This is the documentation for Cloudera Manager 5.0.x. Documentation for other versions is available at Cloudera Documentation.

Configuring TLS Authentication of Agents to Server

This is the highest level of TLS security and requires you to use openssl to create private keys and public certificates for every Agent on your cluster, and import those Agents' certificates into the Server's truststore.

Step 1: Configure TLS encryption.

If you have not already done so, you must configure TLS encryption to use this third level of security. For instructions, see Configuring TLS Encryption for Cloudera Manager.

Step 2: Configure TLS Authentication of Server to Agents.

If you have not already done so, you must configure TLS Authentication of Server to Agents. For instructions, see Configuring TLS Authentication of Server to Agents.

Step 3. Generate the private key for the Agent using openssl.

  1. Run the following openssl command on the agent:
    $ openssl genrsa -des3 -out agent.key
  2. Provide a password for the key file. Note it in a safe place.

Step 4: Generate a certificate for the agent.

  1. Run the following openssl command.
    $ openssl req -new -x509 -days 365 -key agent.key -out agent.pem
    The key is output in a .pem file. In the preceding example, the optional days argument results in a certificate that is valid for 365 days.
  2. Fill in the answers to the questions about the certificate. Note that the CN must match the hostname or IP address of the Agent host.

Step 5: Create a file that contains the password for the key.

The Agent reads the password from a text file instead of from a command line. The file allows you to use file permissions to protect the password. For example, name the file agent.pw.

Step 6: Configure the Agent with its private key and certificate.

  1. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file:
  2. Edit the following properties in the /etc/cloudera-scm-agent/config.ini configuration file.
    Property Description
    client_key_file Name of client key file
    client_keypw_file Name of client key pw file
    client_cert_file Name of client certificate file
  3. Repeat these steps on every Agent host.

Step 7: Import the Agent's certificate into the Server's truststore.

The Server's truststore contains the certificates that are required to authenticate clients. Use the following command to import a certificate called, for example, agent.pem into a new truststore called, for example, truststore.

$ keytool -keystore <path-to-truststore> -import -alias <agent-name> -file agent.pem

Step 8: Repeat steps 3 through 7 for every agent in your cluster.

  Important: Each Agent's private key and certificate that you import into the Server's truststore must be unique.

Step 9: Enable Agent authentication and configure the Server to use the new truststore.

  1. Log into the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Click the Security category.
  4. Configure the following TLS settings:
    Setting Description
    Use TLS Authentication of Agents to Server Select this option to enable TLS Authentication of Agents to the Server.
    Path to Truststore Specify the full filesystem path to the truststore located on the Cloudera Manager Server host.
    Truststore Password Specify the password for the truststore.
  5. Click Save Changes to save the settings.

Step 10: Restart the Server.

$ sudo service cloudera-scm-server restart

Step 11: Restart the Cloudera Manager Agents.

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 12: Verify that the Server and Agents are communicating.

In Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If they are not, you may get an error in the Server, such as a null CA chain error. This implies either the truststore doesn't contain the Agent certificate or the Agent isn't presenting the certificate. Double check all of your settings. Check the Server's log to verify whether TLS and Agent validation have been enabled correctly.

Page generated September 3, 2015.