Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

Level 2 of TLS security requires that you provide a server certificate that is signed, either directly or through a chain, by a trusted root certificate authority (CA), to the Cloudera Manager Server. You must also provide the certificate of the CA that signed the Server certificate. For test environments, you can use a self-signed server certificate.

If the Cloudera Manager Server certificate or the associated CA certificate is missing or expired, Agents will not communicate with the Cloudera Manager Server.

Step 1: Configure TLS encryption

If you have not done so, configure TLS encryption to use Level 2 security. For instructions, see Configuring TLS Encryption Only for Cloudera Manager and Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

Step 2: Copy the CA certificate or Cloudera Manager Server .pem file to the Agents

  1. Agents can verify the Cloudera Manager Server using either the Server certificate or the associated root CA certificate. Do one of the following to proceed:
    • Copy the Cloudera Manager Server .pem file to the Agent host
      1. For verification by the Agent, copy the Server .pem file (for example, cmhost.pem ) to any directory on the Agent host. In the examples, this path is /opt/cloudera/security/x509/cmhost.pem.
      2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
        Property Description
        verify_cert_file

        Point this property to the copied .pem file on the Agent host; in this example, /opt/cloudera/security/x509/cmhost-cert.pem.

        use_tls Set this property to 1.

      OR

    • Copy the CA certificates to the Agent host
      1. If you have a CA-signed certificate, copy the root CA or intermediate CA certificates in PEM format to the Agent host. In the example, the CA certificates are copied to /opt/cloudera/security/CAcerts/*.
      2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
        Property Description
        verify_cert_dir Point this property to the directory on the Agent host with the copied CA certificates; in the example, /opt/cloudera/security/CAcerts/.
        use_tls Set this property to 1.
  2. Repeat the approach you used in step 1 on every Agent host. You can copy the Agent’s config.ini file across all hosts. However, if you modify properties such as listening_hostname or listening_ip address in config.ini, you must configure config.ini for each host individually.

Step 3: Restart the Cloudera Manager Agents

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 4: Restart the Cloudera Management Services

To restart the Cloudera Management Service from the Cloudera Manager Admin Console:

  1. On the Home > Status tab, click to the right of the service name and select Restart.
  2. Click Start on the next screen to confirm. When you see a Finished status, the service has restarted.

Step 5: Verify that the Server and Agents are communicating

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log /var/log/cloudera-scm-agent/cloudera-scm-agent.log, which shows errors if the connection fails.