Using Self-Signed Certificates (Level 1 TLS)

Self-signed certificates should not be used for production deployments. However, for testing and other non-production purposes, self-signed certificates let you quickly obtain the certificates needed for Step 1: Obtain Encryption Keys and Certificates for Cloudera Manager Server.

Replace paths, file names, aliases, and other examples in the commands below for your system.

  1. Create the directory for the certificates:
    $ mkdir -p /opt/cloudera/security/x509/ /opt/cloudera/security/jks/
    $ cd /opt/cloudera/security/jks
    Give Cloudera Manager access to the directory: chown -R cloudera-scm:cloudera-scm /opt/cloudera/security/jks
  2. Generate the key pair and self-signed certificate, and store these in the keystore (example.keystore). Set -keypass to the same value as -storepass (Cloudera Manager does not support separate values for -keypass and -storepass.)
    $ keytool -genkeypair -keystore example.keystore -keyalg RSA -alias cmhost \
    -dname "CN=cmhost.sec.example.com,OU=Security,O=Example,L=Denver,ST=Colorado,C=US" -storepass password -keypass password
  3. Copy the default Java truststore (cacerts) to the alternate system truststore (jssecacerts). (You can append any self-signed certificates to jssecacerts without modifying the default cacerts file.)
    $ sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
  4. Export the certificate from the keystore (example.keystore).
    $ keytool -export -alias cmhost -keystore example.keystore -rfc -file selfsigned.cer
  5. Copy the self-signed certificate (selfsigned.cer) to the /opt/cloudera/security/x509/ directory.
    $ cp selfsigned.cer /opt/cloudera/security/x509/cmhost.pem
  6. Import the public key into the alternate system truststore (jssecacerts), so that any process that runs with Java on this machine will trust the key. The default password for the Java truststore is changeit. Do not use the password created for the keystore in Step 2.
    $ keytool -import -alias cmhost -file /opt/cloudera/security/jks/selfsigned.cer \
    -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit
  7. Rename the keystore (for example, from example.keystore to cmhost-keystore.jks):
    $ mv /opt/cloudera/security/jks/example.keystore /opt/cloudera/security/jks/cmhost-keystore.jks
    
    You can also delete the certificate (it's already been added to the keystore at /opt/cloudera/security/x509/cmhost.pem).
    $ rm /opt/cloudera/security/selfsigned.cer

You now have the self-signed certificate set up complete, and can continue configuring TLS Level 1 (Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties).