Use case 1: Use Cloudera Manager to generate internal CA and corresponding certificates

Use Cloudera Manager to create and manage its own Certificate Authority.

  1. To choose this option, from Cloudera Manager go to Administration > Security > (Status tab) > Enable Auto-TLS. The Enable Auto-TLS page comes up.
  2. In the Trusted CA Certificates Location field in the Generate CA section, enter the path to a PEM file on the Cloudera Manager host which contains a list of root CA certificates that should be imported into the truststores of all hosts. This is an optional field.
  3. From the Enable TLS for: options, select All existing and future clusters to enable Auto-TLS for all existing and future clusters, or select Future clusters only to enable Auto-TLS for future clusters only.
  4. Select the required SSH Username option. The available options are root and Another user.
  5. Select the required Authentication Method. You can either enable all hosts to accept the same password or you can enable all hosts to accept the same private key.
  6. Enter the password in the Password field and verify the SSH Port number.
  7. Click Next.
You are prompted to start Cloudera Manager, followed by Cloudera management services and any impacted clusters. When you start the Cloudera Manager server, you should see the UI at the TLS port 7183 by default. The browser displays a self-signed certificate from the SCM Local CA authority, as shown below. The browser displays a warning because it is not aware of the Root CA generated by Cloudera Manager. When the Root CA is imported into the client browser’s truststore, this warning is not displayed by the browser.
When you set up the cluster, you should see a message stating that Auto-TLS is already enabled. Continue to install the required services. The whole cluster is TLS encrypted. Any new hosts or services are automatically configured. Here is an example of HDFS service with TLS encryption enabled by default (after trusting the root certificate generated by Cloudera Manager).
While this option is the simplest, it may not be suitable for some enterprise deployments where TLS certificates are issued by the company’s existing Certificate Authority (CA) to maintain a centralized chain of trust.

Rotate Auto-TLS Certificate Authority and Host Certificates

Your cluster security requirements may require that you rotate the Auto-TLS CA and certificates.
  1. Navigate to Administration > Security.
  2. Click the Rotate Auto-TLS Certificates button to launch the wizard.
  3. Complete the wizard.