Configuring a Secure Credential Storage Provider for Cloudera Manager

Steps to configure Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).

Minimum Required Role: Full Administrator. This feature is not available when using Cloudera Manager to manage Data Hub clusters.

  1. If you are using Vault, install and configure it on a host with network connectivity to the Cloudera Manager server:
    1. Install and configure Vault from HashiCorp.
    2. Configure TLS.
    3. Enable the Vault secrets engine at a path that will be dedicated to Cloudera Manager’s use. Any Vault secrets engine is supported. See https://www.vaultproject.io/docs/secrets for more information. For example, the following enables a kv type secrets engine at path cm-secrets/:
      vault secrets enable -path=cm-secrets kv
    4. A certificate authentication method must be configured at the path certs/cert1. This is how Cloudera Manager authenticates with Vault. The method must have a policy that allows Create/Update/List/Read/Delete at the applicable secrets path. See https://www.vaultproject.io/docs/auth/cert for more information on certificate authentication and https://www.vaultproject.io/docs/concepts/policies for more information on Vault policies.
      Example setup:
      vault auth enable cert
      vault write auth/cert/certs/cert1 display_name=example policies=example-policy certificate=@your-ca-cert.pem
      Example policy:
      path "cm-secrets/*" {
        capabilities = ["create", "read", "update", "list", "delete"]
      }
    5. Vault must be unsealed by the user whenever Cloudera Manager is running. See https://www.vaultproject.io/docs/concepts/seal for instructions on unsealing Vault.
  2. Configure the Secure Credential Store in Cloudera Manager:
    1. Open the Cloudera Manager Admin Console.
    2. Go to Administration and select the Security category.
    3. Select Enable Credential Storage to enable CSP. Under Credential Storage Provider Type, choose one of the following:
      • Embedded – The credentials are stored on disk on the Cloudera Manager server host, protected only by file permissions. This type is less secure than using Vault, but is easier to set up and manage.
      • Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends using Vault from HashiCorp.
      If you select Embedded as Credential Storage Provider Type, you may configure the following parameter if necessary:
      • Storage Path – The path of the file in which the encryption key is stored.
      If you select Vault as Credential Storage Provider Type, configure the following parameters:
      • Vault Address – The URL of the host where Vault is installed.
      • Secret Store Path – The path in Vault where the credentials are stored. This path cannot be used for any other purpose.
    4. Click Save Changes.
  3. Upload the following certificates by copying them to the default directory /opt/cloudera/csp-data on the Cloudera Manager server host, using the exact file names shown below. Alternatively, upload the certificates through the Cloudera Manager API using the CspResource endpoint; the Cloudera Manager API Explorer can be used for this (go to Support > API Explorer).
    Certificate              File name on the Cloudera Manager Host
    Certificate authority    csp-ca.pem
    Client certificate       csp-client.pem
    Client key               csp-client.key
Sensitive information is now encrypted in the Cloudera Manager database.
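The Vault-side preparation in step 1 (dedicated kv path, certificate auth role, and its policy) and the certificate upload in step 3 are easy to get subtly wrong: a policy bound to the wrong path, or a client key left world-readable on the Cloudera Manager host. The following shell script is an added example, not Cloudera's or HashiCorp's code. It assumes the vault CLI is installed and VAULT_ADDR/VAULT_TOKEN point at an unsealed Vault with permission to enable engines and write policies; the path cm-secrets, the policy name example-policy, the role certs/cert1 and the file names in /opt/cloudera/csp-data come from the page, while the display name cloudera-manager and the CA certificate path are placeholders.

```shell
#!/bin/sh
# Added example (not Cloudera's or HashiCorp's code): prepares Vault for
# Cloudera Manager's CSP and checks the certificate directory on the CM host.

# Render the policy from the page (all five capabilities on the dedicated
# secrets path) into the file given as $2. Nothing else is granted.
write_cm_vault_policy() {
  secrets_path="$1"   # e.g. cm-secrets
  out="$2"
  printf 'path "%s/*" {\n  capabilities = ["create", "read", "update", "list", "delete"]\n}\n' \
    "$secrets_path" > "$out"
}

# Step 1 of the page as one procedure: enable the kv engine at the dedicated
# path, load the policy, enable the cert auth method and bind the CA that
# signed the CM client certificate to the role certs/cert1.
# Requires a reachable, unsealed Vault; not executed by this file on its own.
setup_vault_for_cm() {
  secrets_path="$1"; policy_name="$2"; ca_cert="$3"
  policy_file="$(mktemp)"
  write_cm_vault_policy "$secrets_path" "$policy_file"
  vault secrets enable -path="$secrets_path" kv
  vault policy write "$policy_name" "$policy_file"
  vault auth enable cert
  vault write auth/cert/certs/cert1 display_name=cloudera-manager \
    policies="$policy_name" certificate=@"$ca_cert"
  rm -f "$policy_file"
}

# Step 3 check: the three files must exist under their exact names and look
# like PEM, and the private key must not be readable by group or others.
# Returns 0 when every check passes, 1 otherwise (reasons go to stderr).
check_csp_certs() {
  dir="$1"
  status=0
  for f in csp-ca.pem csp-client.pem csp-client.key; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f" >&2
      status=1
      continue
    fi
    if ! grep -q -e '-----BEGIN' "$dir/$f"; then
      echo "not PEM: $dir/$f" >&2
      status=1
    fi
  done
  key="$dir/csp-client.key"
  if [ -f "$key" ]; then
    # characters 5-10 of `ls -l` are the group and other permission bits;
    # any r/w/x there means the key is exposed beyond its owner
    others="$(ls -l "$key" | cut -c5-10)"
    case "$others" in
      *[rwx]*) echo "key readable by group/others ($others): $key" >&2; status=1 ;;
    esac
  fi
  return "$status"
}

# Usage (on a host with the vault CLI configured, then on the CM server host):
#   setup_vault_for_cm cm-secrets example-policy /path/to/your-ca-cert.pem
#   check_csp_certs /opt/cloudera/csp-data
```

Run the setup function once against Vault, then the check function on the Cloudera Manager host after copying the files; a non-zero exit from check_csp_certs means Cloudera Manager will either fail to authenticate or be using a key that other local users can read.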