Cloudera Docs

Configuring SSL/TLS certificate exchange between two Cloudera Manager instances

You must manually set up an SSL/TLS certificate exchange between two Cloudera Manager instances that manage source and target cluster respectively. Replication Manager uses this information to set up the peers for secure data replication.

When the source Cloudera Manager is configured for high availability and is Auto-TLS enabled, the certificate exchange is initiated from the source cluster to the target cluster where the certificate is exported from the load balancer node of the source cluster.

  1. List the contents of the keystore file located in the source cluster Cloudera Manager. 
    /usr/lib/jvm/java-openjdk-11/bin/keytool -list -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -storepass [***PASSWORD***]
  2. Export the certificate contents to the cert.txt file. 
    /usr/java/default/bin/keytool -exportcert -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-0 -file ./cert.txt -storepass [***TRUSTSTORE PASSWORD***]
  3. Copy the cert.txt file to all the hosts of the target cluster Cloudera Manager securely. 
    $ mv cert.txt othercert.txt
$ scp -i [***PEM FILE***] othercert.txt root@[***HOST_IP***]:/home/
  4. Import the certificate into the keystore file on all the hosts of the target cluster Cloudera Manager. 
    /usr/java/default/bin/keytool -importcert -noprompt -v -trustcacerts -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-1 -file ./othercert.txt --storepass [***TRUSTSTORE PASSWORD***]
  5. Run steps 1 and 2 in the target cluster Cloudera Manager, and then copy the cert.txt file to all the hosts in the source cluster Cloudera Manager securely, and import the certificate into the keystore file on all the hosts of the source cluster Cloudera Manager (steps 3 and 4).
  6. Perform this step only for Ozone replication policies.
    Import the S3G CA certificate from the cluster to the local JDK path using the following commands:
    1. Run the following command on all the nodes of the source cluster:
      keytool -importkeystore -destkeystore [***JDK CACERTS LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS_LOCATION***] -srcalias [***CM ALIAS***]
      For example, 
      keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
    2. Run the following commands on all the nodes of the target cluster:
      keytool -importkeystore -destkeystore [***JDK CACERTS_LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS_LOCATION***] -srcalias [***CM ALIAS0***]

      keytool -importkeystore -destkeystore [***JDK CACERTS LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS_LOCATION***] -srcalias [***CM ALIAS1***]

      For example,
       keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-1