Configuring TLS/SSL Encryption for CDH Services

In addition to configuring the Cloudera Manager cluster to use TLS/SSL (as detailed in Configuring Cloudera Manager Clusters for TLS/SSL and the topics that follow it), the CDH services running on the cluster should also be configured to use TLS/SSL. The process varies by component, so follow the steps below as needed for your system. Before configuring TLS/SSL for any service, make sure your cluster meets the prerequisites listed at the end of this page.

In general, all the roles on a given node in the cluster can share the same certificate and private key, provided the artifacts are available in the format each role expects (a JKS keystore for Java-based roles, PEM files for roles that use OpenSSL) and each role's configuration points to that location. If you follow the steps in How to Configure TLS Encryption for Cloudera Manager to create your CSRs, and use a symbolic link for the path to the certificates, you will be setting up the certificates for optimal reuse across the cluster: every host can use the same role configuration while the link resolves to that host's own files.
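The following shell function is an added example (it is not part of the Cloudera documentation or product) that checks the per-node layout described above before you enable TLS/SSL for a service: the shared PEM certificate and key, the JKS keystore holding the same key pair, and the JKS truststore must all exist, any symbolic link must resolve to a real file, the private key and keystore must not be world-readable, and the PEM files must actually be PEM. The directory layout and file names (`agent.pem`, `agent.key`, `agent.jks`, `truststore.jks`) are assumptions for illustration; substitute whatever names your CSR procedure produced.

```shell
#!/bin/sh
# Added example, not Cloudera's own tooling. Verifies the shared
# certificate layout on one host. File names are assumed for illustration.
#
# Usage: check_tls_layout <cert_dir>
# Expects, under <cert_dir>:
#   agent.pem        PEM certificate (roles that use OpenSSL)
#   agent.key        PEM private key for agent.pem
#   agent.jks        JKS keystore with the same key pair (Java-based roles)
#   truststore.jks   JKS truststore holding the signing CA chain
# Each may be a symbolic link to a host-specific file, which is what lets
# one role configuration be reused on every host.
check_tls_layout() {
    dir=$1
    rc=0
    for f in agent.pem agent.key agent.jks truststore.jks; do
        p="$dir/$f"
        if [ -L "$p" ]; then
            target=$(readlink "$p")
            # A dangling link is the usual leftover after a host rebuild.
            if [ ! -e "$p" ]; then
                echo "MISSING: $p -> $target (dangling symlink)"
                rc=1
                continue
            fi
            echo "ok: $p -> $target"
        elif [ -f "$p" ]; then
            echo "ok: $p"
        else
            echo "MISSING: $p"
            rc=1
            continue
        fi
        # The private key and the keystore that contains it must not be
        # world-readable. find -L follows the link and tests the target.
        case $f in
            agent.key|agent.jks)
                if [ -n "$(find -L "$p" -perm -004 -print 2>/dev/null)" ]; then
                    echo "INSECURE: $p is world-readable"
                    rc=1
                fi
                ;;
        esac
    done
    # Cheap format check: a role configured for PEM will fail at startup
    # if it is handed a DER or JKS file by mistake.
    if [ -e "$dir/agent.pem" ] && ! grep -q 'BEGIN CERTIFICATE' "$dir/agent.pem"; then
        echo "BAD FORMAT: $dir/agent.pem is not a PEM certificate"
        rc=1
    fi
    if [ -e "$dir/agent.key" ] && ! grep -q 'PRIVATE KEY' "$dir/agent.key"; then
        echo "BAD FORMAT: $dir/agent.key is not a PEM private key"
        rc=1
    fi
    return $rc
}
```

Run it on each host as part of the prerequisite check; a non-zero exit means at least one role pointed at that directory will fail to start with TLS/SSL enabled or will expose its private key.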

Not all CDH components support TLS/SSL, and not all of the external systems they connect to support it either. Unless a component is explicitly listed in this guide, assume it may not currently support TLS/SSL. For example, Sqoop does not currently support TLS/SSL connections to Oracle, MySQL, or other databases.

Prerequisites

Cloudera recommends that the cluster and all services use Kerberos for authentication. TLS/SSL protects data in transit, but without strong authentication any client that can reach a service can still use it. If you enable TLS/SSL for a cluster that has not been configured to use Kerberos, Cloudera Manager displays a warning. Integrate the cluster with your Kerberos deployment before proceeding.

The steps below require the cluster to have been configured to a minimum of TLS Level 2, so that the Cloudera Manager Server certificate and the Cloudera Manager Agent certificates are already properly configured and in place. In addition, you should have the certificates and keys needed by the specific CDH service ready, in the format that service expects.

If the cluster meets these requirements, you can configure the specific CDH service to use TLS/SSL, as detailed in this section.