Level 0: Basic TLS/SSL Configuration

Configuring a Cloudera Manager cluster to use TLS for encrypted network and intra-cluster communications is a multi-step process involving many tasks, including using Linux shell commands on the Cloudera Manager Server host system, configuring the Cloudera Manager Agent host's configuration files, and using the Cloudera Manager Admin Console to enable TLS/SSL capabilities. Completing these tasks requires that you have:
  • Privileges as user root (able to sudo) on the hosts that comprise the cluster;
  • Cloudera Manager Admin Console role of Cluster Administrator or Full Administrator.

Cloudera Management Service and TLS/SSL

Configuring TLS/SSL on any server affects how clients interact with that server. For browsers, which communicate over HTTP, TLS/SSL configured on a server host redirects traffic from the HTTP port (7180) to the secure HTTP port, HTTPS (7183). When TLS Level 0 configuration is complete, the Cloudera Management Service roles are enabled for TLS encryption. Similarly, RPC clients are redirected to their secure port.

Cloudera Management Service Roles and HTTPS Communications

Cloudera Management Service is transparently installed during the Cloudera Management Server installation. It is a service available from the Cloudera Manager Admin Console that comprises the monitoring and reporting roles shown in the table below.
HTTPS Client (Role):
  • Activity Monitor
  • Host Monitor
  • Service Monitor
  • Event Server
  • Reports Manager
Web servers (HTTPS Service): Cloudera Manager Server, Name Node, Job Tracker, Oozie, Impala, YARN

When the cluster starts, these Cloudera Management Service roles connect to the Cloudera Manager Server and access the truststore to validate the Cloudera Manager Server's certificate and complete the TLS/SSL connection.
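
The two behaviours described above (the HTTP port 7180 redirecting to HTTPS on 7183, and clients validating the Cloudera Manager Server's certificate against trusted CA certificates) can be checked from any host with curl and openssl. The script below is an added example, not part of the original page or of Cloudera's tooling. It assumes a PEM export of the CA certificate held in the truststore, and the host name, CA path and script name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Cloudera's code. Host name and CA path are placeholders.
CM_HTTP_PORT=7180     # HTTP port named on the page
CM_HTTPS_PORT=7183    # HTTPS port named on the page

# Succeeds if redirect URL $1 points at https://<host $2>:7183.
is_https_redirect() {
  case "$1" in
    "https://$2:${CM_HTTPS_PORT}"|"https://$2:${CM_HTTPS_PORT}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `openssl s_client` output on stdin. Succeeds only if a
# "Verify return code" line is present and every such line reports 0 (ok).
verify_ok() {
  awk '/Verify return code:/ { seen = 1; if ($4 != 0) bad = 1 }
       END { exit !(seen && !bad) }'
}

# Prints where the HTTP port redirects to (no -L, nothing is followed).
cm_redirect_target() {
  curl -s -o /dev/null --max-time 10 -w '%{redirect_url}' \
    "http://$1:${CM_HTTP_PORT}/"
}

# Prints the handshake report for port 7183, validated against CA file $2
# (assumed: a PEM export of the CA certificate in the truststore).
cm_chain_output() {
  openssl s_client -connect "$1:${CM_HTTPS_PORT}" -servername "$1" \
    -verify_hostname "$1" -CAfile "$2" </dev/null 2>/dev/null
}

# usage: check_cm_tls <cm-host> <ca-pem>
check_cm_tls() {
  cm_rc=0
  is_https_redirect "$(cm_redirect_target "$1")" "$1" ||
    { echo "FAIL: $1:${CM_HTTP_PORT} does not redirect to HTTPS"; cm_rc=1; }
  cm_chain_output "$1" "$2" | verify_ok ||
    { echo "FAIL: chain on $1:${CM_HTTPS_PORT} does not validate"; cm_rc=1; }
  [ "$cm_rc" -eq 0 ] && echo "OK: $1 redirects to HTTPS and validates"
  return "$cm_rc"
}

# e.g. ./check_cm_tls.sh cm.example.com /path/to/ca-chain.pem
if [ "$#" -eq 2 ]; then check_cm_tls "$1" "$2"; fi
```

Pass the same fully qualified host name that appears in the server certificate, since both the redirect comparison and `-verify_hostname` match on it exactly.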

Level 0 comprises the preliminary tasks that will be used in subsequent levels. The tasks include: