TLS keys and certificates

When using Cloudera Edge Management, sensitive information is sent over the network between Edge Flow Manager and MiNiFi agents, including configuration files that contain passwords. To secure this transfer, you must configure Transport Layer Security (TLS) encryption.

TLS is an industry standard set of cryptographic protocols for securing communications over a network.

Configuring TLS involves creating a private key and a public key for use by server and client processes to negotiate an encrypted connection. In addition, TLS can use certificates to verify the trustworthiness of keys presented during the negotiation to prevent spoofing and mitigate other potential security issues.

Because TLS keys and certificates are usually specific to each enterprise organization, Cloudera Edge Management needs these details manually configured.

To secure Cloudera Edge Management through TLS, you need the following:

  • A Certificate Authority (CA) or intermediate signing authority public certificate, used to sign certificates and verify trust. Edge Flow Manager uses this certificate in its truststore in order to verify the identity of MiNiFi agents by validating their certificates. MiNiFi agents use this certificate in their truststores in order to verify the identity of the Edge Flow Manager servers by validating their certificates.

  • A public and private key pair for Edge Flow Manager signed by the CA; in a cluster deployment, one key pair per host is recommended.

  • A public and private key pair for MiNiFi agents signed by the CA; one key pair per agent is recommended.

Before configuring TLS, ensure that the certificates used meet the requirements.

Certificate requirements

  • The Edge Flow Manager KeyStore must be in Java KeyStore (JKS) or PKCS #12 (PKCS12, typically a .p12 file) format.

  • The Edge Flow Manager KeyStore can contain one or more private key entries. If multiple entries are used, Edge Flow Manager must be configured accordingly. For more information, see TLS configuration for Edge Flow Manager.

  • The X509v3 KeyUsage section of the certificate must include the following attributes:
    • DigitalSignature

    • Key_Encipherment

  • The X509v3 ExtendedKeyUsage section of EFM and MiNiFi agent certificates must include the following attributes:
    • clientAuth

    • serverAuth

  • The signature algorithm used for certificates must be sha256WithRSAEncryption (SHA-256).

  • For Edge Flow Manager certificates, Subject Alternative Names (SANs) are mandatory and must at least include the FQDN of the host.

  • Additional names for the certificate and host can be added to the certificate as SANs.
    • Add the FQDN used for the Common Name (CN) as a DNS SAN entry.

    • If you are planning to use a load balancer for an Edge Flow Manager cluster, include the FQDN for the load balancer as a DNS SAN entry.

Cloudera recommends the following security practices:

  • Use certificates that are signed by a CA. Do not issue self-signed certificates.

  • Generate a unique certificate per host, including MiNiFi agents. Do not use wildcard certificates.
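The following script is an added example, not Cloudera's own tooling: it builds a throwaway test CA with OpenSSL, issues one Edge Flow Manager certificate and one MiNiFi agent certificate that satisfy the certificate requirements above (KeyUsage digitalSignature and keyEncipherment, ExtendedKeyUsage serverAuth and clientAuth, sha256WithRSAEncryption, DNS SANs for the host and the load balancer), packages each key pair into a PKCS12 keystore and CA truststore, and then checks a certificate against those requirements plus the recommendations (CA-signed, no wildcard names). The hostnames, CA name, store password and file names are constructed placeholders; in production the CSR would go to the enterprise CA instead of the local test CA, and the password would not be hard-coded.

```shell
#!/bin/sh
# Added example (not Cloudera's code): test CA, EFM/MiNiFi certificates that
# meet the stated requirements, PKCS12 stores, and a requirements check.
# All names, passwords and paths below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
CA_SUBJ="/CN=Example Test CA"                  # constructed
EFM_FQDN="efm1.example.internal"               # constructed EFM host
LB_FQDN="efm-lb.example.internal"              # constructed load balancer name
AGENT_FQDN="minifi-agent1.example.internal"    # constructed agent host
STORE_PASS="pass:changeit-example"             # constructed; never hard-code in production

# Minimal req config. An (empty) DN section is required even when -subj is used.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Test root CA. In a real deployment this is the enterprise CA or an
#    intermediate; its certificate is what goes into every truststore.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$CA_SUBJ" \
    -config "$WORK/req.cnf" -extensions v3_ca 2>/dev/null
}

# 2. Issue a leaf certificate: file base name, CN, comma-separated SAN list.
#    KeyUsage, ExtendedKeyUsage and SAN come from the extension file;
#    -sha256 on the signing step yields sha256WithRSAEncryption.
issue_cert() {
  name=$1; cn=$2; sans=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$cn" \
    -config "$WORK/req.cnf" 2>/dev/null
  cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = $sans
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" -extfile "$WORK/$name.ext" 2>/dev/null
}

# 3. Check a certificate file against the requirements and recommendations.
#    Returns 0 only if every check passes; the expected DNS SAN is the 2nd arg.
check_cert() {
  cert=$1; want_san=$2
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Digital Signature, Key Encipherment' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
    | grep -q "DNS:$want_san" || return 1
  # Recommendation: no wildcard names.
  printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
    | grep -q 'DNS:\*' && return 1
  # Recommendation: chain must validate against the CA (rejects self-signed).
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
}

# 4. PKCS12 keystore (private key + chain) for EFM or an agent; the CA-only
#    truststore is built with keytool when a JDK is present.
build_stores() {
  name=$1
  openssl pkcs12 -export -name "$name" -inkey "$WORK/$name.key" \
    -in "$WORK/$name.crt" -certfile "$WORK/ca.crt" \
    -out "$WORK/$name-keystore.p12" -passout "$STORE_PASS"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias ca -file "$WORK/ca.crt" \
      -keystore "$WORK/$name-truststore.p12" -storetype PKCS12 \
      -storepass "${STORE_PASS#pass:}" >/dev/null 2>&1
  fi
}

make_ca
issue_cert efm "$EFM_FQDN" "DNS:$EFM_FQDN,DNS:$LB_FQDN"
issue_cert minifi "$AGENT_FQDN" "DNS:$AGENT_FQDN"
build_stores efm
build_stores minifi
check_cert "$WORK/efm.crt" "$LB_FQDN" && echo "efm certificate meets requirements"
check_cert "$WORK/minifi.crt" "$AGENT_FQDN" && echo "minifi certificate meets requirements"
```

Run it as-is to see the checks pass; point `check_cert` at a certificate issued by your real CA (and `-CAfile` at that CA's certificate) to audit an existing EFM or agent certificate before loading it into a keystore. The agent certificate deliberately carries only its own FQDN, so checking it for the load balancer name fails, which is the behaviour you want from a one-certificate-per-host policy.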