Deploying the Cloudera Manager Keystore for Level 1 TLS with Self-Signed Certificates

This topic describes how to perform Step 1: Create the Cloudera Manager Server Keystore, Generate a Certificate Request, and Install the Certificate, but with self-signed certificates.

  1. Create a directory to store the self-signed certificate-key pair that you will create.
    $ mkdir -p /opt/cloudera/security/x509/ /opt/cloudera/security/jks/
    $ cd /opt/cloudera/security/jks
    Use chmod/chown to change ownership of the /opt/cloudera/security/jks directory to give Cloudera Manager access to the directory.
  2. Generate a self-signed certificate-key pair and save it to a keystore, such as example.keystore.
    $ keytool -genkeypair -keystore example.keystore -keyalg RSA -alias example \
    -dname "CN=example.cloudera" -storepass cloudera -keypass cloudera
  3. Copy the default Java truststore, cacerts, to the alternate truststore at the same location, jssecacerts. Java uses jssecacerts in preference to cacerts when it exists, so you can append self-signed certificates to this truststore without modifying the default cacerts file.
    $ sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
  4. Export the certificate from example.keystore.
    $ keytool -export -alias example -keystore example.keystore -rfc -file selfsigned.cer
  5. Copy the self-signed certificate to the /opt/cloudera/security/x509/ directory (or any location where it can be used by Cloudera Manager).
    $ cp selfsigned.cer /opt/cloudera/security/x509/cmhost.pem
  6. Import the certificate into the alternate Java truststore, so that any Java process on this machine will trust it. Repeat this on all machines. The default password for the Java truststore is changeit. Do not use the password created for the keystore in Step 2. The certificate file was written to the current directory, /opt/cloudera/security/jks, in Step 4.
    $ keytool -import -alias example -file /opt/cloudera/security/jks/selfsigned.cer \
    -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit
  7. Rename the keystore to cmhost-keystore.jks (this keeps this example consistent with the documentation for CA-signed certificates). You can delete the exported certificate file, since a copy already exists at /opt/cloudera/security/x509/cmhost.pem from Step 5.
    $ mv /opt/cloudera/security/jks/example.keystore /opt/cloudera/security/jks/cmhost-keystore.jks
    $ rm /opt/cloudera/security/jks/selfsigned.cer
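The seven steps above as one script, added here as an example and not Cloudera's own tooling. It follows the page's flow (keytool key pair, PEM export to x509/cmhost.pem, jssecacerts copy and import) and adds what a practitioner wants before a self-signed certificate is trusted on every host: a password check that enforces the warning in Step 6, restrictive ownership and modes for the chmod/chown the page leaves open in Step 1, an idempotent import, and a final comparison of the fingerprint in the truststore against the fingerprint of the key the server will present. Everything not in the page is this example's assumption: the cmhost alias, the SAN extension, key size and validity, the 0750/0440 modes, the CM_* environment variables, the service account name and the JAVA_HOME fallback. -exportcert and -importcert are the current keytool names for the page's -export and -import.

```shell
#!/bin/sh
# Added example, not Cloudera's own tooling: the seven steps above as one
# script plus the checks a practitioner wants before a self-signed
# certificate is trusted cluster-wide. Everything not on the page is an
# assumption of this example (cmhost alias, SAN, key size, validity,
# 0750/0440 modes, CM_* variables, fingerprint comparison).
set -eu

SEC_ROOT=/opt/cloudera/security
JKS_DIR=$SEC_ROOT/jks
X509_DIR=$SEC_ROOT/x509
JAVA_SEC=${JAVA_HOME:-/usr/java/default}/jre/lib/security   # fallback is assumed
DEFAULT_TRUST_PASS=changeit   # Java's shipped truststore password (Step 6)

# Reject the password mistakes the steps warn about: the Java default reused
# as the keystore password, one password for both stores, and anything
# shorter than keytool's six-character minimum.
validate_passwords() {
  ks_pass=$1; ts_pass=$2
  [ "${#ks_pass}" -ge 6 ] || return 1
  [ "$ks_pass" != "$DEFAULT_TRUST_PASS" ] || return 1
  [ "$ks_pass" != "$ts_pass" ] || return 1
  return 0
}

# Step 1: directories owned by the Cloudera Manager service account and
# closed to other users (the page only says "use chmod/chown").
prepare_dirs() {
  owner=$1   # user:group, e.g. cloudera-scm:cloudera-scm (assumed name)
  mkdir -p "$JKS_DIR" "$X509_DIR"
  chown -R "$owner" "$SEC_ROOT"
  chmod 750 "$JKS_DIR" "$X509_DIR"
}

# Steps 2, 4, 5 and 7: generate the pair straight into cmhost-keystore.jks
# and export the PEM to x509/cmhost.pem. A SAN entry is added because clients
# that ignore CN would otherwise fail hostname verification.
make_keypair() {
  host=$1; ks_pass=$2
  keytool -genkeypair -keystore "$JKS_DIR/cmhost-keystore.jks" -keyalg RSA \
    -keysize 2048 -alias cmhost -dname "CN=$host" -ext "SAN=dns:$host" \
    -validity 365 -storepass "$ks_pass" -keypass "$ks_pass"
  keytool -exportcert -alias cmhost -keystore "$JKS_DIR/cmhost-keystore.jks" \
    -storepass "$ks_pass" -rfc -file "$X509_DIR/cmhost.pem"
  chmod 440 "$JKS_DIR/cmhost-keystore.jks"   # private key: owner/group read only
}

# Steps 3 and 6: create jssecacerts once, then import the certificate.
# Re-runs replace an older entry under the same alias instead of failing.
install_trust() {
  ts_pass=$1
  [ -f "$JAVA_SEC/jssecacerts" ] || cp "$JAVA_SEC/cacerts" "$JAVA_SEC/jssecacerts"
  keytool -delete -alias cmhost -keystore "$JAVA_SEC/jssecacerts" \
    -storepass "$ts_pass" 2>/dev/null || true
  keytool -importcert -noprompt -alias cmhost -file "$X509_DIR/cmhost.pem" \
    -keystore "$JAVA_SEC/jssecacerts" -storepass "$ts_pass"
}

# Check that what the truststore now trusts is exactly the certificate the
# server will present: the fingerprint keytool prints for each must match.
verify_trust() {
  ks_pass=$1; ts_pass=$2
  want=$(keytool -list -keystore "$JKS_DIR/cmhost-keystore.jks" -alias cmhost \
           -storepass "$ks_pass" | awk '/fingerprint/ {print $NF}')
  got=$(keytool -list -keystore "$JAVA_SEC/jssecacerts" -alias cmhost \
          -storepass "$ts_pass" | awk '/fingerprint/ {print $NF}')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

main() {
  host=${1:?usage: CM_KEYSTORE_PASS=... CM_TLS_RUN=1 $0 <fqdn> <user:group>}
  owner=${2:?usage: CM_KEYSTORE_PASS=... CM_TLS_RUN=1 $0 <fqdn> <user:group>}
  ks_pass=${CM_KEYSTORE_PASS:?set CM_KEYSTORE_PASS}
  ts_pass=${CM_TRUSTSTORE_PASS:-$DEFAULT_TRUST_PASS}
  validate_passwords "$ks_pass" "$ts_pass" || {
    echo "refusing: keystore password too short, the Java default, or equal to the truststore password" >&2
    exit 1
  }
  prepare_dirs "$owner"
  make_keypair "$host" "$ks_pass"
  install_trust "$ts_pass"
  if verify_trust "$ks_pass" "$ts_pass"; then
    echo "jssecacerts entry matches $JKS_DIR/cmhost-keystore.jks"
  else
    echo "fingerprint mismatch between keystore and jssecacerts" >&2
    exit 1
  fi
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${CM_TLS_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as root on each host with `CM_KEYSTORE_PASS=<keystore password> CM_TLS_RUN=1 ./cm-selfsigned.sh cm.example.com cloudera-scm:cloudera-scm`; set CM_TRUSTSTORE_PASS if your jssecacerts password is no longer changeit. The fingerprint comparison is the check to keep even when doing the steps by hand: a truststore that contains some other certificate under the expected alias fails silently at import time and only shows up later as a handshake error.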

To continue setting up Level 1 TLS, go back to Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties.