Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

This is the second highest level of TLS security and requires that you provide a server certificate for the Cloudera Manager Server that is signed, either directly or through a chain, by a trusted root Certificate Authority (CA). You must also provide the certificate of the CA that signed the Server's server certificate. For test environments, you can use a self-signed server certificate.

Step 1: Configure TLS encryption

If you have not already done so, you must configure TLS encryption to use this second level of security. For instructions, see Configuring TLS Encryption Only for Cloudera Manager and Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

Step 2: Copy the CA Certificate or Cloudera Manager Server's .pem file to the Agents

  1. Agents can verify the Cloudera Manager Server using either the Server's server certificate or the associated root CA's certificate. Pick any one of these approaches to proceed.
    • Copying the Cloudera Manager Server's .pem file to the Agent host
      1. For verification by the Agent, copy the Server's .pem file (for example, cmhost.pem) to any directory on the Agent host. For our examples, this path will be /opt/cloudera/security/x509/cmhost.pem.
      2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
        Property          Description
        verify_cert_file  Point this property to the copied .pem file on the Agent host. For our example, /opt/cloudera/security/x509/cmhost.pem.
        use_tls           Set this property to 1.

      OR

    • Copy the CA certificates to the Agent host
      1. If you have a CA-signed certificate, copy the root CA or intermediate CA certificates in PEM format to the Agent host. For our example, the CA certificates will be copied to /opt/cloudera/security/CAcerts/*.
      2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
        Property          Description
        verify_cert_dir   Point this property to the directory on the Agent host with the copied CA certificates. For our example, /opt/cloudera/security/CAcerts/
        use_tls           Set this property to 1.
  2. Based on the approach you selected in step 1, repeat those steps on every Agent host. You may copy the Agent’s config.ini file to all hosts, because by default the file contains no host-specific information. If you modify properties such as listening_hostname or listening_ip in config.ini, then the file must be configured per host.
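A pre-restart sanity check for the settings edited in Step 2, written as an added example (not Cloudera's code or documentation): it reads an Agent config.ini, confirms use_tls is 1, and confirms that whichever of verify_cert_file or verify_cert_dir is set actually points at PEM material on the host, so a typo does not silently leave the Agent encrypting without verifying the Server. The [General] section name matches the Agent's config.ini; the sample configs and certificate files are constructed inside a temporary directory.

```python
import configparser
import os
import tempfile

def check_agent_tls_config(config_path):
    """Return findings for [General] in an Agent config.ini; [] means consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(config_path)
    if not cp.has_section("General"):
        return ["no [General] section in %s" % config_path]
    gen, findings = cp["General"], []
    if gen.get("use_tls", "0").strip() != "1":
        findings.append("use_tls is not 1: the Agent will not use TLS at all")
    cert_file = gen.get("verify_cert_file", "").strip()
    cert_dir = gen.get("verify_cert_dir", "").strip()
    if not cert_file and not cert_dir:
        findings.append("neither verify_cert_file nor verify_cert_dir set: Server is not verified")
    if cert_file:
        if not os.path.isfile(cert_file):
            findings.append("verify_cert_file %s not found on this host" % cert_file)
        elif "-----BEGIN CERTIFICATE-----" not in open(cert_file).read():
            findings.append("verify_cert_file %s is not PEM encoded" % cert_file)
    if cert_dir:
        if not os.path.isdir(cert_dir):
            findings.append("verify_cert_dir %s not found on this host" % cert_dir)
        elif not any(n.endswith(".pem") for n in os.listdir(cert_dir)):
            findings.append("verify_cert_dir %s contains no .pem files" % cert_dir)
    return findings

def demo():
    """Run the check over constructed samples: both Step 2 approaches, encrypt-only, TLS off."""
    cert = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        pem, cadir = os.path.join(tmp, "cmhost.pem"), os.path.join(tmp, "CAcerts")
        os.mkdir(cadir)
        for p in (pem, os.path.join(cadir, "rootca.pem")):
            with open(p, "w") as f:
                f.write(cert)  # constructed placeholder, not a real certificate
        samples = {
            "file_mode": "[General]\nuse_tls=1\nverify_cert_file=%s\n" % pem,
            "dir_mode": "[General]\nuse_tls=1\nverify_cert_dir=%s\n" % cadir,
            "encrypt_only": "[General]\nuse_tls=1\n",
            "tls_off": "[General]\nuse_tls=0\nverify_cert_file=%s/missing.pem\n" % tmp,
        }
        results = {}
        for name, text in samples.items():
            path = os.path.join(tmp, name + ".ini")
            with open(path, "w") as f:
                f.write(text)
            results[name] = check_agent_tls_config(path)
        return results
```

Run check_agent_tls_config("/etc/cloudera-scm-agent/config.ini") on each Agent host before Step 3; an empty result means the host is ready to restart.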

Step 3: Restart the Cloudera Manager Agents

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 4: Restart the Cloudera Management Services

Use the following steps to restart the Cloudera Management Service from the Cloudera Manager Admin Console.

  1. On the Home page, click the menu to the right of the service name and select Restart.
  2. In the confirmation screen that appears, click Start. When the status shows Finished, the service has restarted.

Step 5: Verify that the Server and Agents are communicating

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log, /var/log/cloudera-scm-agent/cloudera-scm-agent.log, which records errors when the connection fails.