Manually Configuring TLS Encryption on the Agent Listening Port
The agent listening port (TCP Port 9000) of a Cloudera Manager Agent can be secured with TLS. This port is used for retrieving diagnostic and log information.
The requirements for a Cloudera Manager Agent to enable the agent listening port are
as follows:
- The following properties must be defined in the
config.ini
file of the Cloudera Manager Agent:use_tls=1
,verify_cert_file
,client_cert_file
,client_key_file
, andclient_keypw_file
. - An encryption key must be configured.
- A certificate must be configured.
The main requirement for the Cloudera Manager Server to connect with TLS to the agent listening port is as follows:
The Cloudera Manager TLS/SSL Client Trust Store File property must be
configured to specify the CA certificate using which all the agent certificates
are signed.
To verify whether the agent listening port is secured with TLS, run the
following command:
openssl s_client -connect <hostname>:9000
If the
output of this command includes a server certificate in PEM format, then the
port is secured with TLS.