This is the documentation for Cloudera 5.3.x.
Documentation for other versions is available at Cloudera Documentation.

Configuring TLS Security for Cloudera Manager

  Important:
  • Cloudera strongly recommends that you set up a fully functional CDH cluster and Cloudera Manager before you configure the Cloudera Manager Server and Agents to use TLS.
  • When TLS is enabled, Cloudera Manager continues to accept HTTP requests on port 7180 (default) but immediately redirects clients to port 7183 for HTTPS connectivity.
  • When Level 3 TLS is configured, to add new hosts running Agents, you must manually deploy the Cloudera Manager agent and daemon packages for your platform, issue a new certificate for the host, configure /etc/cloudera-scm-agent/config.ini to use SSL/TLS, and then bring the host online.

    Or, you can disable TLS to add the host, configure the new host for TLS, and then re-enable with the proper configuration in place. Either approach is valid, based on your needs.

  • For all hosts running Agents, Cloudera recommends that you first create the keystore in Java, and then export the key and certificate using openSSL for use by the Agent or Hue.
Transport Layer Security (TLS) provides encryption and authentication in communication between the Cloudera Manager Server and Agents. Encryption prevents snooping, and authentication helps prevent problems caused by malicious servers or agents.

Cloudera Manager supports three levels of TLS security.

  • Level 1 (Good) - This level encrypts communication between the browser and Cloudera Manager, and between Agents and the Cloudera Manager Server. See Configuring TLS Encryption Only for Cloudera Manager followed by Level 1: Configuring TLS Encryption for Cloudera Manager Agents for instructions. Level 1 encryption prevents snooping of commands and controls ongoing communication between Agents and Cloudera Manager.
  • Level 2 (Better) - This level encrypts communication between the Agents and the Server, and provides strong verification of the Cloudera Manager Server certificate by Agents. See Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents. Level 2 provides Agents with additional security by verifying trust for the certificate presented by the Cloudera Manager Server.
  • Level 3 (Best) - This includes encrypted communication between the Agents and the Server, strong verification of the Cloudera Manager Server certificate by the Agents, and authentication of Agents to the Cloudera Manager Server using self-signed or CA-signed certs. See Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server. Level 3 TLS prevents cluster Servers from being spoofed by untrusted Agents running on a host. Cloudera recommends that you configure Level 3 TLS encryption for untrusted network environments before enabling Kerberos authentication. This provides secure communication of keytabs between the Cloudera Manager Server and verified Agents across the cluster.
  Important: You must finish configuring Level 1 and Level 2 TLS to configure Level 3 encryption. To enable TLS encryption for all connections between your Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server, see the first 2 steps of Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

For details on how HTTPS communication is handled Cloudera Manager Agents and Cloudera Management Services daemons, see HTTPS Communication in Cloudera Manager.