TLS configuration for EFM

Learn about the properties that you need to set to configure TLS for Edge Flow Manager.

When TLS is disabled, Edge Flow Manager runs in an unsecured mode: the web endpoints are accessible over HTTP on all network interfaces and clients are not authenticated. All clients are then anonymous and have full access to the application. For this reason, unsecured mode should only be used for test or development purposes, and only when Edge Flow Manager is not reachable from the public Internet.

You can limit the network interfaces that the web server binds to by setting efm.web.host in the efm.properties file. For example, to listen on the loopback interface only:
efm.web.host=localhost

For production environments, security should always be enabled by configuring a TLS context and method of user authentication.

Securing an Edge Flow Manager instance starts with configuring a TLS context, also known as an SSL context. Enabling TLS enforces that all use of the Edge Flow Manager web application, as well as all agent communication, is authenticated, and that the authenticated user or agent is authorized by policy to perform the requested actions.

Settings for the Edge Flow Manager TLS context are configured using the efm.server.ssl.* prefixed properties in the efm.properties file:
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/path/to/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=keyStorePassword
efm.server.ssl.keyPassword=keyPassword
efm.server.ssl.trustStore=/path/to/truststore.jks
efm.server.ssl.trustStoreType=jks
efm.server.ssl.trustStorePassword=trustStorePassword
efm.server.ssl.clientAuth=WANT
efm.server.ssl.keyAlias=
efm.server.serviceUserKeyAlias=
Where,
  • efm.server.ssl.enabled

    Set to true to enable TLS and secure Edge Flow Manager.

  • efm.server.ssl.keyStore

    The file path to the keystore containing the Edge Flow Manager TLS keypair.

  • efm.server.ssl.keyStoreType

    Set to jks or pkcs12 depending on the format of the keystore. Other formats are not supported.

  • efm.server.ssl.keyStorePassword

    The passphrase for the keystore.

  • efm.server.ssl.keyPassword

    The passphrase for the key in the keystore.

  • efm.server.ssl.trustStore

    The file path to the truststore containing the public certificates of the Certificate Authorities (CAs) trusted by Edge Flow Manager.

  • efm.server.ssl.trustStoreType

    Set to jks or pkcs12 depending on the format of the truststore. Other formats are not supported.

  • efm.server.ssl.trustStorePassword

    The passphrase for the truststore.

  • efm.server.ssl.clientAuth

    Set to WANT to allow MiNiFi agents to authenticate to Edge Flow Manager with TLS client certificates while still letting users authenticate with an alternative method (such as SSO). If users also use mutual TLS with client certificates in their browsers, this can be set to NEED.

  • efm.server.ssl.keyAlias and efm.server.serviceUserKeyAlias
    • If you have a keystore with a single private key entry (see Example 1 from the TLS key and certificate examples), leave efm.server.ssl.keyAlias and efm.server.serviceUserKeyAlias commented out.

    • If you have a keystore with multiple elements, for example separate keys for Edge Flow Manager internal and external SSL communication (see Example 2 from the TLS key and certificate examples), set both of these properties.

    • If you have a keystore with multiple private key entries, configure the properties as follows:
      • efm.server.ssl.keyAlias=server
      • efm.server.serviceUserKeyAlias=service
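The settings described above, as an added configuration check that is not part of Edge Flow Manager or its documentation: a small Python linter that parses an efm.properties fragment and reports the inconsistencies this page warns against (TLS disabled while the web server is bound to something other than localhost, missing efm.server.ssl.* properties, a keystore or truststore type other than jks or pkcs12, a clientAuth value other than WANT or NEED, or only one of the two key alias properties set). The properties parser, the finding texts, the check_paths option and the two sample fragments are constructed for this example; the property names and accepted values are those given on this page.

```python
# Added example (not part of Edge Flow Manager or its documentation): a linter
# for the efm.properties TLS settings discussed above. It assumes Java
# properties syntax (key=value, '#' or '!' comments) and the efm.* property
# names shown on this page; the sample fragments below are constructed.
import os

# Properties that must be present and non-empty once efm.server.ssl.enabled=true
REQUIRED_WHEN_TLS = (
    "efm.server.ssl.keyStore",
    "efm.server.ssl.keyStoreType",
    "efm.server.ssl.keyStorePassword",
    "efm.server.ssl.keyPassword",
    "efm.server.ssl.trustStore",
    "efm.server.ssl.trustStoreType",
    "efm.server.ssl.trustStorePassword",
    "efm.server.ssl.clientAuth",
)
SUPPORTED_STORE_TYPES = {"jks", "pkcs12"}   # the only formats the page supports
CLIENT_AUTH_MODES = {"WANT", "NEED"}        # the modes this page describes
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_properties(text):
    """Parse a Java-style properties fragment into a dict.

    Blank lines and lines starting with '#' or '!' are skipped, so a key that is
    commented out is simply absent (what "leave ... commented out" means above).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_tls(props, check_paths=False):
    """Return a list of findings; an empty list means the fragment follows the
    production guidance on this page."""
    findings = []
    enabled = props.get("efm.server.ssl.enabled", "false").lower() == "true"

    if not enabled:
        # Unsecured mode: every client is anonymous with full access, so the
        # only acceptable binding is the loopback interface on a dev box.
        findings.append("efm.server.ssl.enabled is not true: clients are anonymous with full access")
        host = props.get("efm.web.host", "")
        if host not in LOOPBACK_HOSTS:
            shown = host or "<all interfaces>"
            findings.append(f"unsecured mode is bound to efm.web.host={shown}; set efm.web.host=localhost")
        return findings

    for key in REQUIRED_WHEN_TLS:
        if not props.get(key):
            findings.append(f"{key} is missing or empty")

    for key in ("efm.server.ssl.keyStoreType", "efm.server.ssl.trustStoreType"):
        store_type = props.get(key, "").lower()
        if store_type and store_type not in SUPPORTED_STORE_TYPES:
            findings.append(f"{key}={store_type} is not supported; use jks or pkcs12")

    mode = props.get("efm.server.ssl.clientAuth", "")
    if mode and mode.upper() not in CLIENT_AUTH_MODES:
        findings.append(f"efm.server.ssl.clientAuth={mode} is not one of the documented modes WANT/NEED")

    # Alias rule from the page: a single-entry keystore needs neither alias, a
    # multi-entry keystore needs both. Setting only one of them is a mistake.
    key_alias = props.get("efm.server.ssl.keyAlias", "")
    service_alias = props.get("efm.server.serviceUserKeyAlias", "")
    if bool(key_alias) != bool(service_alias):
        findings.append("set both efm.server.ssl.keyAlias and efm.server.serviceUserKeyAlias, or neither")

    if check_paths:  # optional: confirm the stores exist on the host running the check
        for key in ("efm.server.ssl.keyStore", "efm.server.ssl.trustStore"):
            path = props.get(key, "")
            if path and not os.path.isfile(path):
                findings.append(f"{key}={path} does not exist on this host")
    return findings


# Constructed sample 1: the production fragment shown on this page.
PROD_FRAGMENT = """\
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/path/to/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=keyStorePassword
efm.server.ssl.keyPassword=keyPassword
efm.server.ssl.trustStore=/path/to/truststore.jks
efm.server.ssl.trustStoreType=jks
efm.server.ssl.trustStorePassword=trustStorePassword
efm.server.ssl.clientAuth=WANT
efm.server.ssl.keyAlias=
efm.server.serviceUserKeyAlias=
"""

# Constructed sample 2: an unsecured development instance listening on all interfaces.
DEV_FRAGMENT = """\
efm.server.ssl.enabled=false
efm.web.host=0.0.0.0
"""

if __name__ == "__main__":
    for name, text in (("production", PROD_FRAGMENT), ("development", DEV_FRAGMENT)):
        print(f"{name}: {lint_tls(parse_properties(text)) or ['OK']}")
```

Run it against a copy of your efm.properties before restarting the service; with check_paths=True it also confirms that the keystore and truststore paths resolve on the host, which catches the common case of a fragment copied from another machine.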