Level 1: Configuring TLS Encryption for Cloudera Manager Agents

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

Prerequisite:

You must have completed the steps described at Configuring TLS Encryption Only for Cloudera Manager.

Step 1: Enable Agent Connections to Cloudera Manager to use TLS

In this step, you enable TLS properties for Cloudera Manager Agents and their connections to the Cloudera Manager Server. These settings are configured in the Cloudera Manager Admin Console.

  1. Log into the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Click the Security category.
  4. Configure the following TLS settings in the Cloudera Manager Server:
    Property: Use TLS Encryption for Agents
    Description: Enable TLS encryption for Agents connecting to the Server. The Agents will still connect to the defined agent listener port for Cloudera Manager (default: 7182). With this property enabled, TLS is negotiated on connections to that port.
  5. Click Save Changes.

Step 2: Enable and Configure TLS on the Agent Hosts

To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent hosts.
  1. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following property:
    Property: use_tls
    Description: Specify 1 to enable TLS on the Agent, or 0 (zero) to disable TLS.
  2. Repeat this step on every Agent host. You can copy the Agent’s config.ini file across all hosts, since by default this file contains no host-specific information. If you modify properties such as listening_hostname or listening_ip in config.ini, you must configure the file individually for each host.
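
A check to run on each Agent host after editing config.ini, added here as an example; it is not part of Cloudera's documentation or tooling. It assumes plain key=value lines with # or ; comments, and the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an Agent config.ini (key=value lines; # or ; start comments).
# ini_get FILE KEY: print the last uncommented value of KEY (empty if unset).
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_agent_tls FILE: print findings; return 0 only when use_tls is 1.
audit_agent_tls() {
    file=$1
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }
    rc=0
    tls=$(ini_get "$file" use_tls)
    if [ "$tls" = "1" ]; then
        echo "OK: use_tls=1"
    else
        echo "FAIL: use_tls=${tls:-unset}, Agent TLS is not enabled"
        rc=1
    fi
    for key in listening_hostname listening_ip; do
        val=$(ini_get "$file" "$key")
        if [ -n "$val" ]; then
            echo "NOTE: $key=$val is host-specific; edit this file per host"
        fi
    done
    return "$rc"
}

# Constructed sample (not from a real host) so the script runs offline.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[General]
# listening_hostname=
listening_ip=10.0.0.12
[Security]
use_tls = 1
EOF
audit_agent_tls "$sample"
```

On an Agent host, call audit_agent_tls /etc/cloudera-scm-agent/config.ini in place of the sample file.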

Step 3: Restart the Cloudera Manager Server

Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.

$ sudo service cloudera-scm-server restart

Step 4: Restart the Cloudera Manager Agents

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 5: Verify that the Server and Agents are Communicating

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, TLS encryption is working properly.