Manually Configuring TLS Encryption for Cloudera Manager
How to manually enable TLS encryption and certificate authentication for Cloudera Manager.
When you configure authentication and authorization on a cluster, Cloudera Manager Server sends sensitive information over the network to cluster hosts, such as Kerberos keytabs and configuration files that contain passwords. To secure this transfer, you must configure TLS encryption between Cloudera Manager Server and all cluster hosts.
TLS encryption is also used to secure client connections to the Cloudera Manager Admin Interface, using HTTPS.
Cloudera Manager also supports TLS authentication. Without certificate authentication, a malicious user can add a host to Cloudera Manager by installing the Cloudera Manager Agent software and configuring it to communicate with Cloudera Manager Server. To prevent this, you must install certificates on each agent host and configure Cloudera Manager Server to trust those certificates.
This guide shows how to configure and enable TLS encryption and certificate authentication for Cloudera Manager. The provided examples use an internal certificate authority (CA) to sign all TLS certificates, so this guide also shows you how to establish trust with the CA. (For certificates signed by a trusted public CA, establishing trust is not necessary, because the Java Development Kit (JDK) already trusts them.)
Generate TLS Certificates
The following procedure assumes that an internal certificate authority (CA) is used, and shows how to establish trust for that internal CA. If you are using a trusted public CA (such as Symantec, GeoTrust, Comodo, and others), you do not need to explicitly establish trust for the issued certificates, unless you are using an older JDK and a newer public CA. Older JDKs might not trust newer public CAs by default.
On Each Cluster Host:
Complete the following steps on each cluster host, including the Cloudera Manager Server host.
On the Cloudera Manager Server Host
sudo ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks
Configure TLS for the Cloudera Manager Admin Console
Minimum Required Role: Cluster Administrator (also provided by Full Administrator). This feature is not available when using Cloudera Manager to manage Data Hub clusters.
Use the following procedure to enable TLS encryption for the Cloudera Manager Server admin interface. Make sure you have generated the host certificate as described in Manually Configuring TLS Encryption for Cloudera Manager > On Each Cluster Host.
Step 1: Enable HTTPS for the Cloudera Manager Admin Console
Step 2: Specify SSL Truststore Properties for Cloudera Management Services
When enabling TLS for the Cloudera Manager Server admin interface, you must set the Java truststore location and password in the Cloudera Management Services configuration. Otherwise, roles such as Host Monitor and Service Monitor cannot connect to Cloudera Manager Server and will not start.
Configure the path and password for the $JAVA_HOME/jre/lib/security/jssecacerts truststore that you created earlier. Make sure that you have created this file on all hosts, including the Cloudera Management Service hosts, as instructed in Manually Configuring TLS Encryption for Cloudera Manager > On Each Cluster Host.
Step 3: Restart Cloudera Manager and Services
You must restart both Cloudera Manager Server and the Cloudera Management Service for TLS encryption to work. Otherwise, the Cloudera Management Services (such as Host Monitor and Service Monitor) cannot communicate with Cloudera Manager Server.
Configure TLS for Cloudera Manager Agents
Minimum Required Role: Cluster Administrator (also provided by Full Administrator). This feature is not available when using Cloudera Manager to manage Data Hub clusters.
Use the following procedure to encrypt the communication between Cloudera Manager Server and Cloudera Manager Agents:
Step 1: Enable TLS Encryption for Agents in Cloudera Manager
Configure the TLS properties for Cloudera Manager Agents.
- Log in to the Cloudera Manager Admin Console.
- Select .
- Select the Security category.
- Select the Use TLS Encryption for Agents option.
- Enter a Reason for Change, then click Save Changes to save the settings.
Step 2: Enable TLS on Cloudera Manager Agent Hosts
To enable TLS between the Cloudera Manager agents and Cloudera Manager, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all agent hosts.
On each agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and set the use_tls parameter in the [Security] section as follows:
use_tls=1
Alternatively, you can edit the config.ini file on one host and then copy it to the other hosts, because by default this file does not contain host-specific information. If you have modified properties such as listening_hostname or listening_ip in config.ini, you must edit the file individually on each host.
Step 3: Restart Cloudera Manager Server and Agents
Step 4: Verify that the Cloudera Manager Server and Agents are Communicating
In the Cloudera Manager Admin Console, check the Last Heartbeat column after restarting the agents. If you see successful heartbeats reported there, TLS encryption is working properly.
Enable Server Certificate Verification on Cloudera Manager Agents
Minimum Required Role: Cluster Administrator (also provided by Full Administrator). This feature is not available when using Cloudera Manager to manage Data Hub clusters.
If you have completed the previous sections, communication between Cloudera Manager server and the agents is encrypted, but the certificate authenticity is not verified. For full security, you must configure the agents to verify the Cloudera Manager server certificate. If you are using a server certificate signed by an internal certificate authority (CA), you must configure the agents to trust that CA:
Configure Agent Certificate Authentication
Step 1: Export the Private Key to a File
On each Cloudera Manager Agent host, use the keytool utility to export the private key and certificate to a PKCS12 file, which can then be split up into individual key and certificate files using the openssl command:
Step 2: Create a Password File
The Cloudera Manager agent obtains the password from a text file, not from a command line parameter or environment variable. The password file allows you to use file permissions to protect the password. For example, run the following commands on each Cloudera Manager Agent host, or run them on one host and copy the file to the other hosts:
Create and secure the file containing the password used to protect the private key of the Agent:
Step 3: Configure the Agent to Use Private Keys and Certificates
In the /etc/cloudera-scm-agent/config.ini configuration file, uncomment and edit the following properties:
Property | Example Value | Description |
---|---|---|
client_key_file | /opt/cloudera/security/pki/agent.key | Path to the private key file. |
client_keypw_file | /etc/cloudera-scm-agent/agentkey.pw | Path to the private key password file. |
client_cert_file | /opt/cloudera/security/pki/agent.pem | Path to the client certificate file. |
Copy the file to all other cluster hosts. If you have modified properties such as listening_hostname or listening_ip in config.ini, you must edit the file individually on each host.
Step 4: Enable Agent Certificate Authentication
Step 5: Restart Cloudera Manager Server and Agents
Step 6: Verify that Cloudera Manager Server and Agents are Communicating
In the Cloudera Manager Admin Console, check the Last Heartbeat column after restarting the agents and server. If you see successful heartbeats reported there, TLS certificate authentication is working properly. If not, check the agent log (/var/log/cloudera-scm-agent/cloudera-scm-agent.log) for errors.
For example, you might see the following error:
WrongHost: Peer certificate commonName does not match host, expected 192.0.2.155, got cdh-1.example.com
[02/May/2018 15:04:15 +0000] 4655 MainThread agent ERROR Heartbeating to 192.0.2.155:7182 failed
For this scenario, make sure that your DNS and /etc/hosts file are configured correctly, and that the server_host parameter in /etc/cloudera-scm-agent/config.ini uses the Cloudera Manager Server hostname, not its IP address.
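As an added example that is not part of the Cloudera documentation, the following Python script checks an agent config.ini for the settings this page covers: use_tls and the client_* properties from Step 3, the owner-only permissions the password file from Step 2 should carry, and a server_host set to an IP address instead of the server hostname, which is the cause of the WrongHost error shown above. It assumes that server_host lives in a [General] section; the sample hostnames and paths are constructed.

```python
"""Sanity checks for the TLS settings in a Cloudera Manager Agent config.ini.
Added example, not from the Cloudera documentation. Assumes server_host lives
in a [General] section and that the key password file should be owner-only."""
import configparser
import ipaddress
import stat

# Constructed sample with the settings the procedure asks for.
GOOD_CONFIG = """\
[General]
server_host=cm-server.example.com
[Security]
use_tls=1
client_key_file=/opt/cloudera/security/pki/agent.key
client_keypw_file=/etc/cloudera-scm-agent/agentkey.pw
client_cert_file=/opt/cloudera/security/pki/agent.pem
"""

def is_ip_literal(value):
    """An IP in server_host breaks hostname verification (the WrongHost error)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_agent_config(text):
    """Return findings for config.ini text; an empty list means the TLS settings look right."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    sec = cfg["Security"] if cfg.has_section("Security") else {}
    findings = []
    if sec.get("use_tls") != "1":
        findings.append("use_tls is not 1: agent heartbeats are sent unencrypted")
    for key in ("client_key_file", "client_keypw_file", "client_cert_file"):
        if not sec.get(key):
            findings.append(f"{key} is not set: agent certificate authentication is off")
    host = cfg.get("General", "server_host", fallback="")
    if is_ip_literal(host):
        findings.append(f"server_host={host} is an IP; use the Cloudera Manager Server hostname")
    return findings

def check_password_file_mode(mode):
    """Flag a key password file that group/other users can read; mode is from os.stat."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"password file is group/world accessible (mode {mode:o})"]
    return []
```

Run check_agent_config on the contents of /etc/cloudera-scm-agent/config.ini and check_password_file_mode on stat.S_IMODE(os.stat(path).st_mode) of the agentkey.pw file; any non-empty result is a setting this procedure expects you to fix.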