Auto-TLS Requirements and Limitations

Reference information for Auto-TLS requirements, limitations, and component support.


  • You must install the Cloudera Manager Agent software on the Cloudera Manager Server host.
  • You can enable Auto-TLS using certificates created and managed by a Cloudera Manager certificate authority (CA), or using certificates signed by a trusted public CA or your own internal CA. If you want to use a trusted public CA or your own internal CA, you must obtain all of the host certificates before enabling Auto-TLS. For instructions on obtaining certificates from a CA, see Manually Configuring TLS Encryption for Cloudera Manager > On Each Cluster Host.

Component support for Auto-TLS

The following CDP services support Auto-TLS:
  • Atlas
  • Cloudera Manager Host Monitor Debug Interface
  • Cloudera Manager Service Monitor Debug Interface
  • Cruise Control
  • HBase
  • HDFS Client Configuration
  • HDFS NameNode Web UI
  • Hive-on-Tez
  • HiveServer2
  • HttpFS
  • Hue Client
  • Hue Load Balancer
  • Hue Server
  • Impala Catalog Server
  • Impala Server
  • Impala StateStore
  • Java Keystore Key Management Server (KMS)
  • Kafka Broker Server
  • Kafka MirrorMaker
  • Knox
  • Kudu
  • Livy
  • Oozie
  • Ozone
  • Phoenix
  • Ranger
  • SafeNet Luna Hardware Security Modules (HSM) KMS
  • Schema Registry
  • Solr
  • Spark History Server
  • Streams Messaging Manager
  • Streams Replication Manager
  • YARN Web UI
  • Zeppelin
  • ZooKeeper

For unlisted CDP services, you must enable TLS manually. See the applicable component guide for more information.


  • You cannot change the hostnames of cluster nodes in an Auto-TLS setup.