Configuring TLS/SSL for Apache Atlas

How to configure TLS/SSL for Apache Atlas if you don't choose to use Cloudera Manager's Auto-TLS.

Typically you would configure TLS for Atlas by using Cloudera Manager's Auto-TLS option. If you need to change these settings or want to understand more about the values set by Cloudera Manager, follow these steps.

In Cloudera Manager, select the Atlas service, then click the Configuration tab.
Under Category, select Security.

Set or update the following properties.

Table 1. Apache Atlas TLS/SSL Settings
Grouping	Configuration Property	Description
Turn on TLS	Enable TLS/SSL for Atlas Server `atlas.enableTLS`	Select this check box to encrypt Atlas server communication using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). This option enables TLS for communication between clients and Atlas Server, between the Atlas Server as a client and services it depends on, such as HBase, and between the Atlas Gateway server and Kafka messaging topics. note You must set the value of `atlas.ssl.exclude.protocols` configuration as `TLSv1,TLSv1.1`
Private Key Management	Atlas Server TLS/SSL Server JKS Keystore File Location `keystore.file`	The path to the TLS/SSL keystore file containing the server certificate and private key Atlas uses to prove its own identity when it receives communication from other applications using the public key identified in Atlas Server TLS/SSL Client Trust Store File. The keystore must be in JKS format.
	Atlas Server TLS/SSL Server JKS Keystore File Password `keystore.password`	The password that allows access to the Atlas Server JKS keystore file.
	Atlas Server TLS/SSL Server JKS Keystore File Password `password`	(Optional) The password that protects the Atlas Server private key contained in the JKS keystore.
Public Key Management	Atlas Server TLS/SSL Client Trust Store File `truststore.file`	The path to a TLS/SSL public key trust store file, in `.jks` format, that contains Atlas server public key. This trust store must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of well-known certificate authorities is used instead.
	Atlas Server TLS/SSL Client Trust Store Password `truststore.password`	(Optional) The password for the Atlas Server TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
	Gateway TLS/SSL Client Trust Store File `atlas.kafka.ssl.truststore.location`	The path to the trust store file, in `.jks` format, used to confirm the authenticity of TLS/SSL servers that the Atlas Gateway might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. Typically, this file is the same file listed in the `truststore.file`.
	Gateway TLS/SSL Client Trust Store Password `atlas.kafka.ssl.truststore.password`	The password for the Gateway TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.

Click Save Changes.
Restart the Atlas service.