Considerations for enabling SCM HA security

There are certain factors that you must consider when enabling security for Storage Container Managers (SCMs) in High Availability (HA).

Ensure that you have enabled SCM HA by taking the required factors into consideration.
To configure SCM HA security, ensure that the ozone.scm.ratis.enable property is set to true.
To enable gRPC TLS for the interactions among different elements of the Ozone cluster, such as among the Ozone Manager (OM) nodes or the SCM nodes, set the following property to true: hdds.grpc.tls.enabled.
note
- gRPC TLS configuration for Ozone is supported only on new CDP 7.1.7 clusters and not on clusters upgraded from CDP 7.1.6 to CDP 7.1.7. If you want to enable gRPC TLS on the upgraded CDP 7.1.7 clusters, you must contact Cloudera Support for more information.

important

If you are using Runtime 7.1.8 CHF 2 and lower, by default, Ozone’s internal certificates expire after one year and CA certificates expire after five years. When the certificates expire, you must manually renew and revoke them by performing the following steps:

When the Ozone internal SSL certificates expire, you must remove the existing key material and certificates from the services metadata directory and allow the system to regenerate the certificates at startup. To renew the internal certificates, see Procedure to force renew internal certificates.
To revoke a certificate, you must remove the full trust chain to stop trusting a compromised certificate. For this, remove the SCM certificates or any other certificates from the system. During the system startup, new certificates are created and distributed. To revoke a certificate, see Certificate revocation.