Configuring TLS Authentication of Agents to Server

This is the highest level of TLS security and requires you to use openssl to create private keys and public certificates for every Agent on your cluster, and import those Agents' certificates into the Server's truststore.

Step 1: Configure TLS encryption.

If you have not already done so, you must configure TLS encryption to use this third level of security. For instructions, see Configuring TLS Encryption for Cloudera Manager.

Step 2: Configure TLS Authentication of Server to Agents.

If you have not already done so, you must configure TLS Authentication of Server to Agents. For instructions, see Configuring TLS Authentication of Server to Agents.

Step 3. Generate the private key for the Agent using openssl.

  1. Run the following openssl command:
    $ openssl genrsa -des3 -out agent.key
  2. Provide a password for the key file. Note it in a safe place.

Step 4: Generate a certificate for the agent.

  1. Run the following openssl command.
    $ openssl req -new -x509 -days 365 -key agent.key -out agent.pem

    The key is output in a .pem file. In the preceding example, the optional days argument results in a certificate that is valid for 365 days.

  2. Fill in the answers to the questions about the certificate. Note that the CN must match the host name or IP address of the Agent machine.

Step 5: Create a file that contains the password for the key.

The Agent reads the password from a text file instead of from a command line. The file allows you to use file permissions to protect the password. For example, name the file

Step 6: Configure the Agent with its private key and certificate.

  1. On the Agent Host machine, open the /etc/cloudera-scm-agent/config.ini configuration file:
  2. Edit the following properties in the /etc/cloudera-scm-agent/config.ini configuration file.




    Name of client key file


    Name of client key pw file


    Name of client certificate file

  3. Repeat these steps on every Agent Machine.

Step 7: Import the Agent's certificate into the Server's truststore.

The Server's truststore contains the certificates that are required to authenticate clients. Use the following command to import a certificate called, for example, agent.pem into a new truststore called, for example, truststore.

$ keytool -keystore <path-to-truststore> -import -alias <agent-name> -file agent.pem

Step 8: Repeat steps 3 through 7 for every agent in your cluster.


Each Agent's private key and certificate that you import into the Server's truststore must be unique.

Step 9: Enable Agent authentication and configure the Server to use the new truststore.

  1. Log into the Cloudera Manager Admin Console.
  2. Click the gear icon images/image1.jpeg to display the Administration page and then configure the following TLS settings:



    Use TLS Authentication of Agents to Server

    Select this option to enable TLS Authentication of Agents to the Server.

    Path to Truststore

    Specify the full filesystem path to the truststore located on the Cloudera Manager Server host.

    Truststore Password

    Specify the password for the truststore.

  3. Click Save Changes to save the settings.

Step 10: Restart the Server.

$ sudo service cloudera-scm-server restart

Step 11: Restart the Cloudera Manager Agents.

On every Agent Host machine, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 12: Verify that the Server and Agents are communicating.

In Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If they are not, you may get an error in the Server, such as a null CA chain error. This implies either the truststore doesn't contain the Agent certificate or the Agent isn't presenting the certificate. Double check all of your settings. Check the Server's log to verify whether TLS and Agent validation have been enabled correctly.