Configuring TLS encryption manually for Apache Atlas

Configuring Apache Atlas Transport Layer Security (TLS) involves both one-way (server authentication) and two-way (server and client authentication).

  1. Create a keystore file:
    cd /usr/jdk64/jdk1.8.0_112/bin/
    keytool -genkey -alias serverkey -keypass <keypass> -keyalg RSA 
    -sigalg SHA1withRSA -keystore atlas.keystore -storepass <keypass> 
    -validity 3650 -dname "CN=Nicola Marangoni, OU=PS, O=Hortonworks, 
    L=Munich, ST=BY, C=DE"
  2. Select Atlas > Configs > Advanced, and select Advanced application-properties and set the following properties:
    Property Value Description
    atlas.enableTLS true Enable or disable TLS listener. Set this value to true to enable TLS (default value is false).

    Add the following properties by selecting Custom application-properties > Add Property.

    Property Value Description
    keystore.file /home/atlas/atlas.keystore The path to the keystore file leveraged by the server. This file contains the server certificate.
    truststore.file /home/atlas/atlas.keystore The path to the truststore file. This file contains the certificates of other trusted entities (for example, the certificates for client processes if two-way TLS is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way TLS is enabled).
    atlas.ssl.exclude.cipher.suites .*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.* The excluded Cipher Suites list - .*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are excluded by default. If additional Ciphers need to be excluded, set this property with the default Cipher Suites such as .*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*, and add the additional Cipher Suites to the list with a comma separator. They can be added with their full name or a regular expression. The Cipher Suites listed in the atlas.ssl.exclude.cipher.suites property take precedence over the default Cipher Suites. You should retain the default Cipher Suites, and add additional ones to increase security.

    The default HTTP port is 31000 and the default HTTPS port is 31443. These values can be overridden using the atlas.server.http.port and atlas.server.https.port properties, respectively.

  3. Select Actions > Restart on the Cloudera Manager instance to restart all services.

    If you disable Atlas TLS, you must clear your browser cookies to log in to the Atlas UI using HTTP request headers.