Configuring TLS Security for Cloudera Manager
- Cloudera strongly recommends that you set up a fully functional CDH cluster and Cloudera Manager before you configure the Cloudera Manager Server and Agents to use TLS.
- When TLS is enabled, Cloudera Manager continues to accept HTTP requests on port 7180 (default) but immediately redirects clients to port 7183 for HTTPS connectivity.
- When Level 3 TLS is configured, to add new hosts running Agents, you must manually deploy the Cloudera Manager Agent and daemon packages for your platform, issue a new certificate for the host, configure /etc/cloudera-scm-agent/config.ini, and then bring the host online. Alternatively, you can disable TLS to add the host, configure the new host for TLS, and then re-enable TLS with the proper configuration in place. Either approach is valid, depending on your needs.
- For all hosts running Agents, Cloudera recommends that you first create the keystore in Java, and then export the key and certificate using OpenSSL for use by the Agent or Hue.
Cloudera Manager supports three levels of TLS security.
- Level 1 (Good) - This level encrypts communication between the browser and Cloudera Manager, and between Agents and the Cloudera Manager Server. See Configuring TLS Encryption Only for Cloudera Manager followed by Level 1: Configuring TLS Encryption for Cloudera Manager Agents for instructions. Level 1 encryption prevents snooping of the commands and control traffic exchanged between Agents and Cloudera Manager. Because Agents do not verify the Server's certificate at this level, it does not by itself protect an Agent from connecting to a spoofed Server.
- Level 2 (Better) - This level encrypts communication between the Agents and the Server, and provides strong verification of the Cloudera Manager Server certificate by Agents. See Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents. Level 2 provides Agents with additional security by verifying trust for the certificate presented by the Cloudera Manager Server.
- Level 3 (Best) - This includes encrypted communication between the Agents and the Server, strong verification of the Cloudera Manager Server certificate by the Agents, and authentication of Agents to the Cloudera Manager Server using self-signed or CA-signed certificates. See Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server. Level 3 TLS prevents an untrusted Agent on an arbitrary host from presenting itself to the Cloudera Manager Server as a cluster member. Cloudera recommends that you configure Level 3 TLS for untrusted network environments before enabling Kerberos authentication, because the Server distributes keytabs to Agents and only verified Agents should receive them. Level 3 provides secure communication of keytabs between the Cloudera Manager Server and verified Agents across the cluster.
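The following script is an added example and not Cloudera's own tooling. It ties together the recommendation above to build an Agent's keystore in Java and export it with OpenSSL, the config.ini step of adding a host under Level 3, and the three TLS levels: gen_agent_pem produces the PEM key and certificate for one host, and write_agent_config prints the /etc/cloudera-scm-agent/config.ini TLS lines for a given level, so the weak Level 1 setting can be compared with the Level 2 and Level 3 settings. It assumes keytool (from a JDK) and openssl are on PATH, that the config.ini keys use_tls, verify_cert_file, client_key_file, client_cert_file and client_keypw_file are the Agent's TLS settings, and that the host name, output directory, CA path and password are placeholders; the self-signed key pair stands in for the CA-signed certificate you would issue in production.

```shell
#!/bin/sh
# Added example (not Cloudera's own tooling). Builds Agent TLS material the way
# the page recommends: Java keystore first, then PEM key and certificate exported
# with OpenSSL, plus the config.ini lines for each TLS level.
# Assumptions: keytool and openssl on PATH; config.ini keys use_tls,
# verify_cert_file, client_key_file, client_cert_file, client_keypw_file;
# all paths and the password below are placeholders.

# gen_agent_pem HOST OUTDIR PASSWORD
# Creates OUTDIR/HOST.jks, converts it to PKCS#12 and exports
# OUTDIR/HOST.key.pem (encrypted with PASSWORD) and OUTDIR/HOST.cert.pem.
gen_agent_pem() {
    host="$1"; out="$2"; pw="$3"
    mkdir -p "$out"
    # 1. Key pair in a Java keystore (self-signed here; a CA-signed deployment
    #    would add keytool -certreq / -importcert steps at this point).
    keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 \
        -dname "CN=$host" -validity 365 \
        -keystore "$out/$host.jks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
    # 2. Convert the keystore to PKCS#12 so OpenSSL can read it.
    keytool -importkeystore -noprompt \
        -srckeystore "$out/$host.jks" -srcstorepass "$pw" -srcalias "$host" \
        -destkeystore "$out/$host.p12" -deststoretype PKCS12 \
        -deststorepass "$pw" -destkeypass "$pw" >/dev/null 2>&1
    # 3. Export private key and certificate as PEM for the Agent.
    openssl pkcs12 -in "$out/$host.p12" -passin "pass:$pw" -nocerts \
        -out "$out/$host.key.pem" -passout "pass:$pw" 2>/dev/null
    openssl pkcs12 -in "$out/$host.p12" -passin "pass:$pw" -nokeys -clcerts \
        -out "$out/$host.cert.pem" 2>/dev/null
    # The Agent reads the key password from the file named by client_keypw_file.
    printf '%s' "$pw" > "$out/$host.keypw"
    chmod 600 "$out/$host.key.pem" "$out/$host.keypw"
}

# write_agent_config LEVEL CA_PEM KEY_PEM CERT_PEM KEYPW_FILE
# Prints the TLS lines for /etc/cloudera-scm-agent/config.ini at LEVEL.
# Level 1 only turns TLS on: the Agent encrypts but accepts any Server cert.
# Level 2 adds verify_cert_file so the Agent checks the Server cert against the CA.
# Level 3 adds the client key and cert so the Server can authenticate the Agent.
write_agent_config() {
    level="$1"; ca="$2"; key="$3"; cert="$4"; keypw="$5"
    echo "use_tls=1"
    [ "$level" -ge 2 ] && echo "verify_cert_file=$ca"
    if [ "$level" -ge 3 ]; then
        echo "client_key_file=$key"
        echo "client_cert_file=$cert"
        echo "client_keypw_file=$keypw"
    fi
    return 0
}

# cert_cn CERT_PEM
# Prints the CN of an exported certificate, to confirm it belongs to the host.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage (placeholder values): material for one new Level 3 host.
if [ "${1:-}" = "demo" ]; then
    gen_agent_pem agent1.example.com /tmp/agent-tls changeit
    write_agent_config 3 /etc/cloudera-scm-agent/ca.pem \
        /tmp/agent-tls/agent1.example.com.key.pem \
        /tmp/agent-tls/agent1.example.com.cert.pem \
        /tmp/agent-tls/agent1.example.com.keypw
fi
```

Run with `sh script.sh demo` on the new host, append the printed lines to config.ini, copy the CA certificate to the path given as verify_cert_file, and only then start the Agent. The Level 1 output is a single `use_tls=1` line, which is exactly why Level 1 alone does not stop a spoofed Server: nothing tells the Agent what to verify.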
For details on how HTTPS communication is handled by Cloudera Manager Agents and Cloudera Management Service daemons, see HTTPS Communication in Cloudera Manager.