Configuring a Secure Credential Storage Provider for Cloudera Manager (Technical Preview)

Steps to configure Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).

Minimum Required Role: Full Administrator. This feature is not available when using Cloudera Manager to manage Data Hub clusters.

IMPORTANT – You must complete all of the steps below, including uploading the certificates, before the final step to restart the Cloudera Manager server. Failure to do so will mean that you will not be able to restart the Cloudera Manager server.
  1. If you are using the Vault, install and configure the Vault on a host with network connectivity to the Cloudera Manager server:
    1. Install and configure the Vault from Hashicorp.
    2. Configure TLS.
    3. Enable the Vault secrets engine at a path that will be dedicated to Cloudera Manager’s use. Any Vault secrets engine is supported. See for more information. For example, the following enables a kv type secrets engine at path cm-secrets/:
      vault cm-secrets enable -path=secret kv
    4. A certificate authentication method must be configured at the path certs/cert1. This is how Cloudera Manager will authenticate with Vault. The method must have a policy that allows Create/Update/List/Read/Delete at the applicable secrets path. See for more information on certificate authentication and for more information on vault policies.
      Example setup:
      vault auth enable cert 1
      vault write auth/cert/certs/cert1 display_name=example policies=example-policy certificate=@your-ca-cert.pem 
      Example policy:
      path "cm-secrets/*" 
       capabilities = ["create", "read", "update", "list", "delete"] 
    5. The Vault must be unsealed by the user whenever Cloudera Manager is running. See for instructions on unsealing Vault.
  2. Configure the Secure Credential Store in Cloudera Manager:
    1. Open the Cloudera Manager Admin Console.
    2. Go to Administration > Settings and select the Security category.
    3. Select the Credential Storage Provider Type. Choose one of the following:
      • None – Sensitive information is not encrypted in the Cloudera Manager database.
      • Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends Vault from Hashicorp.
      • Embedded – The credentials are stored on disk, on the Cloudera Manager server host that is protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.
  3. If you selected Vault, configure the following parameters:
    • Credential Storage Provider Address – enter the URL of the host where the Vault is installed.
    • Secrets Store Path – the path, on the host where the Vault is installed where credentials are written. The directory specified here must not be used for anything else.
    • Credential Storage Provider Storage Path – the location on the Cloudera Manager server host where certificates for the Vault are stored. You can keep the default location of /opt/cloudera/csp-data or change it if needed.
  4. Upload the following certificates, by copying them to the Cloudera Manager server host to the directory specified with the Credential Storage Provider Storage Path parameter, using the exact file name shown below, or you can use the Cloudera Manager API to upload the certificates using the CspResource endpoint. (You can use the Cloudera Manager API Explorer to do this. Go to Support > API Explorer .
    Certificate File name on the Cloudera Manager Host
    Certificate authority csp-ca.pem
    Client certificate csp-client.pem
    Client key csp-client.key
  5. Restart the Cloudera Manager Server:
    sudo service cloudera-scm-server restart
Sensitive information is now encrypted in the Cloudera Manager database.