This is the documentation for Cloudera Manager 4.8.6. Documentation for other versions is available at Cloudera Documentation.

Cloudera Manager 4 and CDH 4 have reached End of Maintenance (EOM) on August 9, 2015. Cloudera will not support or provide patches for any of the Cloudera Manager 4 or CDH 4 releases after that date.

Configuring TLS Encryption only for Cloudera Manager

Use the keytool located here to manage the public keys and certificates for the Cloudera Manager Server. Before configuring TLS security for Cloudera Manager, create a keystore, as described in the documentation at the preceding link. For example, you might use a command similar to the following:

keytool -genkey -alias jetty -keystore truststore

Step 1: Create a Cloudera Manager Server certificate.


You must use an Oracle JDK keytool.

  1. Use keytool to generate a certificate for the Cloudera Manager Server. For example:
    $ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
    • The -validity option specifies the certificate lifetime in number of days. If no validity value is specified, the default value is used. The default varies, but is often 90 days.
    • The <path-to-keystore> must be a path to where you want to save the keystore file, and where the Cloudera Manager Server host machine can access.
  2. When prompted by keytool, create a password for the keystore. Save the password in a safe place.
  3. When prompted by keytool, fill in the answers accurately to the questions to describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host machine where the Server is running. For example, or

For the CN value, be sure to use a FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When agents connect to the server using TLS, they check whether the key uses the same name as the one they are using to connect to the server. If the names do not match, agents do not heartbeat.

Step 2: Enable TLS encryption and specify Server keystore properties.

  1. Log into the Cloudera Manager Admin Console.
  2. From the Administration tab select Settings, then go to the Security category.
  3. Configure the following three TLS settings:



    Use TLS Encryption for Agents

    Select this option to enable TLS encryption between the Server and Agents.

    Path to TLS Keystore File

    Specify the full filesystem path to the keystore file.

    Keystore Password

    Specify the password for keystore.

  4. Click Save Changes to save the settings.

Step 3: Enable and configure TLS on the Agent machines.

To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent machines.

  1. On the Agent Host machine, open the /etc/cloudera-scm-agent/config.ini configuration file:
  2. Edit the following property in the /etc/cloudera-scm-agent/config.ini configuration file.




    Specify 1 to enable TLS on the Agent, or 0 (zero) to disable TLS.

  3. Repeat these steps on every Agent Machine.

Step 4: Restart the Cloudera Manager Server.

Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.

$ sudo service cloudera-scm-server restart

To enable TLS security, you must restart the Server.

Step 5: Restart the Cloudera Manager Agents.

On every Agent Host machine, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 6: Verify that the Server and Agents are communicating.

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, TLS encryption is working properly.

This page last updated September 8, 2015