(Recommended) Enable Auto-TLS
Auto-TLS greatly simplifies the process of enabling and managing TLS encryption on your cluster.
Auto-TLS automates the creation of an internal certificate authority (CA) and deployment of certificates across all cluster hosts. It can also automate the distribution of existing certificates, such as those signed by a public CA. Adding new cluster hosts or services to a cluster with auto-TLS enabled automatically creates and deploys the required certificates.
You can enable auto-TLS on existing clusters. If you do not want to enable auto-TLS right now, skip this section and continue to Step 4: Install and Configure Databases. Enabling auto-TLS on existing clusters is not supported if you are using the Cloudera Manager CA as an intermediate CA to an existing internal root CA, so if you want to use this option, you must enable auto-TLS now using the procedure documented in Enabling Auto-TLS with an Existing Root CA.
To enable auto-TLS with an embedded Cloudera Manager CA, run the following command:
sudo JAVA_HOME=/usr/java/jdk1.8.0_181-cloudera /opt/cloudera/cm-agent/bin/certmanager setup --configure-services
Replace jdk1.8.0_181-cloudera
with your JDK version. If
you want to store the files in a directory other than the default
(/var/lib/cloudera-scm-server/certmanager
), add the
--location
option as follows:
sudo JAVA_HOME=/usr/java/jdk1.8.0_181-cloudera /opt/cloudera/cm-agent/bin/certmanager --location /opt/cloudera/CMCA setup --configure-services
Check the /var/log/cloudera-scm-agent/certmanager.log
log file to confirm
that the /var/lib/cloudera-scm-server/certmanager/*
directories were
created.
When you start Cloudera Manager Server, it will have TLS enabled, and all hosts that you add to the cluster, as well as any supported services, will automatically have TLS configured and enabled.