Deploying the Cloudera Manager Keystore for Level 1 TLS with Self-Signed Certificates
This topic describes how to perform Step 1: Create the Cloudera Manager Server Keystore, Generate a Certificate Request, and Install the Certificate, but with self-signed certificates.
- Create a directory to store the self-signed certificate-key pair that you will create.
$ mkdir -p /opt/cloudera/security/x509/ /opt/cloudera/security/jks/ $ cd /opt/cloudera/security/jksUse chmod/chown to change ownership of the /opt/cloudera/security/jks directory to give Cloudera Manager access to the directory.
- Generate a self-signed certificate-key pair and save it to a keystore, such as example.keystore.
$ keytool -genkeypair -keystore example.keystore -keyalg RSA -alias example \ -dname "CN=example.cloudera" -storepass cloudera -keypass cloudera
- Copy the default Java truststore, cacerts, to the alternate truststore at the same location, jssecacerts. You can append
any self-signed certificates to this truststore without modifying the default cacerts file.
$ sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
- Export the certificate from example.keystore.
$ keytool -export -alias example -keystore example.keystore -rfc -file selfsigned.cer
- Copy the self-signed certificate to the /opt/cloudera/security/x509/ directory (or any location where it can be used by Cloudera Manager).
$ cp selfsigned.cer /opt/cloudera/security/x509/cmhost.pem
- Import the public key into the alternate Java truststore, so that any process that runs with Java on this machine will trust the key. Repeat this on all machines. The default password
for the Java truststore is changeit. Do not use the password created for the keystore in Step 2.
$ keytool -import -alias example -file /opt/cloudera/security/selfsigned.cer \ -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit
- Rename the keystore to cmhost-keystore.jks (this is to keep this example consistent with the documentation for CA-signed certificates). You can delete the certificate since it has already been exported to the
keystore at /opt/cloudera/security/x509/cmhost.pem in a previous step.
$ mv /opt/cloudera/security/jks/example.keystore /opt/cloudera/security/jks/cmhost-keystore.jks $ rm /opt/cloudera/security/selfsigned.cer
To continue setting up Level 1 TLS, go back to Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties.