Configuring TLS Security for Cloudera Manager

Transport Layer Security (TLS) is a security protocol designed to prevent eavesdropping, tampering, and message forgery in network communications. It uses encryption to mitigate the impact of any interception of network traffic by malicious users or processes. TLS also supports authentication of host identity before encrypted data is exchanged, to prevent spoofing.

Cloudera Manager cluster hosts can be configured for one of the three increasingly secure TLS levels shown in the table below.

Level 1 (Good): Encrypted communications between a Web browser and Cloudera Manager, and between Agents and Cloudera Manager. Use this level to encrypt all connections between a Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server.
Level 2 (Better): Encrypted communications (as with Level 1), plus Agents verify the authenticity of the Cloudera Manager Server's TLS certificate.
Level 3 (Best): Encrypted communications (as with Level 1) and Cloudera Manager Server certificate presentation (as with Level 2), plus each Agent presents a certificate to the Cloudera Manager Server to verify its identity and prevent spoofing by untrusted Agents running on hosts.

As you can see, these TLS levels are cumulative: you must finish configuring and enabling Level 1 and Level 2 before configuring Level 3.

With TLS configured and enabled, Cloudera Manager continues to listen for HTTP requests on port 7180 (default) but immediately redirects clients to port 7183 for HTTPS connectivity. For more information about how Cloudera Manager, Cloudera Management Service roles, and Cloudera Manager Agent nodes communicate using TLS/SSL for encrypted communications over HTTPS, see TLS/SSL Communication Between Cloudera Manager and Cloudera Management Services.
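To check what a running Cloudera Manager host actually enforces, here is an added Python probe; it is not part of Cloudera's documentation or tooling. It assumes the default ports above, and that the operator supplies the CA bundle path (Level 2) and the Agent certificate and key paths (Level 3).

```python
"""Probe a Cloudera Manager host for the TLS level it enforces.

Level 1: HTTP on 7180 redirects to HTTPS on 7183 (encryption only).
Level 2: the server certificate on 7183 chains to a trusted CA and
         matches the hostname (what Agents verify at Level 2).
Level 3: the client also presents a certificate (Agent identity).
"""
import http.client
import ssl
from typing import Optional
from urllib.parse import urlsplit

HTTP_PORT, HTTPS_PORT = 7180, 7183  # Cloudera Manager defaults


def is_https_redirect(status: int, location: Optional[str], host: str) -> bool:
    """True if the response on port 7180 bounces the client to HTTPS on 7183."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    parts = urlsplit(location)
    return (parts.scheme == "https"
            and parts.hostname == host.lower()
            and (parts.port or 443) == HTTPS_PORT)


def make_context(level: int, ca_bundle: Optional[str] = None,
                 client_cert: Optional[str] = None,
                 client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS settings matching each level (assumed file paths)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if level == 1:
        # Level 1 only encrypts: the peer certificate is not authenticated.
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    if level == 3:
        if not client_cert:
            raise ValueError("Level 3 requires the Agent's client certificate")
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def probe(host: str, level: int, **kw) -> dict:
    """Live check against a Cloudera Manager host (needs network access)."""
    result = {}
    conn = http.client.HTTPConnection(host, HTTP_PORT, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    result["redirects_to_https"] = is_https_redirect(
        resp.status, resp.getheader("Location"), host)
    conn.close()
    sconn = http.client.HTTPSConnection(
        host, HTTPS_PORT, context=make_context(level, **kw), timeout=10)
    try:
        sconn.request("GET", "/")
        result["tls_handshake_ok"] = sconn.getresponse().status < 500
    except ssl.SSLError as exc:  # e.g. untrusted CA at Level 2, no client cert at Level 3
        result["tls_handshake_ok"], result["error"] = False, str(exc)
    finally:
        sconn.close()
    return result
```

A handshake failure at Level 2 with the correct CA bundle, or at Level 3 with a valid Agent certificate, points at a misconfigured server certificate or truststore rather than at the client.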

To configure your cluster for Level 3, follow the step-by-step instructions in How to Configure TLS Encryption for Cloudera Manager.

To configure any specific individual level, follow the series of steps below:

See also: