Before CDP 7.1.9, Ozone's internal certificates expired after one year and CA certificates expired after five years. When these certificates expire, you must renew or revoke them manually by performing the following steps:
- When the Ozone internal SSL certificates expire, you must remove the existing key material and certificates from the metadata directory of the services and allow the system to regenerate the certificates at startup. To renew the internal certificates, see Procedure to force renew internal certificates. Since CDP 7.1.9, general service certificates are renewed automatically, without a restart and without any service disruption. For more information, see Release Notes.
- CA certificates expire after 5 years. Cloudera is working on automatic renewal of CA certificates within the system without any disruption, similar to the regular certificates. If CA certificates expire, you must follow the same procedure that is required for certificate revocation.
To revoke a certificate, you must remove the full trust chain so that a compromised certificate is no longer trusted. To do this, remove the SCM certificates and any other certificates from the system. During system startup, new certificates are created and distributed. To revoke a certificate, see Certificate revocation.