from http.server.authentication.krb5.service-name by appending the hostname of the node on which Presto is running and the default realm from the Kerberos configuration.

      Enabling encryption impacts performance. The performance degradation can vary based on the environment, queries, and concurrency.

      For queries that do not require transferring much data between the Presto nodes (e.g. ), the performance impact is negligible.

      However, for CPU intensive queries which require a considerable amount of data to be transferred between the nodes (for example, distributed joins, aggregations and window functions, which require repartitioning), the performance impact might be considerable. The slowdown may vary from 10% to even 100%+, depending on the network traffic and the CPU utilization.

      In some cases, changing the source of random numbers will improve performance significantly.

      By default, TLS encryption uses the /dev/urandom system device as a source of entropy. This device has limited throughput, so in environments with high network bandwidth (e.g. InfiniBand) it may become a bottleneck. In such situations, it is recommended to try switching the random number generator algorithm to SHA1PRNG by setting the http-server.https.secure-random-algorithm property in config.properties on the coordinator and all of the workers:

          http-server.https.secure-random-algorithm=SHA1PRNG

      Be aware that this algorithm takes its initial seed from the blocking /dev/random device. For environments that do not have enough entropy to seed the SHA1PRNG algorithm, the seed source can be changed to /dev/urandom by adding the java.security.egd property to :

          -Djava.security.egd=file:/dev/urandom