Configuring TLS Encryption for Cloudera Manager Using Auto-TLS
Use Auto-TLS to simplify the process of configuring TLS encryption for Cloudera Manager.
The Auto-TLS feature automates all the steps required to enable TLS encryption at the cluster level. With Auto-TLS you can either let Cloudera Manager operate the Certificate Authority (CA) for every certificate in the cluster or use your company's existing CA. In most cases all the necessary steps can be completed from the Cloudera Manager UI. The feature automates the following processes:
- Creates the root CA, or creates a Certificate Signing Request (CSR) for an intermediate CA to be signed by the company's existing CA
- Generates the CSRs for hosts and signs them automatically
- Creates a keystore and truststore for hosts.
- Deploys the certificates, keystore and truststore to all the hosts in the cluster.
- All the cluster services are then automatically TLS enabled by configuring the keystore and truststore information from a role instance specific directory.
- Enables TLS for Cloudera Manager server and agents.
- After this initial setup, any new service, host, or additional compute cluster is TLS enabled automatically by default.
- Provides an automation framework for rotating certificates.
- Use case 1: Using Cloudera Manager to generate an internal CA and corresponding certificates
- Use case 2: Enabling Auto-TLS with an existing Root CA
- Use case 3: Enabling Auto-TLS with existing Certificates
New Cluster deployment
Summary
The Auto-TLS functionality not only speeds up the initial setup of the wire encryption but also automates future TLS configuration steps for the cluster. The following table summarizes the differences between the options described in this blog.
Steps | HDP/EDH (manual) | CDP Private Cloud use case 1 - Using Cloudera Manager to generate an internal CA and corresponding certificates | CDP Private Cloud use case 2 - Enabling Auto-TLS with an existing Root CA | CDP Private Cloud use case 3 - Enabling Auto-TLS with Existing Certificates |
---|---|---|---|---|
Generate CSR | Manual | Automated | Automated | Manual |
CSR Signed by CA | Manual | Automated | One-time | Manual |
Deploy certificate to all hosts | Manual | Automated | Automated | Automated |
Configuration for each service | Manual | Automated | Automated | Automated |
Cluster restarts | Multiple | Once | Once | Once |
Configuration steps | Manual | Automated | Automated | Automated |
New Service steps | Manual | Automated | Automated | Automated |
New Host cert. generation | Manual | Automated | Automated | Manual |
Auto-TLS Requirements and Limitations
- You must install the Cloudera Manager Agent software on the Cloudera Manager Server host.
- You can enable auto-TLS using certificates created and managed by a Cloudera Manager certificate authority (CA), or certificates signed by a trusted public CA or your own internal CA. If you want to use a trusted public CA or your own internal CA, you must obtain all of the host certificates before enabling auto-TLS. For instructions on obtaining certificates from a CA, see On Each Cluster Host.
The following services support auto-TLS:
- Atlas
- Cloudera Manager Host Monitor Debug Interface
- Cloudera Manager Service Monitor Debug Interface
- HBase
- HDFS Client Configuration
- HDFS NameNode Web UI
- Hive-on-Tez
- HiveServer2
- HttpFS
- Hue Client
- Hue Load Balancer
- Hue Server
- Impala Catalog Server
- Impala Server
- Impala StateStore
- Java Keystore Key Management Server (KMS)
- Kafka Broker Server
- Kafka Mirrormaker
- Kudu
- Livy
- Oozie
- Phoenix
- Ranger
- Safenet Luna Hardware Security Modules (HSM) KMS
- Solr
- Spark History Server
- YARN Web UI
- Zeppelin
- ZooKeeper
For unlisted services, you must enable TLS manually. See the applicable component guide for more information.
Rotating Auto-TLS Certificate Authority and Host Certificates
Your cluster security requirements may require that you rotate the auto-TLS CA and certificates.
- In Cloudera Manager, navigate to Administration > Security and click the Rotate Auto-TLS Certificates button to launch the wizard.
- Complete the wizard.
Auto-TLS Agent File Locations
The certificates, keystores, and password files generated by auto-TLS are stored in /var/lib/cloudera-scm-agent/agent-cert on each Cloudera Manager Agent host.
The filenames are as follows:
Filename | Description |
---|---|
cm-auto-global_cacerts.pem | CA certificate and other trusted certificates in PEM format |
cm-auto-global_truststore.jks | CA certificate and other trusted certificates in JKS format |
cm-auto-in_cluster_ca_cert.pem | CA certificate in PEM format |
cm-auto-in_cluster_truststore.jks | CA certificate in JKS format |
cm-auto-host_key_cert_chain.pem | Agent host certificate and private key in PEM format |
cm-auto-host_cert_chain.pem | Agent host certificate in PEM format |
cm-auto-host_key.pem | Agent host private key in PEM format |
cm-auto-host_keystore.jks | Agent host private key in JKS format |
cm-auto-host_key.pw | Agent host private key password file |
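As an added example (not Cloudera's code, and not what the Cloudera Manager agent itself runs), the shell script below reproduces with openssl the per-host steps that the process list at the top of this page automates (cluster CA creation, host key and CSR, CA signing, an encrypted key with its password file, a key store and a trust bundle), writing them under the file names from the table above into a temporary directory. It then runs the checks a practitioner wants before enabling Auto-TLS with existing certificates (use case 3) or after a certificate rotation: the host certificate chains to the global trust bundle, the encrypted key unlocks with the .pw file and matches the certificate, the SAN covers the host name, the certificate is not about to expire, and the key files are not world-readable. The host name, CA subject, output directory and validity periods are assumptions; the key store is written as PKCS#12 and converted to the JKS that Auto-TLS uses only if keytool is on the path.

```shell
#!/bin/sh
# Added example (not Cloudera's code): rebuild by hand, with openssl, the files Auto-TLS
# generates for one host (same names as in /var/lib/cloudera-scm-agent/agent-cert), then
# check them. Directory, host name, CA subject and validity periods are assumptions.
set -eu

# Generate a cluster CA, a host key and CSR, sign the CSR, and lay the files out.
make_agent_certs() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  # Root CA (what use case 1 lets Cloudera Manager create for you). Auto-TLS keeps
  # the CA key on the Cloudera Manager server, never on the agents; it is here only
  # so that the example can sign the host CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=example/CN=Auto-TLS Example Root CA" \
    -keyout "$dir/ca_key.pem" -out "$dir/cm-auto-in_cluster_ca_cert.pem" 2>/dev/null || return 1
  # Global trust bundle: the cluster CA plus any other CAs hosts should trust.
  cp "$dir/cm-auto-in_cluster_ca_cert.pem" "$dir/cm-auto-global_cacerts.pem"
  # Host key and CSR (Auto-TLS generates and signs one of these per host).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/host_key_plain.pem" -out "$dir/host.csr" 2>/dev/null || return 1
  # Sign with the CA. The SAN must carry the FQDN that clients actually connect to.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$fqdn" > "$dir/host.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/host.csr" \
    -CA "$dir/cm-auto-in_cluster_ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
    -extfile "$dir/host.ext" -out "$dir/cm-auto-host_cert_chain.pem" 2>/dev/null || return 1
  # Random key password in the .pw file; the PEM private key is encrypted with it.
  openssl rand -hex 16 > "$dir/cm-auto-host_key.pw"
  openssl rsa -in "$dir/host_key_plain.pem" -aes256 \
    -passout "file:$dir/cm-auto-host_key.pw" -out "$dir/cm-auto-host_key.pem" 2>/dev/null || return 1
  cat "$dir/cm-auto-host_key.pem" "$dir/cm-auto-host_cert_chain.pem" > "$dir/cm-auto-host_key_cert_chain.pem"
  # Key store with the host key and chain (PKCS#12; JKS conversion below if keytool exists).
  openssl pkcs12 -export -name "$fqdn" -inkey "$dir/host_key_plain.pem" \
    -in "$dir/cm-auto-host_cert_chain.pem" -certfile "$dir/cm-auto-in_cluster_ca_cert.pem" \
    -passout "file:$dir/cm-auto-host_key.pw" -out "$dir/cm-auto-host_keystore.p12" 2>/dev/null || return 1
  if command -v keytool >/dev/null 2>&1; then
    pw=$(cat "$dir/cm-auto-host_key.pw")
    keytool -importkeystore -noprompt -srckeystore "$dir/cm-auto-host_keystore.p12" \
      -srcstoretype PKCS12 -srcstorepass "$pw" -destkeystore "$dir/cm-auto-host_keystore.jks" \
      -deststoretype JKS -deststorepass "$pw" >/dev/null 2>&1
    keytool -importcert -noprompt -alias cluster-ca -file "$dir/cm-auto-in_cluster_ca_cert.pem" \
      -keystore "$dir/cm-auto-global_truststore.jks" -storepass "$pw" >/dev/null 2>&1
  fi
  rm -f "$dir/host_key_plain.pem" "$dir/host.csr" "$dir/host.ext"
  chmod 600 "$dir"/cm-auto-host_key* "$dir/ca_key.pem"
}

# Checks to run on an agent-cert directory before trusting it, or to decide whether a
# rotation is due. Returns non-zero on the first failed check.
check_agent_certs() {
  dir="$1"; fqdn="$2"; min_days="${3:-30}"
  cert="$dir/cm-auto-host_cert_chain.pem"
  # 1. The host certificate chains to a CA in the global trust bundle.
  openssl verify -CAfile "$dir/cm-auto-global_cacerts.pem" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to cm-auto-global_cacerts.pem"; return 1; }
  # 2. The encrypted key unlocks with the .pw file and matches the certificate.
  key_mod=$(openssl rsa -in "$dir/cm-auto-host_key.pem" -passin "file:$dir/cm-auto-host_key.pw" \
    -noout -modulus 2>/dev/null) || { echo "FAIL: cannot unlock key with cm-auto-host_key.pw"; return 1; }
  cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
  [ "$key_mod" = "$cert_mod" ] || { echo "FAIL: private key does not match certificate"; return 1; }
  # 3. The SAN covers the host name that services advertise.
  openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$fqdn(,|\$)" \
    || { echo "FAIL: SAN does not contain $fqdn"; return 1; }
  # 4. The certificate does not expire within min_days (otherwise rotate it).
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within $min_days days; rotate"; return 1; }
  # 5. Key material must not be world-readable.
  [ -z "$(find "$dir" -name 'cm-auto-host_key*' -perm -o=r)" ] \
    || { echo "FAIL: world-readable key material in $dir"; return 1; }
  echo "OK: $fqdn files in $dir pass all checks"
}

# Stand-alone run: build and check one sample host's files in a temporary directory.
DEMO_DIR=$(mktemp -d)
make_agent_certs "$DEMO_DIR" "worker1.example.internal"
check_agent_certs "$DEMO_DIR" "worker1.example.internal"
ls -l "$DEMO_DIR"
```

Run it against a real agent directory with `check_agent_certs /var/lib/cloudera-scm-agent/agent-cert "$(hostname -f)"` (as root, since the key files are mode 600); lowering the third argument from the default 30 days changes how early the expiry check reports that a rotation is due.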