Note: If you have already completed this step when configuring TLS encryption for Cloudera Manager, you do not need to repeat it.

  Warning: You must use an Oracle JDK keytool.

1. Use keytool to generate a certificate for the Cloudera Manager Server. For example:

   $ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA

   • The -validity option specifies the certificate lifetime in number of days. If no validity value is specified, the default value is used. The default varies, but is often 90 days.
   • The <path-to-keystore> must be a path to where you want to save the keystore file, and where the Cloudera Manager Server host can access.
2. When prompted by keytool, create a password for the keystore. Save the password in a safe place.
3. When prompted by keytool, fill in the answers accurately to the questions to describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host where the Server is running. For example, cmf.company.com or 192.168.123.101.

  Important: For the CN value, be sure to use a FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When agents connect to the server using TLS, they check whether the key uses the same name as the one they are using to connect to the server. If the names do not match, agents do not heartbeat.

1. Log into the Cloudera Manager Admin Console.
2. From the Administration tab select Settings, then go to the Security category.
3. Configure the following three TLS settings:

   Setting	Description
   Use TLS Encryption for Admin Console	Select this option to enable TLS encryption between the Server and user's web browser.
   Path to TLS Keystore File	Specify the full filesystem path to the keystore file.
   Keystore Password	Specify the password for keystore.

4. Click Save Changes to save the settings.

Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.

$ sudo service cloudera-scm-server restart

Log out and then log in into Cloudera Manager to test the certificate. You may see an warning message to accept the certificate if the root certificate is not installed in your browser.

Restart the Cloudera Management Services by clicking the Services link and choosing Restart on the Actions menu for the Cloudera Management Services. Click Restart that appears in the next screen to confirm. When you see a Finished status, the service has restarted.

Open the Cloudera Manager Admin Console page in your browser. Every browser has its own way of indicating a successful TLS connection. Some browsers indicate this by displaying a lock icon in the URL bar while others display an error message if the connection is unencrypted.