Enable TLS/SSL Encryption for Cloudera Manager Admin Console

Required Role: Cluster Administrator or Full Administrator

These tasks require you to access the Cloudera Manager Admin Console. These steps assume you have completed Step 1 through Step 6 to Obtain and Deploy Server Certificate. After you complete the steps below, the Cloudera Manager Admin Console is accessible over the HTTPS port, and the Cloudera Management Service roles can connect to Cloudera Manager Server at startup. Some of the settings also prepare the way for subsequent TLS/SSL levels.

Step 7: Enable HTTPS for the Cloudera Manager Admin Console

This step ensures that browsers connecting to the Cloudera Manager Admin Console use the HTTPS port (7183), and it encrypts communications between the browser and the server.

  1. Log in to the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Select the Security category.
  4. Scroll through the settings to the section for TLS encryption settings and enter values for the following:
    • Use TLS Encryption for Admin Console: Check the box to enable TLS encryption for Cloudera Manager.
    • Cloudera Manager TLS/SSL Server JKS Keystore File Location: Enter the complete path to the keystore created in Step 3: Generate Server Key and CSR. Replace the example path and filename with your own settings. The example path and filename are as follows:

    /opt/cloudera/security/pki/cmsrv.example.com.jks

    • Cloudera Manager TLS/SSL Server JKS Keystore File Password: Enter the password for the keystore.
  5. Click Save Changes to save the settings.

Step 8: Specify TLS/SSL Truststore Properties for Cloudera Management Services

While still logged in to the Cloudera Manager Admin Console:

  1. Select Clusters > Cloudera Management Service.
  2. Click the Configuration tab.
  3. Select Scope > Cloudera Management Service (Service-Wide).
  4. Select Category > Security.
  5. Enter values for the following TLS/SSL properties:
    • TLS/SSL Client Truststore File Location: Enter the path to the truststore you created for this cluster in Step 2: Create the Java Truststore:

    $JAVA_HOME/jre/lib/security/jssecacerts

    If you leave this field empty, certificates are verified using the default Java truststore, cacerts.
    • TLS/SSL Client Truststore File Password: Enter the password for the truststore file. If you created jssecacerts from cacerts, the default password is changeit.
  6. Click Save Changes to save the settings.

You must restart both Cloudera Manager Server and the Cloudera Management Service for the system to implement these changes, and to enable the Cloudera Management Service roles (Host Monitor, Service Monitor, and so on) to communicate with Cloudera Manager Server.

Step 9: Restart Cloudera Manager and Services

  1. Restart the Cloudera Manager Server by running service cloudera-scm-server restart on the Cloudera Manager Server host.
  2. After the restart completes, connect to the Cloudera Manager Admin Console:
    https://cm01.example.com:7183

For server certificates signed by an internal CA, configure the browser to explicitly trust the certificate, to avoid seeing the warning prompt each time you connect to Cloudera Manager Admin Console.

From the Cloudera Manager Admin Console:

  1. Select Clusters > Cloudera Management Service.
  2. From the Cloudera Management Service Actions drop-down menu, select Restart.

At the conclusion of Level 0 tasks, the Cloudera Manager cluster is configured for encryption only, between:
  • Browsers and the Cloudera Manager Admin Console
  • Cloudera Management Service roles and Cloudera Manager Server
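
A pre-flight check for the keystore entered in Step 7 and a post-restart check for Step 9, as an added example that is not part of the Cloudera documentation. The function names, the KS_PASS environment variable and the CA file argument are assumptions; the keystore path, host name and port are the page's example values.

```shell
#!/bin/sh
# Added example: checks to run before and after the restart in Step 9.

# Step 7 pre-flight: the keystore holds the server private key, so it must be
# a non-empty regular file that is not readable by "other".
# Returns 0 = ok, 1 = missing, 2 = empty, 3 = world-readable.
keystore_file_ok() {
    ks=$1
    [ -f "$ks" ] || { echo "missing or not a regular file: $ks" >&2; return 1; }
    [ -s "$ks" ] || { echo "empty keystore: $ks" >&2; return 2; }
    if [ -n "$(find "$ks" -prune -perm -004 2>/dev/null)" ]; then
        echo "keystore is world-readable: $ks" >&2
        return 3
    fi
    return 0
}

# Confirms that the password opens the keystore and that it contains a private
# key entry. The password is read from KS_PASS (assumed name) so that it does
# not appear in the process list.
keystore_has_private_key() {
    ks=$1
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 4; }
    keytool -list -keystore "$ks" -storepass:env KS_PASS 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Step 9 post-restart: the handshake on the HTTPS port must verify against the
# CA that signed the server certificate, and the certificate must match the host.
admin_console_tls_ok() {
    host=$1; port=${2:-7183}; cafile=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_hostname "$host" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage:
#   KS_PASS=... sh check.sh pre /opt/cloudera/security/pki/cmsrv.example.com.jks
#   sh check.sh post cm01.example.com /path/to/internal-ca.pem
case ${1:-} in
    pre)  keystore_file_ok "$2" && keystore_has_private_key "$2" && echo "keystore OK" ;;
    post) admin_console_tls_ok "$2" 7183 "$3" && echo "TLS OK on $2:7183" ;;
esac
```

Run the `pre` mode before restarting Cloudera Manager Server, and the `post` mode from a host that holds the internal CA certificate.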