TLS configuration for EFM
Learn about the properties that you need to set to configure TLS for Edge Flow Manager (EFM).
When TLS is disabled, EFM runs in an unsecured mode where the web endpoints are accessible over HTTP on all network interfaces and clients are not authenticated. When unsecured, all clients are anonymous and have full access to the application. For this reason, insecure mode should only be used for test or development purposes and when EFM is not accessible through the public Internet.
In the efm.properties file:
efm.web.host=localhost
For production environments, security should always be enabled by configuring a TLS context and method of user authentication.
Securing an EFM instance starts with configuring a TLS context, also known as an SSL context. Enabling TLS enforces that all usage of the EFM web application as well as agent communication is authenticated and that the authenticated user or agent is allowed to perform requested actions based on policies.
Configure the TLS context with the efm.server.ssl.* prefixed properties in the efm.properties file:
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/path/to/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=keyStorePassword
efm.server.ssl.keyPassword=keyPassword
efm.server.ssl.trustStore=/path/to/truststore.jks
efm.server.ssl.trustStoreType=jks
efm.server.ssl.trustStorePassword=trustStorePassword
efm.server.ssl.clientAuth=WANT
efm.server.ssl.enabled
Set to true to enable TLS and secure EFM.
efm.server.ssl.keyStore
The file path to the keystore containing the EFM TLS keypair.
efm.server.ssl.keyStoreType
Set to jks or pkcs12 depending on the format of the keystore. Other formats are not supported.
efm.server.ssl.keyStorePassword
The passphrase for the keystore.
efm.server.ssl.keyPassword
The passphrase for the key in the keystore.
efm.server.ssl.trustStore
The file path to the truststore containing the public certificates of the Certificate Authorities (CA) trusted by EFM.
efm.server.ssl.trustStoreType
Set to jks or pkcs12 depending on the format of the truststore. Other formats are not supported.
efm.server.ssl.trustStorePassword
The passphrase for the truststore.
efm.server.ssl.clientAuth
Set to WANT to allow MiNiFi agents to authenticate to EFM with TLS client certificates while allowing users to use an alternative form of authentication (such as SSO). If users also authenticate with mutual TLS client certificates in browsers, this can be set to NEED.
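As an added example (not part of the EFM documentation or product), the following Python checker parses an efm.properties file and reports settings that contradict the rules above: TLS disabled without the host limited to localhost, a missing keystore, truststore or passphrase, an unsupported store type, or a clientAuth value other than WANT or NEED. The sample properties content is constructed for the demonstration; the property names and accepted values are the ones listed on this page.

```python
# Constructed sample efm.properties content (the keystore paths and passwords are placeholders).
SAMPLE_PROPERTIES = """\
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/path/to/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=keyStorePassword
efm.server.ssl.keyPassword=keyPassword
efm.server.ssl.trustStore=/path/to/truststore.jks
efm.server.ssl.trustStoreType=pkcs12
efm.server.ssl.trustStorePassword=trustStorePassword
efm.server.ssl.clientAuth=NONE
"""

SUPPORTED_STORE_TYPES = {"jks", "pkcs12"}  # the only keystore/truststore formats EFM accepts
ALLOWED_CLIENT_AUTH = {"WANT", "NEED"}     # both let MiNiFi agents present client certificates

def parse_properties(text):
    """Parse Java-style key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_tls(props):
    """Return a list of findings; an empty list means the TLS context is consistent."""
    findings = []
    if props.get("efm.server.ssl.enabled", "false").lower() != "true":
        findings.append("TLS disabled: web endpoints are plain HTTP and every client is anonymous")
        if props.get("efm.web.host") != "localhost":
            findings.append("unsecured mode is not limited to localhost (efm.web.host)")
        return findings  # the ssl.* properties are irrelevant while TLS is off
    for name in ("keyStore", "keyStorePassword", "keyPassword", "trustStore", "trustStorePassword"):
        if not props.get(f"efm.server.ssl.{name}"):
            findings.append(f"missing efm.server.ssl.{name}")
    for name in ("keyStoreType", "trustStoreType"):
        if props.get(f"efm.server.ssl.{name}", "").lower() not in SUPPORTED_STORE_TYPES:
            findings.append(f"efm.server.ssl.{name} must be jks or pkcs12")
    if props.get("efm.server.ssl.clientAuth", "").upper() not in ALLOWED_CLIENT_AUTH:
        findings.append("efm.server.ssl.clientAuth must be WANT or NEED so MiNiFi agents can use client certificates")
    return findings

if __name__ == "__main__":
    for finding in check_tls(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", finding)
```

Run against the sample, the checker accepts the keystore and truststore settings and flags only the clientAuth value.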
For more information regarding generating keystores and truststores for EFM, see TLS keys and certificates.