Configuring TLS/SSL for Apache Atlas

How to configure TLS/SSL for Apache Atlas if you don't choose to use Cloudera Manager's Auto-TLS.

Typically you would configure TLS for Atlas by using Cloudera Manager's Auto-TLS option. If you need to change these settings or want to understand more about the values set by Cloudera Manager, follow these steps.
  1. In Cloudera Manager, select the Atlas service, then click the Configuration tab.
  2. Under Category, select Security.
  3. Set or update the following properties.
    Table 1. Apache Atlas TLS/SSL Settings
    Grouping Configuration Property Description
    Turn on TLS

    Enable TLS/SSL for Atlas Server

    atlas.enableTLS

    Select this check box to encrypt Atlas server communication using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). This option enables TLS for communication between clients and Atlas Server, between the Atlas Server as a client and services it depends on, such as HBase, and between the Atlas Gateway server and Kafka messaging topics.
    Private Key Management Atlas Server TLS/SSL Server JKS Keystore File Location

    keystore.file

    The path to the TLS/SSL keystore file containing the server certificate and private key Atlas uses to prove its own identity when it receives communication from other applications using the public key identified in Atlas Server TLS/SSL Client Trust Store File. The keystore must be in JKS format.
    Atlas Server TLS/SSL Server JKS Keystore File Password

    keystore.password

    The password that allows access to the Atlas Server JKS keystore file.
    Atlas Server TLS/SSL Server JKS Keystore File Password

    password

    The password that protects the Atlas Server private key contained in the JKS keystore.
    Public Key Management Atlas Server TLS/SSL Client Trust Store File

    truststore.file

    The path to a TLS/SSL public key trust store file, in .jks format, that contains Atlas server public key. This trust store must contain the certificate(s) used to sign the connected service(s). If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    Atlas Server TLS/SSL Client Trust Store Password

    truststore.password

    (Optional) The password for the Atlas Server TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
    Gateway TLS/SSL Client Trust Store File

    atlas.kafka.ssl.truststore.location

    The path to the trust store file, in .jks format, used to confirm the authenticity of TLS/SSL servers that the Atlas Gateway might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.

    Typically, this file is the same file listed in the truststore.file.

    Gateway TLS/SSL Client Trust Store Password

    atlas.kafka.ssl.truststore.password

    The password for the Gateway TLS/SSL Certificate trust store file. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
  4. Click Save Changes.
  5. Restart the Atlas service.