TLS keys and certificates

When using Cloudera Edge Management (CEM), sensitive information is sent over the network between Edge Flow Manager (EFM) and MiNiFi agents, including configuration files that contain passwords. To secure this transfer, you must configure Transport Layer Security (TLS) encryption.

TLS is an industry standard set of cryptographic protocols for securing communications over a network.

Configuring TLS involves creating a private key and a public key for use by server and client processes to negotiate an encrypted connection. In addition, TLS can use certificates to verify the trustworthiness of keys presented during the negotiation to prevent spoofing and mitigate other potential security issues.

Because TLS keys and certificates are usually specific to each enterprise organization, these details must be configured manually in CEM.

To secure CEM through TLS, you need the following:

  • A Certificate Authority (CA) or intermediate signing authority public certificate, used to sign certificates and verify trust. EFM uses this certificate in its truststore in order to verify the identity of MiNiFi agents by validating their certificates. MiNiFi agents use this certificate in their truststores in order to verify the identity of the EFM servers by validating their certificates.

  • A public and private keypair for EFM signed by the CA; in a cluster deployment, one keypair per host is recommended.

  • A public and private keypair for MiNiFi agents signed by the CA; one keypair per agent is recommended.

Before configuring TLS, ensure that the certificates used meet the requirements.

Certificate requirements

  • The EFM KeyStore must be in Java KeyStore (JKS) or PKCS #12 (PKCS12, .p12) format.

  • The EFM KeyStore must contain only one private key entry.

  • The X509v3 KeyUsage section of the certificate must include the following attributes:
    • DigitalSignature

    • Key_Encipherment

  • The X509v3 ExtendedKeyUsages section of EFM and MiNiFi agent certificates must include the following attributes:
    • clientAuth

    • serverAuth

  • The signature algorithm used for certificates must be sha256WithRSAEncryption (SHA-256).

  • For EFM certificates, Subject Alternative Names (SANs) are mandatory and should at least include the FQDN of the host.

  • Additional names for the certificate and host can be added to the certificate as SANs.
    • Add the FQDN used for the Common Name (CN) as a DNS SAN entry.

    • If you are planning to use a load balancer for an EFM cluster, include the FQDN for the load balancer as a DNS SAN entry.
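As an added example (not Cloudera's own tooling), the following stdlib-only Python check reads the text form of an EFM certificate, as printed by `openssl x509 -in cert.pem -noout -text`, and reports which of the requirements above it fails: SHA-256 RSA signature, the two KeyUsage bits, both ExtendedKeyUsages, a DNS SAN for the CN and optionally for a load balancer FQDN. It assumes OpenSSL's text labels for those extensions ("Digital Signature, Key Encipherment", "TLS Web Server/Client Authentication"); the certificate, hostnames and CA name are constructed.

```python
import re

# Constructed sample: what `openssl x509 -noout -text` prints for a hypothetical
# EFM host certificate (fake names, trimmed to the fields the check inspects).
SAMPLE_EFM_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Corp Issuing CA
        Subject: CN = efm-1.example.internal
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:efm-1.example.internal, DNS:efm-lb.example.internal
"""

def _extension(text, name):
    """Return the value line under an 'X509v3 <name>:' header, or '' if absent."""
    m = re.search(rf"X509v3 {name}:.*\n\s*(.+)", text)
    return m.group(1).strip() if m else ""

def check_efm_cert(text, lb_fqdn=None):
    """Return a list of requirement violations; an empty list means it passes."""
    problems = []
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    if not sig or sig.group(1) != "sha256WithRSAEncryption":
        problems.append("signature algorithm must be sha256WithRSAEncryption")
    ku = _extension(text, "Key Usage")
    for needed in ("Digital Signature", "Key Encipherment"):
        if needed not in ku:
            problems.append(f"KeyUsage missing {needed}")
    eku = _extension(text, "Extended Key Usage")
    for needed in ("TLS Web Server Authentication", "TLS Web Client Authentication"):
        if needed not in eku:
            problems.append(f"ExtendedKeyUsage missing {needed}")
    # SANs are mandatory for EFM; the CN must also appear as a DNS SAN entry.
    sans = re.findall(r"DNS:([^,\s]+)", _extension(text, "Subject Alternative Name"))
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", text)
    if not sans:
        problems.append("no DNS SAN entries (mandatory for EFM certificates)")
    elif cn and cn.group(1).strip() not in sans:
        problems.append(f"CN {cn.group(1).strip()} is not listed as a DNS SAN")
    if lb_fqdn and lb_fqdn not in sans:
        problems.append(f"load balancer FQDN {lb_fqdn} is not a DNS SAN")
    return problems
```

Run it over the output of `openssl x509 -noout -text` for each EFM and agent certificate before enabling TLS; any non-empty result is a certificate to reissue.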

Cloudera recommends the following security practices:

  • Use certificates that are signed by a CA. Do not issue self-signed certificates.

  • Generate a unique certificate per host, including MiNiFi agents. Do not use wildcard certificates.