Setting up SSL/TLS certificate exchange

In order to replicate data securely, you must configure an SSL/TLS certificate exchange between the two Cloudera Manager instances that manage the source and target clusters.

The following sample commands use the open-jdk-11 java version. Use the Java version that you use in Cloudera clusters in these commands.

  1. List the contents of the trustore file located in the source cluster Cloudera Manager.
    /usr/lib/jvm/java-openjdk-11/bin/keytool -list -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -storepass [***password***]
    The global truststore password is available in the /etc/hadoop/conf/ssl-client.xml file.
  2. Export the certificate contents to the cert.txt file.
    /usr/java/default/bin/keytool -exportcert -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-0 -file ./cert.txt -storepass [***truststore_pass***]                        
  3. Copy the cert.txt file to all the hosts of the destination cluster Cloudera Manager securely.
    $ mv cert.txt othercert.txt
    $ scp                       
  4. Import the certificate into the trustore file on all the hosts of the destination cluster Cloudera Manager.
    /usr/java/default/bin/keytool -importcert -noprompt -v -trustcacerts -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-1 -file ./othercert.txt --storepass [***truststore_password***]
  5. Run steps 1 and 2 in the target cluster Cloudera Manager, and then copy the cert.txt file to all the hosts in the source cluster Cloudera Manager securely, and import the certificate into the trustore file on all the hosts of the source cluster Cloudera Manager (steps 3 and 4).