You can use Cloudera Manager to configure TLS/SSL encryption for all the Ozone role
instances such as Ozone Manager, Storage Container Manager, DataNode, S3 Gateway and Recon.
Cloudera recommends that you configure TLS/SSL for all the Ozone role instances to avoid
errors when one role instance tries to connect with another.
You must ensure that your Ozone deployment meets the
following requirements:
The keystores containing certificates that are bound to the proper domain names
are accessible on all the hosts on which at least one Ozone role instance is
running.
The hdfs user has read permissions to the keystore files for
Ozone.
You must specify absolute paths to the keystore file. These settings apply to
all hosts on which the various Ozone role instances run. Therefore, the paths
that you specify must be valid on all the hosts. In addition, the keystore file
names for Ozone must be the same on all hosts.
Consider an example
where you have separate certificates for the Ozone role instances on hosts
node1.example.com and
node2.example.com, and you have chosen to store the
certificates in files with names ozone-node1.jks and
ozone-node2.jks respectively. When deploying these
keystores, you must provide them both with the same name on the target host,
for example, ozone.jks.
In Cloudera Manager, go to Ozone > Configuration.
Search for tls/ssl.
Enter the TLS/SSL properties for the various Ozone roles.
Provide the values for the properties corresponding to the following fields on
the Ozone configuration page:
Enable TLS/SSL for Ozone Manager
Ozone Manager TLS/SSL Server JKS Keystore File
Location
Ozone Manager TLS/SSL Server JKS Keystore File
Password
Ozone Manager TLS/SSL Server JKS Keystore Key Password
Enable TLS/SSL for Storage Container Manager
Storage Container Manager TLS/SSL Server JKS Keystore File
Location
Storage Container Manager TLS/SSL Server JKS Keystore File
Password
Storage Container Manager TLS/SSL Server JKS Keystore Key
Password
Enable TLS/SSL for Ozone DataNode
Ozone DataNode TLS/SSL Server JKS Keystore File
Location
Ozone DataNode TLS/SSL Server JKS Keystore File Password
Ozone DataNode TLS/SSL Server JKS Keystore Key
Password
Enable TLS/SSL for Ozone Recon
Ozone Recon TLS/SSL Server JKS Keystore File
Location
Ozone Recon TLS/SSL Server JKS Keystore File
Password
Ozone Recon TLS/SSL Server JKS Keystore Key
Password
Enable TLS/SSL for S3 Gateway
S3 Gateway TLS/SSL Server JKS Keystore File
Location
S3 Gateway TLS/SSL Server JKS Keystore File
Password
S3 Gateway TLS/SSL Server JKS Keystore Key
Password