Distributing certificates to access S3 endpoint

Distribute Amazon certificates to the required truststores to enable secure communication with Amazon S3 endpoints. This process requires importing necessary certificates into the Cloudera Manager global truststore and in Java cacerts files to ensure TLS handshake success across the environment.

Perform the following steps to add Amazon certificates to the required truststores, including the Java cacerts file:

Add Amazon certificates into the truststore.
1. Download Amazon Trust Services certificates from https://www.amazontrust.com/repository/ to the truststore files in both JKS and PEM formats.
  note
  If you are using the Cloudera Manager Auto-TLS feature, you need to follow step b. If you are managing TLS manually, you need to follow step c.
  note
  For an Amazon S3-compatible object storage endpoint, generate a certificate in PEM format using OpenSSL as follows:
  openssl s_client -connect s3.myobjstore.com:443 <<<'' | openssl x509 -out /tmp/s3-endpoint.pem
2. If you are using a Cloudera Manager managed truststore, you need to update the cm-auto-global_truststore.jks and cm-auto-global_cacerts.pem files.
  1. Create a combined certificate file of AmazonRootCA1.pem, AmazonRootCA2.pem, AmazonRootCA3.pem, AmazonRootCA4.pem, and SFSRootCAG2.pem files:
```
cat AmazonRootCA1.pem AmazonRootCA2.pem AmazonRootCA3.pem AmazonRootCA4.pem SFSRootCAG2.pem >> AmazonCombineCacerts.pem
```
  2. Go to Cloudera Manager > Administration > Security.
  3. Click Update Auto-TLS Truststore.
  4. Upload the combined AmazonCombineCacerts.pem certificate file, and click Save.
    
    Cloudera Manager will start the Update The Global Truststore commands on all the managed hosts. These commands update the cm-auto-global_truststore.jks and cm-auto-global_cacerts.pem files containing the required Amazon Trust Services certificates.
    note
    If you are using the Auto-TLS feature, you need to upload the certificate into the Cloudera Manager managed truststore for an Amazon S3-compatible object storage endpoint. To do so, follow step b described above.
    If you have multiple certificates to upload, create a single PEM format certificate by combining all the individual certificates, and upload it from Cloudera Manager.
3. If you are managing TLS settings manually, update the managed truststore files in the cluster manually by using the Java keytool command.
Add the Amazon Trust Services certificates into the java cacerts keystore.

If you are using Java 17, you can skip this step.
note
For an Amazon S3-compatible object storage endpoint, you must add the required endpoint certificate to the Java cacerts keystore. If multiple certificates are needed for your endpoint, add each certificate individually.
Export the Cloudera Manager CA global truststore into Java cacerts if you are using Cloudera Manager Auto-TLS.

note
If you are managing TLS settings manually, then update the Java cacerts to include the CA certificate used for creating the manual keystore.
1. Run the following command on the Cloudera Manager server host:
```
${JAVA_HOME}/bin/keytool -exportcert -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -storepass <TRUSTSTORE-PASSWORD> -alias cmrootca-0 -file /tmp/cm-truststore.cer

${JAVA_HOME}/bin/keytool -import -file /tmp/cm-truststore.cer -alias cm-truststore -keystore <JAVA-CACERTS-PATH> -storepass changeit
```
2. Copy the updated Java cacerts to the other Cloudera Manager-managed hosts.