Auto-TLS Requirements and Limitations
Reference information for Auto-TLS requirements, limitations, and component support.
Requirements
- You must install the Cloudera Manager Agent software on the Cloudera Manager Server host.
- You can enable auto-TLS using certificates created and managed by a Cloudera
Manager certificate authority (CA), or certificates signed by a trusted
public CA or your own internal CA. If you want to use a trusted public CA or
your own internal CA, you must obtain all of the host certificates before
enabling auto-TLS.
For instructions on obtaining certificates from a CA, see
Manually Configuring TLS Encryption for Cloudera Manager
>On Each Cluster Host
.
Component support for Auto-TLS
The following CDP services support auto-TLS:
- Atlas
- Cloudera Manager Host Monitor Debug Interface
- Cloudera Manager Service Monitor Debug Interface
- Cruise Control
- HBase
- HDFS Client Configuration
- HDFS NameNode Web UI
- Hive-on-Tez
- HiveServer2
- HttpFS
- Hue Client
- Hue Load Balancer
- Hue Server
- Impala Catalog Server
- Impala Server
- Impala StateStore
- Java Keystore Key Management Server (KMS)
- Kafka Broker Server
- Kafka Mirrormaker
- Knox
- Kudu
- Livy
- Oozie
- Ozone
- Phoenix
- Ranger
- Safenet Luna Hardware Security Modules (HSM) KMS
- Schema Registry
- Solr
- Spark History Server
- Streams Messaging Manager
- Streams Replication Manager
- YARN Web UI
- Zeppelin
- ZooKeeper
For unlisted CDP services, you must enable TLS manually. See the applicable component guide for more information.
Limitations
- It is not possible to rename hostnames of cluster nodes in an Auto-TLS setup.