Configuring TLS/SSL encryption manually for Ozone

You can use Cloudera Manager to configure TLS/SSL encryption for all the Ozone role instances such as Ozone Manager, Storage Container Manager, DataNode, S3 Gateway and Recon. Cloudera recommends that you configure TLS/SSL for all the Ozone role instances to avoid errors when one role instance tries to connect with another.

You must ensure that your Ozone deployment meets the following requirements:

The keystores containing certificates that are bound to the proper domain names are accessible on all the hosts on which at least one Ozone role instance is running.
The hdfs user has read permissions to the keystore files for Ozone.
You must specify absolute paths to the keystore file. These settings apply to all hosts on which the various Ozone role instances run. Therefore, the paths that you specify must be valid on all the hosts. In addition, the keystore file names for Ozone must be the same on all hosts.
Consider an example where you have separate certificates for the Ozone role instances on hosts node1.example.com and node2.example.com, and you have chosen to store the certificates in files with names ozone-node1.jks and ozone-node2.jks respectively. When deploying these keystores, you must provide them both with the same name on the target host, for example, ozone.jks.

Log in to Cloudera Manager.
Navigate to Clusters.
Select the Ozone service.
Click Configurations.
Search for tls/ssl.
Enter the TLS/SSL properties for the various Ozone roles.
Provide the values for the properties corresponding to the following fields on the Ozone configuration page:
- Enable TLS/SSL for Ozone Manager
- Ozone Manager TLS/SSL Server JKS Keystore File Location
- Ozone Manager TLS/SSL Server JKS Keystore File Password
- Ozone Manager TLS/SSL Server JKS Keystore Key Password
- Enable TLS/SSL for Storage Container Manager
- Storage Container Manager TLS/SSL Server JKS Keystore File Location
- Storage Container Manager TLS/SSL Server JKS Keystore File Password
- Storage Container Manager TLS/SSL Server JKS Keystore Key Password
- Enable TLS/SSL for Ozone DataNode
- Ozone DataNode TLS/SSL Server JKS Keystore File Location
- Ozone DataNode TLS/SSL Server JKS Keystore File Password
- Ozone DataNode TLS/SSL Server JKS Keystore Key Password
- Enable TLS/SSL for Ozone Recon
- Ozone Recon TLS/SSL Server JKS Keystore File Location
- Ozone Recon TLS/SSL Server JKS Keystore File Password
- Ozone Recon TLS/SSL Server JKS Keystore Key Password
- Enable TLS/SSL for S3 Gateway
- S3 Gateway TLS/SSL Server JKS Keystore File Location
- S3 Gateway TLS/SSL Server JKS Keystore File Password
- S3 Gateway TLS/SSL Server JKS Keystore Key Password
- CA File Path
  note
  Ensure that you configure the ozone.prometheus.ca.file property when configuring TLS/SSL encryption for Ozone. If the location of the root CA certificate is not specified, the location of the auto-TLS CA certificate is considered as the default value for this property.
Click Save Changes and restart the Ozone service.