

# Understanding in-transit encryption
<a name="emr-encryption-support-matrix"></a>

You can configure an EMR cluster to run open-source frameworks such as [Apache Spark](https://aws.amazon.com/emr/features/spark/), [Apache Hive](https://aws.amazon.com/emr/features/hive/), and [Presto](https://aws.amazon.com/emr/features/presto/). Each of these open-source frameworks has a set of processes running on the EC2 instances of a cluster, and each of these processes can host network endpoints for network communication.

If in-transit encryption is enabled on an EMR cluster, different network endpoints use different encryption mechanisms. See the following sections to learn more about the specific open-source framework network endpoints supported with in-transit encryption, the related encryption mechanisms, and which Amazon EMR release added the support. Each open-source application might also have different best practices and open-source framework configurations that you can change. 

For the most in-transit encryption coverage, we recommend that you enable both in-transit encryption and Kerberos. If you only enable in-transit encryption, then in-transit encryption will be available only for the network endpoints that support TLS. Kerberos is necessary because some open-source framework network endpoints use Simple Authentication and Security Layer (SASL) for in-transit encryption.

Note that any open-source frameworks not supported in Amazon EMR 7.x.x releases are not included.

## Spark
<a name="emr-encryption-support-matrix-spark"></a>

When you enable in-transit encryption in security configurations, `spark.authenticate` is automatically set to `true` and uses AES-based encryption for RPC connections.

Starting with Amazon EMR 7.3.0, if you use in-transit encryption and Kerberos authentication, you can't use Spark applications that depend on the Hive metastore. Hive 3 fixes this issue in [HIVE-16340](https://issues.apache.org/jira/browse/HIVE-16340). [SPARK-44114](https://issues.apache.org/jira/browse/SPARK-44114) fully resolves this issue when open-source Spark can upgrade to Hive 3. In the meantime, you can set `hive.metastore.use.SSL` to `false` to work around this issue. For more information, see [Configure applications](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-configure-apps.html).

For more information, see [Spark security](https://spark.apache.org/docs/latest/security) in the Apache Spark documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Spark History Server | spark.ssl.history.port | 18480 | TLS | emr-5.3.0+, emr-6.0.0+, emr-7.0.0+ |
| Spark UI | spark.ui.port | 4440 | TLS | emr-5.3.0+, emr-6.0.0+, emr-7.0.0+ |
| Spark Driver | spark.driver.port | Dynamic | Spark AES-based encryption | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| Spark Executor | Executor port (no named config) | Dynamic | Spark AES-based encryption | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| YARN NodeManager | spark.shuffle.service.port¹ | 7337 | Spark AES-based encryption | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |

¹ `spark.shuffle.service.port` is hosted on YARN NodeManager but is only used by Apache Spark.

**Known issue**

On clusters with in-transit encryption enabled, the `spark.yarn.historyServer.address` configuration currently uses port `18080`, which prevents access to the Spark application UI through the YARN tracking URL. **Affects Version:** EMR 7.3.0 to EMR 7.9.0.

Use the following workaround:

1. On a running cluster, modify the `spark.yarn.historyServer.address` configuration in `/etc/spark/conf/spark-defaults.conf` to use the HTTPS port number `18480`.

1. Alternatively, provide the same setting in configuration overrides when you launch the cluster.

Example configuration:

```
[
  {
    "Classification": "spark-defaults",
    "Properties": {
      "spark.yarn.historyServer.address": "${hadoopconf-yarn.resourcemanager.hostname}:18480"
    }
  }
]
```

## Hadoop YARN
<a name="emr-encryption-support-matrix-hadoop-yarn"></a>

[Secure Hadoop RPC](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Data_Encryption_on_RPC) is set to `privacy` and uses SASL-based in-transit encryption. This requires that Kerberos authentication is enabled in the security configuration. If you don't want in-transit encryption for Hadoop RPC, configure `hadoop.rpc.protection = authentication`. We recommend that you use the default configuration for maximum security.

If your TLS certificates can't meet TLS hostname verification requirements, you can configure `hadoop.ssl.hostname.verifier = ALLOW_ALL`. We recommend that you use the default configuration of `hadoop.ssl.hostname.verifier = DEFAULT`, which enforces TLS hostname verification. 

To disable HTTPS for the YARN web application endpoints, configure `yarn.http.policy = HTTP_ONLY`. This makes it so that traffic to these endpoints stays unencrypted. We recommend that you use the default configuration for maximum security.

For more information, see [Hadoop in secure mode](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html) in the Apache Hadoop documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| ResourceManager | yarn.resourcemanager.webapp.address | 8088 | TLS | emr-7.3.0+ |
| ResourceManager | yarn.resourcemanager.resource-tracker.address | 8025 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| ResourceManager | yarn.resourcemanager.scheduler.address | 8030 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| ResourceManager | yarn.resourcemanager.address | 8032 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| ResourceManager | yarn.resourcemanager.admin.address | 8033 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| TimelineServer | yarn.timeline-service.address | 10200 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| TimelineServer | yarn.timeline-service.webapp.address | 8188 | TLS | emr-7.3.0+ |
| WebApplicationProxy | yarn.web-proxy.address | 20888 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| NodeManager | yarn.nodemanager.address | 8041 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| NodeManager | yarn.nodemanager.localizer.address | 8040 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| NodeManager | yarn.nodemanager.webapp.address | 8044 | TLS | emr-7.3.0+ |
| NodeManager | mapreduce.shuffle.port¹ | 13562 | TLS | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| NodeManager | spark.shuffle.service.port² | 7337 | Spark AES-based encryption | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |

¹ `mapreduce.shuffle.port` is hosted on YARN NodeManager but is only used by Hadoop MapReduce.

² `spark.shuffle.service.port` is hosted on YARN NodeManager but is only used by Apache Spark.

**Known issue**

The `yarn.log.server.url` configuration currently uses HTTP with port 19888, which prevents access to application logs from the ResourceManager UI. **Affects Version:** EMR 7.3.0 to EMR 7.8.0.

Use the following workaround:

1. Modify the `yarn.log.server.url` configuration in `yarn-site.xml` to use the `HTTPS` protocol and port number `19890`.

1. Restart YARN Resource Manager: `sudo systemctl restart hadoop-yarn-resourcemanager.service`.
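Both known-issue workarounds on this page (the Spark history server address above and the YARN log server URL just described) come down to pointing one configuration value at the HTTPS port instead of the HTTP one. The following Python script is an added example, not Amazon EMR's own tooling: it rewrites the two values and emits the configuration-classification JSON in the shape shown in the Spark example, so the fix can be applied as an override at cluster launch rather than edited by hand. The sample input values are constructed (the `ip-10-0-0-1.ec2.internal` host and the `/jobhistory/logs` path are not taken from a real cluster), and the `yarn-site` classification name is assumed to correspond to the `yarn-site.xml` file the workaround edits.

```python
"""Rewrite the two configuration values named in the known issues on this page
so they point at the TLS-enabled ports, and emit EMR configuration overrides."""
import json
from urllib.parse import urlsplit, urlunsplit

# HTTPS ports named on this page for the affected endpoints.
SPARK_HISTORY_HTTPS_PORT = 18480
JOBHISTORY_HTTPS_PORT = 19890


def fix_spark_history_address(address: str) -> str:
    """Replace the port of a host:port value with the Spark History Server
    HTTPS port; a value without a port gets the port appended."""
    host, sep, _ = address.rpartition(":")
    if not sep:
        host = address
    return f"{host}:{SPARK_HISTORY_HTTPS_PORT}"


def fix_log_server_url(url: str) -> str:
    """Switch a URL to https on the JobHistoryServer HTTPS port, keeping the
    host, path and query untouched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # a bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{host}:{JOBHISTORY_HTTPS_PORT}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def build_overrides(spark_address: str, log_server_url: str) -> list:
    """Build the configuration-classification list accepted at cluster launch.
    The 'yarn-site' classification name is assumed to map to yarn-site.xml."""
    return [
        {"Classification": "spark-defaults",
         "Properties": {"spark.yarn.historyServer.address": fix_spark_history_address(spark_address)}},
        {"Classification": "yarn-site",
         "Properties": {"yarn.log.server.url": fix_log_server_url(log_server_url)}},
    ]


if __name__ == "__main__":
    # Constructed sample values in the shape of the affected defaults.
    overrides = build_overrides(
        "${hadoopconf-yarn.resourcemanager.hostname}:18080",
        "http://ip-10-0-0-1.ec2.internal:19888/jobhistory/logs",
    )
    print(json.dumps(overrides, indent=2))
```

The URL rewrite deliberately preserves the path and query and only changes scheme and port, so whatever log path the cluster already uses survives the edit; a value that never had a port still gets the HTTPS one.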

## Hadoop HDFS
<a name="emr-encryption-support-matrix-hadoop-hdfs"></a>

The Hadoop name node, data node, and journal node all support TLS by default if in-transit encryption is enabled in EMR clusters.

[Secure Hadoop RPC](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Data_Encryption_on_RPC) is set to `privacy` and uses SASL-based in-transit encryption. This requires that Kerberos authentication is enabled in the security configuration.

We recommend that you don't change the default ports used for HTTPS endpoints.

[Data encryption on HDFS block transfer](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Data_Encryption_on_Block_data_transfer.) uses AES-256 and requires that at-rest encryption is enabled in the security configuration.

For more information, see [Hadoop in secure mode](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html) in the Apache Hadoop documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Namenode | dfs.namenode.https-address | 9871 | TLS | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| Namenode | dfs.namenode.rpc-address | 8020 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| Datanode | dfs.datanode.https.address | 9865 | TLS | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| Datanode | dfs.datanode.address | 9866 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| Journal Node | dfs.journalnode.https-address | 8481 | TLS | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| Journal Node | dfs.journalnode.rpc-address | 8485 | SASL + Kerberos | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |
| DFSZKFailoverController | dfs.ha.zkfc.port | 8019 | None | TLS for ZKFC is only supported in Hadoop 3.4.0; see [HADOOP-18919](https://issues.apache.org/jira/browse/HADOOP-18919) for more information. Amazon EMR release 7.1.0 is currently on Hadoop 3.3.6; later Amazon EMR releases will move to Hadoop 3.4.0 |

## Hadoop MapReduce
<a name="emr-encryption-support-matrix-hadoop-mapreduce"></a>

Hadoop MapReduce, job history server, and MapReduce shuffle all support TLS by default when in-transit encryption is enabled in EMR clusters.

[Hadoop MapReduce encrypted shuffle](https://hadoop.apache.org/docs/r2.7.1/hadoop-mapreduce-client/hadoop-mapreduce-client-core/EncryptedShuffle.html) uses TLS.

We recommend that you don't change the default ports for HTTPS endpoints.

For more information, see [Hadoop in secure mode](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html) in the Apache Hadoop documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| JobHistoryServer | mapreduce.jobhistory.webapp.https.address | 19890 | TLS | emr-7.3.0+ |
| YARN NodeManager | mapreduce.shuffle.port¹ | 13562 | TLS | emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, emr-7.0.0+ |

¹ `mapreduce.shuffle.port` is hosted on YARN NodeManager but is only used by Hadoop MapReduce.

## Presto
<a name="emr-encryption-support-matrix-presto"></a>

In Amazon EMR releases 5.6.0 and higher, internal communication between the Presto coordinator and workers uses TLS. Amazon EMR sets up all the required configurations to enable [secure internal communication](https://prestodb.io/docs/current/security/internal-communication.html) in Presto.

If the connector uses the Hive metastore as the metadata store, communication between the coordinator and the Hive metastore is also encrypted with TLS.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Presto Coordinator | http-server.https.port | 8446 | TLS | emr-5.6.0+, emr-6.0.0+, emr-7.0.0+ |
| Presto Worker | http-server.https.port | 8446 | TLS | emr-5.6.0+, emr-6.0.0+, emr-7.0.0+ |

## Trino
<a name="emr-encryption-support-matrix-trino"></a>

In Amazon EMR releases 6.1.0 and higher, internal communication between the Trino coordinator and workers uses TLS. Amazon EMR sets up all the required configurations to enable [secure internal communication](https://trino.io/docs/current/security/internal-communication.html) in Trino.

If the connector uses the Hive metastore as the metadata store, communication between the coordinator and the Hive metastore is also encrypted with TLS.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Trino Coordinator | http-server.https.port | 8446 | TLS | emr-6.1.0+, emr-7.0.0+ |
| Trino Worker | http-server.https.port | 8446 | TLS | emr-6.1.0+, emr-7.0.0+ |

## Hive and Tez
<a name="emr-encryption-support-matrix-hive-tez"></a>

By default, Hive server 2, Hive metastore server, Hive LLAP Daemon web UI, and Hive LLAP shuffle all support TLS when in-transit encryption is enabled in the EMR clusters. For more information about the Hive configurations, see [Configuration properties](https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties).

The Tez UI that's hosted on the Tomcat server is also HTTPS-enabled when in-transit encryption is enabled in the EMR cluster. However, HTTPS is disabled for the Tez AM web UI service, because AM users don't have access to the keystore file needed to open the SSL listener. You can enable HTTPS for the Tez AM web UI with the Boolean configurations `tez.am.tez-ui.webservice.enable.ssl` and `tez.am.tez-ui.webservice.enable.client.auth`.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| HiveServer2 | hive.server2.thrift.port | 10000 | TLS | emr-6.9.0+, emr-7.0.0+ |
| HiveServer2 | hive.server2.thrift.http.port | 10001 | TLS | emr-6.9.0+, emr-7.0.0+ |
| HiveServer2 | hive.server2.webui.port | 10002 | TLS | emr-7.3.0+ |
| HiveMetastoreServer | hive.metastore.port | 9083 | TLS | emr-7.3.0+ |
| LLAP Daemon | hive.llap.daemon.yarn.shuffle.port | 15551 | TLS | emr-7.3.0+ |
| LLAP Daemon | hive.llap.daemon.web.port | 15002 | TLS | emr-7.3.0+ |
| LLAP Daemon | hive.llap.daemon.output.service.port | 15003 | None | Hive doesn't support in-transit encryption for this endpoint |
| LLAP Daemon | hive.llap.management.rpc.port | 15004 | None | Hive doesn't support in-transit encryption for this endpoint |
| LLAP Daemon | hive.llap.plugin.rpc.port | Dynamic | None | Hive doesn't support in-transit encryption for this endpoint |
| LLAP Daemon | hive.llap.daemon.rpc.port | Dynamic | None | Hive doesn't support in-transit encryption for this endpoint |
| WebHCat | templeton.port | 50111 | TLS | emr-7.3.0+ |
| Tez Application Master | tez.am.client.am.port-range, tez.am.task.am.port-range | Dynamic | None | Tez doesn't support in-transit encryption for this endpoint |
| Tez Application Master | tez.am.tez-ui.webservice.port-range | Dynamic | None | Disabled by default. Can be enabled using Tez configurations in emr-7.3.0+ |
| Tez Task | N/A - not configurable | Dynamic | None | Tez doesn't support in-transit encryption for this endpoint |
| Tez UI | Configurable via the Tomcat server on which Tez UI is hosted | 8080 | TLS | emr-7.3.0+ |

## Flink
<a name="emr-encryption-support-matrix-flink"></a>

Apache Flink REST endpoints and internal communication between Flink processes support TLS by default when you enable in-transit encryption in EMR clusters.

[security.ssl.internal.enabled](https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/deployment/config/#security-ssl-internal-enabled) is set to `true` and uses in-transit encryption for internal communication between the Flink processes. If you don't want in-transit encryption for internal communication, disable that configuration. We recommend that you use the default configuration for maximum security.

Amazon EMR sets [security.ssl.rest.enabled](https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/deployment/config/#security-ssl-rest-enabled) to `true` and uses in-transit encryption for the REST endpoints. Additionally, Amazon EMR sets [historyserver.web.ssl.enabled](https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/deployment/config/#historyserver-web-ssl-enabled) to `true` to use TLS for communication with the Flink history server. If you don't want in-transit encryption for the REST endpoints, disable these configurations. We recommend that you use the default configuration for maximum security.

Amazon EMR uses [security.ssl.algorithms](https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/deployment/config/#security-ssl-algorithms) to specify the list of ciphers, which use AES-based encryption. Override this configuration to use the ciphers you want.

For more information, see [SSL Setup](https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/deployment/security/security-ssl/) in the Flink documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Flink History Server | historyserver.web.port | 8082 | TLS | emr-7.3.0+ |
| Job Manager Rest Server | rest.bind-port, rest.port | Dynamic | TLS | emr-7.3.0+ |

## HBase
<a name="emr-encryption-support-matrix-hbase"></a>

Amazon EMR sets [Secure Hadoop RPC](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Data_Encryption_on_RPC) to `privacy`. HMaster and RegionServer use SASL-based in-transit encryption. This requires that Kerberos authentication is enabled in the security configuration.

Amazon EMR sets `hbase.ssl.enabled` to `true` and uses TLS for UI endpoints. If you don't want to use TLS for UI endpoints, disable this configuration. We recommend that you use the default configuration for maximum security.

Amazon EMR enables `hbase.rest.ssl.enabled` and `hbase.thrift.ssl.enabled` and uses TLS for the REST and Thrift server endpoints, respectively. If you don't want to use TLS for these endpoints, disable these configurations. We recommend that you use the default configuration for maximum security.

Starting with EMR 7.6.0, TLS is supported on HMaster and RegionServer endpoints. Amazon EMR also enables `hbase.server.netty.tls.enabled` and `hbase.client.netty.tls.enabled`. If you don't want to use TLS for these endpoints, disable these configurations. We recommend that you use the default configuration, which provides encryption and thus higher security. To learn more, see [Transport Level Security (TLS) in HBase RPC communication](https://hbase.apache.org/book.html#_transport_level_security_tls_in_hbase_rpc_communication) in the *Apache HBase Reference Guide*.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| HMaster | HMaster | 16000 | SASL + Kerberos; TLS | SASL + Kerberos in emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, and emr-7.0.0+; TLS in emr-7.6.0+ |
| HMaster | HMaster UI | 16010 | TLS | emr-7.3.0+ |
| RegionServer | RegionServer | 16020 | SASL + Kerberos; TLS | SASL + Kerberos in emr-4.8.0+, emr-5.0.0+, emr-6.0.0+, and emr-7.0.0+; TLS in emr-7.6.0+ |
| RegionServer | RegionServer Info | 16030 | TLS | emr-7.3.0+ |
| HBase Rest Server | Rest Server | 8070 | TLS | emr-7.3.0+ |
| HBase Rest Server | Rest UI | 8085 | TLS | emr-7.3.0+ |
| HBase Thrift Server | Thrift Server | 9090 | TLS | emr-7.3.0+ |
| HBase Thrift Server | Thrift Server UI | 9095 | TLS | emr-7.3.0+ |

## Phoenix
<a name="emr-encryption-support-matrix-phoenix"></a>

If you enabled in-transit encryption in your EMR cluster, Phoenix Query Server supports the TLS property `phoenix.queryserver.tls.enabled`, which is set to `true` by default.

To learn more, see [Configurations relating to HTTPS](https://phoenix.apache.org/server.html#Configuration) in the Phoenix Query Server documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Query Server | phoenix.queryserver.http.port | 8765 | TLS | emr-7.3.0+ |

## Oozie
<a name="emr-encryption-support-matrix-oozie"></a>

[OOZIE-3673](https://issues.apache.org/jira/browse/OOZIE-3673) is available on Amazon EMR if you run Oozie on Amazon EMR 7.3.0 and higher. If you need to configure custom SSL or TLS protocols when you run an email action, you can set the property `oozie.email.smtp.ssl.protocols` in the `oozie-site.xml` file. By default, if you enabled in-transit encryption, Amazon EMR uses the TLS v1.3 protocol.

[OOZIE-3677](https://issues.apache.org/jira/browse/OOZIE-3677) and [OOZIE-3674](https://issues.apache.org/jira/browse/OOZIE-3674) are also available on Amazon EMR if you run Oozie on Amazon EMR 7.3.0 and higher. This lets you specify the properties `keyStoreType` and `trustStoreType` in `oozie-site.xml`. OOZIE-3674 adds the parameter `--insecure` to the Oozie client so it can ignore certificate errors.

Oozie enforces TLS hostname verification, which means that any certificate you use for in-transit encryption must meet hostname verification requirements. If the certificate doesn't meet the criteria, the cluster might get stuck at the `oozie share lib update` stage when Amazon EMR provisions the cluster. We recommend that you update your certificates to make sure they're compliant with hostname verification. However, if you can't update the certificates, you can disable SSL for Oozie by setting the `oozie.https.enabled` property to `false` in cluster configuration. 


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| EmbeddedOozieServer | oozie.https.port | 11443 | TLS | emr-7.3.0+ |
| EmbeddedOozieServer | oozie.email.smtp.port | 25 | TLS | emr-7.3.0+ |

## Hue
<a name="emr-encryption-support-matrix-hue"></a>

By default, Hue supports TLS when in-transit encryption is enabled in Amazon EMR clusters. For more information about Hue configurations, see [Configure Hue with HTTPS / SSL](https://gethue.com/configure-hue-with-https-ssl/). 


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Hue | http_port | 8888 | TLS | emr-7.4.0+ |

## Livy
<a name="emr-encryption-support-matrix-livy"></a>

By default, Livy supports TLS when in-transit encryption is enabled in Amazon EMR clusters. For more information about Livy configurations, see [Enabling HTTPS with Apache Livy](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/enabling-https.html).

Starting with Amazon EMR 7.3.0, if you use in-transit encryption and Kerberos authentication, you can't use the Livy server for Spark applications that depend on the Hive metastore. This issue is fixed in [HIVE-16340](https://issues.apache.org/jira/browse/HIVE-16340) and is fully resolved in [SPARK-44114](https://issues.apache.org/jira/browse/SPARK-44114) when the open-source Spark application can upgrade to Hive 3. In the meantime, you can work around this issue if you set `hive.metastore.use.SSL` to `false`. For more information, see [Configure applications](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-configure-apps.html).

For more information, see [Enabling HTTPS with Apache Livy](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/enabling-https.html).


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| livy-server | livy.server.port | 8998 | TLS | emr-7.4.0+ |

## JupyterEnterpriseGateway
<a name="emr-encryption-matrix-jupyter-enterprise"></a>

By default, Jupyter Enterprise Gateway supports TLS when in-transit encryption is enabled in Amazon EMR clusters. For more information about the Jupyter Enterprise Gateway configurations, see [Securing Enterprise Gateway Server](https://jupyter-enterprise-gateway.readthedocs.io/en/v1.2.0/getting-started-security.html#securing-enterprise-gateway-server).


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| jupyter_enterprise_gateway | c.EnterpriseGatewayApp.port | 9547 | TLS | emr-7.4.0+ |

## JupyterHub
<a name="emr-encryption-matrix-jupyter-hub"></a>

By default, JupyterHub supports TLS when in-transit encryption is enabled in Amazon EMR clusters. For more information, see [Enabling SSL encryption](https://jupyterhub.readthedocs.io/en/latest/tutorial/getting-started/security-basics.html#enabling-ssl-encryption) in the JupyterHub documentation. It isn't recommended to disable encryption. 


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| jupyter_hub | c.JupyterHub.port | 9443 | TLS | emr-5.14.0+, emr-6.0.0+, emr-7.0.0+ |

## Zeppelin
<a name="emr-encryption-matrix-zeppelin"></a>

By default, Zeppelin supports TLS when you enable in-transit encryption in your EMR cluster. For more information about the Zeppelin configurations, see [SSL Configuration](https://zeppelin.apache.org/docs/0.11.1/setup/operation/configuration.html#ssl-configuration) in the Zeppelin documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| zeppelin | zeppelin.server.ssl.port | 8890 | TLS | emr-7.3.0+ |

## Zookeeper
<a name="emr-encryption-matrix-zookeeper"></a>

Amazon EMR sets `serverCnxnFactory` to `org.apache.zookeeper.server.NettyServerCnxnFactory` to enable TLS for the Zookeeper quorum and client communication.

`secureClientPort` specifies the port that listens for TLS connections. If a client doesn't support TLS connections to Zookeeper, it can connect to the insecure port 2181 specified in `clientPort`. You can override or disable both ports.

Amazon EMR sets both `sslQuorum` and `admin.forceHttps` to `true` to enable TLS communication for the quorum and admin server. If you don't want in-transit encryption for the quorum and the admin server, you can disable those configurations. We recommend that you use the default configurations for maximum security.

For more information, see [Encryption, Authentication, Authorization Options](https://zookeeper.apache.org/doc/r3.9.2/zookeeperAdmin.html#sc_authOptions) in the Zookeeper documentation.


| Component | Endpoint | Port | In-Transit Encryption Mechanism | Supported from Release |
| --- | --- | --- | --- | --- |
| Zookeeper Server | secureClientPort | 2281 | TLS | emr-7.4.0+ |
| Zookeeper Server | Quorum ports | 2888 (followers connect to the leader), 3888 (leader election) | TLS | emr-7.4.0+ |
| Zookeeper Server | admin.serverPort | 8341 | TLS | emr-7.4.0+ |
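Most sections on this page name a configuration key that Amazon EMR sets to its secure value and that an operator could later weaken: `hadoop.rpc.protection` and `hadoop.ssl.hostname.verifier` (Hadoop YARN and HDFS), `yarn.http.policy`, `spark.authenticate`, the HBase `hbase.ssl.enabled`, `hbase.rest.ssl.enabled` and `hbase.thrift.ssl.enabled` flags, `oozie.https.enabled`, the Flink `security.ssl.internal.enabled`, `security.ssl.rest.enabled` and `historyserver.web.ssl.enabled` settings, and the ZooKeeper `serverCnxnFactory`, `sslQuorum` and `admin.forceHttps` settings. The Python script below is an added example, not part of this page or of Amazon EMR, that reads those keys from the relevant configuration files and reports any that no longer match the values described here. The sample configuration files are constructed, with two settings deliberately weakened; the file names are the conventional ones for each application (an assumption, not a path taken from this page), and a missing key is reported rather than assumed secure, because the script cannot see the application's compiled-in default.

```python
"""Audit application config files for the in-transit encryption settings this
page says Amazon EMR applies, and report any that have been weakened."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple


def parse_hadoop_xml(text: str) -> Dict[str, str]:
    """Parse Hadoop-style <configuration><property><name/><value/></property> XML."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def parse_flat(text: str, seps: str = "=:") -> Dict[str, str]:
    """Parse one-setting-per-line files: key=value (zoo.cfg), key: value
    (flink-conf.yaml) or, with seps=" \\t", key value (spark-defaults.conf).
    The first separator character found on a line splits key from value."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cuts = [i for i in (line.find(s) for s in seps) if i >= 0]
        if cuts:
            cut = min(cuts)
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def is_true(value: str) -> bool:
    return value.lower() == "true"


# (config file, key, secure value as described on this page, predicate)
RULES: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("core-site.xml", "hadoop.rpc.protection", "privacy", lambda v: v == "privacy"),
    ("core-site.xml", "hadoop.ssl.hostname.verifier", "DEFAULT", lambda v: v == "DEFAULT"),
    ("yarn-site.xml", "yarn.http.policy", "anything but HTTP_ONLY", lambda v: v != "HTTP_ONLY"),
    ("spark-defaults.conf", "spark.authenticate", "true", is_true),
    ("hbase-site.xml", "hbase.ssl.enabled", "true", is_true),
    ("hbase-site.xml", "hbase.rest.ssl.enabled", "true", is_true),
    ("hbase-site.xml", "hbase.thrift.ssl.enabled", "true", is_true),
    ("oozie-site.xml", "oozie.https.enabled", "true", is_true),
    ("flink-conf.yaml", "security.ssl.internal.enabled", "true", is_true),
    ("flink-conf.yaml", "security.ssl.rest.enabled", "true", is_true),
    ("flink-conf.yaml", "historyserver.web.ssl.enabled", "true", is_true),
    ("zoo.cfg", "serverCnxnFactory", "org.apache.zookeeper.server.NettyServerCnxnFactory",
     lambda v: v == "org.apache.zookeeper.server.NettyServerCnxnFactory"),
    ("zoo.cfg", "sslQuorum", "true", is_true),
    ("zoo.cfg", "admin.forceHttps", "true", is_true),
]


def audit(files: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (file, key, found, expected) for each rule that is not satisfied.
    An absent key is reported as "<unset>" rather than assumed to be secure."""
    findings = []
    for fname, key, expected, ok in RULES:
        value = files.get(fname, {}).get(key)
        if value is None or not ok(value):
            findings.append((fname, key, "<unset>" if value is None else value, expected))
    return findings


# Constructed sample files (not captured from a real cluster); two settings
# are deliberately weakened so the audit has something to report.
SAMPLE_FILES = {
    "core-site.xml": parse_hadoop_xml("""<configuration>
  <property><name>hadoop.rpc.protection</name><value>authentication</value></property>
  <property><name>hadoop.ssl.hostname.verifier</name><value>DEFAULT</value></property>
</configuration>"""),
    "yarn-site.xml": parse_hadoop_xml("""<configuration>
  <property><name>yarn.http.policy</name><value>HTTP_ONLY</value></property>
</configuration>"""),
    "hbase-site.xml": parse_hadoop_xml("""<configuration>
  <property><name>hbase.ssl.enabled</name><value>true</value></property>
  <property><name>hbase.rest.ssl.enabled</name><value>true</value></property>
  <property><name>hbase.thrift.ssl.enabled</name><value>true</value></property>
</configuration>"""),
    "oozie-site.xml": parse_hadoop_xml("""<configuration>
  <property><name>oozie.https.enabled</name><value>true</value></property>
</configuration>"""),
    "spark-defaults.conf": parse_flat("spark.authenticate true\n", seps=" \t"),
    "flink-conf.yaml": parse_flat("security.ssl.internal.enabled: true\n"
                                  "security.ssl.rest.enabled: true\n"
                                  "historyserver.web.ssl.enabled: true\n"),
    "zoo.cfg": parse_flat("serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory\n"
                          "sslQuorum=true\nadmin.forceHttps=true\nsecureClientPort=2281\n"),
}

if __name__ == "__main__":
    for fname, key, found, expected in audit(SAMPLE_FILES):
        print(f"{fname}: {key} = {found!r}, expected {expected}")
```

Run against the constructed samples, the audit reports the two weakened settings (`hadoop.rpc.protection` set back to `authentication` and `yarn.http.policy` set to `HTTP_ONLY`) and nothing else. Pointing the parsers at the real files under each application's configuration directory turns this into a quick post-provisioning check that the in-transit encryption settings this page describes are still in force.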