Configuring TLS Security for Cloudera Manager
- Cloudera strongly recommends that you set up a fully-functional CDH cluster and Cloudera Manager before you begin configuring the Cloudera Manager Server and Agents to use TLS.
- Cloudera Manager will continue to accept HTTP requests on port 7180 (default) but will immediately redirect clients to port 7183 for HTTPS connectivity once TLS is enabled.
- Once Level 3 TLS is configured, if you want to add new hosts running
Agents, you must manually deploy the Cloudera Manager agent and daemon's
packages for your platform, issue a new certificate for the host, configure
/etc/cloudera-scm-agent/config.ini to use SSL/TLS and then bring
the host online.
Conversely, you can disable TLS to add the host, configure the new host for TLS, then re-enable with the proper configuration in place. Either approach is valid, based on your needs.
- For all hosts running Agents, Cloudera recommends you start with creating the keystore in Java first, and then exporting the key and certificate using openSSL for use by the Agent or Hue.
Cloudera Manager supports three levels of TLS security. It is necessary to work through the configuration of Level 1, and then Level 2 TLS to be able to configure Level 3 encryption. The configurations build on each other to reach Level 3 which is the strongest level of TLS security.
- Level 1 (Good) - This level only configures encrypted communication between the browser and Cloudera Manager, and between Agents and the Cloudera Manager Server. See Configuring TLS Encryption Only for Cloudera Manager followed by Level 1: Configuring TLS Encryption for Cloudera Manager Agents for instructions. Level 1 encryption prevents snooping of commands and controls ongoing communication between the Agents and Cloudera Manager.
- Level 2 (Better) - This level includes encrypted communication between the Agents and the Server, as well as strong verification of the Cloudera Manager Server certificate by the Agents. See Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents. Level 2 provides Agents with an additional level of security by verifying trust for the certificate presented by the Cloudera Manager Server.
- Level 3 (Best) - Encrypted communication between the Agents and the Server. Level 3 TLS includes encrypted communication between the Agents and the Server, strong verification of the Cloudera Manager Server certificate by the Agents and authentication of Agents to the Cloudera Manager Server using self-signed or CA-signed certs. See Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server. Level 3 addresses the untrusted network scenario where you need to prevent cluster Servers being spoofed by untrusted Agents running on a host. Cloudera recommends you configure Level 3 TLS encryption for untrusted network environments before enabling Kerberos authentication. This provides secure communication of keytabs between the Cloudera Manager Server and verified Agents across the cluster.
To enable TLS encryption for all connections between your Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server, see the first 2 steps of Level 1: Configuring TLS Encryption for Cloudera Manager Agents.
For more details on how various aspects of HTTPS communication are handled by the Cloudera Manager Agents and the Cloudera Management Services daemons, see HTTPS Communication in Cloudera Manager.