Configuring TLS Encryption only for Cloudera Manager
Use the Java keytool utility to manage the public keys and certificates for the Cloudera Manager Server. Before configuring TLS security for Cloudera Manager, create a keystore as described in the keytool documentation. For example, you might use a command similar to the following:
keytool -genkey -alias jetty -keystore truststore
Step 1: Create a Cloudera Manager Server certificate.
You must use an Oracle JDK keytool.
- Use keytool to generate a certificate for the Cloudera Manager Server. For example:
$ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
- The -validity option specifies the certificate lifetime in number of days. If no validity value is specified, the default value is used. The default varies, but is often 90 days.
- The <path-to-keystore> is the path where you want to save the keystore file; it must be readable by the Cloudera Manager Server host machine.
- When prompted by keytool, create a password for the keystore. Save the password in a safe place.
- When prompted by keytool, answer the questions accurately to describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host machine where the Server is running. For example, cmf.company.com or 192.168.123.101.
For the CN value, be sure to use an FQDN if possible, or a static IP address that will not change. Do not specify an IP address that changes periodically. When Agents connect to the Server using TLS, they check whether the name in the Server certificate is the same name they are using to connect to the Server. If the names do not match, Agents do not heartbeat.
Step 2: Enable TLS encryption and specify Server keystore properties.
- Log into the Cloudera Manager Admin Console.
- From the Administration tab select Settings, then go to the Security category.
- Configure the following three TLS settings:
  - Use TLS Encryption for Agents: Select this option to enable TLS encryption between the Server and Agents.
  - Path to TLS Keystore File: Specify the full filesystem path to the keystore file.
  - Keystore password: Specify the password for the keystore.
- Click Save Changes to save the settings.
Step 3: Enable and configure TLS on the Agent machines.
To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent machines.
- On the Agent host machine, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the TLS property: specify 1 to enable TLS on the Agent, or 0 (zero) to disable TLS.
- Repeat these steps on every Agent Machine.
Step 4: Restart the Cloudera Manager Server.
Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.
$ sudo service cloudera-scm-server restart
To enable TLS security, you must restart the Server.
Step 5: Restart the Cloudera Manager Agents.
On every Agent Host machine, restart the Agent:
$ sudo service cloudera-scm-agent restart
Step 6: Verify that the Server and Agents are communicating.
In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, TLS encryption is working properly.
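The following POSIX shell helpers are an added example, not code from Cloudera or from this page. They cover the two places in the procedure above where a mistake silently stops heartbeats: the Step 1 check that the certificate CN matches the name Agents use for the Server, and the Step 3 edit of config.ini on every Agent host. The page does not name the Agent property; the example assumes it is called use_tls. The sample config.ini content and the `keytool -list -v` output are constructed for the demonstration, so the script runs without Java or a real keystore.

```shell
#!/bin/sh
# Added example (not Cloudera's code). Assumption: the Agent TLS switch in
# /etc/cloudera-scm-agent/config.ini is the property "use_tls" (0 or 1).

# Print the current use_tls value from a config.ini (empty if the property is unset).
get_agent_tls() {
    sed -n 's/^[[:space:]]*use_tls[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1
}

# Set use_tls to 0 or 1. Rewrites an existing line in place, collapses duplicates,
# and otherwise inserts the property under [General] (or appends it if that
# section is missing). Safe to run repeatedly on every Agent host.
set_agent_tls() {
    cfg=$1; val=$2
    case "$val" in
        0|1) ;;
        *) echo "use_tls must be 0 or 1, got '$val'" >&2; return 1 ;;
    esac
    tmp="$cfg.tmp.$$"
    awk -v val="$val" '
        /^[[:space:]]*use_tls[[:space:]]*=/ { if (!done) { print "use_tls=" val; done = 1 }; next }
        { print }
        /^\[General\]/ && !done { print "use_tls=" val; done = 1 }
        END { if (!done) print "use_tls=" val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Extract the CN of the certificate owner from "keytool -list -v" output on stdin.
cert_cn() {
    sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Succeed only if the CN on stdin equals the host name Agents use for server_host.
# A mismatch here is exactly the case in which Agents connect but never heartbeat.
cn_matches_host() {
    [ "$(cert_cn)" = "$1" ]
}

# Demonstration on constructed data (stdout only; nothing is touched in /etc).
demo_cfg=$(mktemp)
printf '[General]\nserver_host=cmf.company.com\n\n[Security]\n' > "$demo_cfg"
set_agent_tls "$demo_cfg" 1
echo "use_tls after enabling: $(get_agent_tls "$demo_cfg")"
rm -f "$demo_cfg"

demo_keytool='Alias name: jetty
Owner: CN=cmf.company.com, OU=Ops, O=Company, C=US
Issuer: CN=cmf.company.com, OU=Ops, O=Company, C=US'
if printf '%s\n' "$demo_keytool" | cn_matches_host cmf.company.com; then
    echo "certificate CN matches server_host"
else
    echo "certificate CN does NOT match server_host; Agents will not heartbeat"
fi
```

On a real host you would feed `keytool -list -v -keystore <path-to-keystore> -alias jetty` into `cn_matches_host` with the value of server_host from config.ini, and run `set_agent_tls /etc/cloudera-scm-agent/config.ini 1` before restarting the Agent.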