Configuring TLS Encryption only for Cloudera Manager
Use the JDK keytool utility to manage the public keys and certificates for the Cloudera Manager Server. Before configuring TLS security for Cloudera Manager, create a keystore, as described in the keytool documentation. For example, you might use a command similar to the following:
keytool -genkey -alias jetty -keystore truststore
Step 1: Create a Cloudera Manager Server certificate.
You must use an Oracle JDK keytool.
- Use keytool to generate a certificate for the Cloudera Manager Server. For example:
$ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
- The -validity option specifies the certificate lifetime in number of days. If no validity value is specified, the default value is used. The default varies, but is often 90 days.
- The <path-to-keystore> must be a path where you want to save the keystore file and which the Cloudera Manager Server host machine can access.
- When prompted by keytool, create a password for the keystore. Save the password in a safe place.
- When prompted by keytool, answer the questions accurately to describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully qualified domain name (FQDN) or IP address of the host machine where the Server is running. For example, cmf.company.com or 192.168.123.101.
For the CN value, be sure to use an FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When agents connect to the server using TLS, they check whether the certificate uses the same name as the one they are using to connect to the server. If the names do not match, agents do not heartbeat.
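The following shell helpers are an added example, not part of the Cloudera documentation. They wrap the keytool step above so the key pair is generated non-interactively with the CN set to the server's FQDN (refusing a bare IP address or a short host name), and they check an existing keystore's certificate CN against the name the Agents use, which is the mismatch that stops Agents from heartbeating. The function names, the -keysize 2048 choice and the sample keytool listing are assumptions made for this example; keytool is assumed to be the Oracle JDK one on PATH.

```sh
#!/bin/sh
# Added example, not Cloudera's own code: helpers for creating the Cloudera Manager
# Server keystore and checking that the certificate CN matches the name the
# Agents connect to. Function names and the sample listing are constructed.

# is_fqdn NAME: succeed only for a dotted host name, not a bare IP or a short name.
is_fqdn() {
  case "$1" in
    *.*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!0-9.]*) return 0 ;;   # has a letter or hyphen, so not a dotted-quad IP
    *) return 1 ;;
  esac
}

# generate_server_keypair KEYSTORE [FQDN] [DAYS]: create the "jetty" key pair.
# keytool (assumed on PATH) prompts for the keystore and key passwords.
generate_server_keypair() {
  keystore=$1
  fqdn=${2:-$(hostname -f)}
  days=${3:-180}
  if ! is_fqdn "$fqdn"; then
    echo "refusing CN=$fqdn: use the server's fully qualified host name" >&2
    return 1
  fi
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity "$days" \
    -alias jetty -keystore "$keystore" -dname "CN=$fqdn"
}

# extract_cn: read 'keytool -list -v' output on stdin, print the CN of the first Owner line.
extract_cn() {
  sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# cn_matches KEYTOOL_OUTPUT EXPECTED_NAME: succeed if the certificate CN equals EXPECTED_NAME.
cn_matches() {
  cn=$(printf '%s\n' "$1" | extract_cn)
  [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# check_keystore KEYSTORE EXPECTED_NAME: list a real keystore with keytool and compare.
check_keystore() {
  out=$(keytool -list -v -alias jetty -keystore "$1") || return 2
  cn_matches "$out" "$2"
}

# Constructed sample of 'keytool -list -v' output, used only for demonstration.
SAMPLE_LISTING='Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=cmf.company.com, OU=Ops, O=Company, C=US
Issuer: CN=cmf.company.com, OU=Ops, O=Company, C=US'

if [ "${1:-}" = "--demo" ]; then
  cn_matches "$SAMPLE_LISTING" cmf.company.com && echo "CN matches cmf.company.com"
  cn_matches "$SAMPLE_LISTING" cmf.company.local \
    || echo "CN does not match cmf.company.local: agents would not heartbeat"
fi
```

Run `sh script.sh --demo` to see the check against the constructed listing; on a real server, `check_keystore <path-to-keystore> "$(hostname -f)"` before restarting cloudera-scm-server tells you whether the name in the certificate is the one the Agents will verify.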
Step 2: Enable TLS encryption and specify Server keystore properties.
Step 3: Enable and configure TLS on the Agent machines.
To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent machines.
- On the Agent Host machine, open the /etc/cloudera-scm-agent/config.ini configuration file:
- Edit the following property in the /etc/cloudera-scm-agent/config.ini configuration file.
- Repeat these steps on every Agent Machine.
Step 4: Restart the Cloudera Manager Server.
Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.
$ sudo service cloudera-scm-server restart
To enable TLS security, you must restart the Server.
Step 5: Restart the Cloudera Manager Agents.
On every Agent Host machine, restart the Agent:
$ sudo service cloudera-scm-agent restart