(Recommended) Enable Auto-TLS

Auto-TLS greatly simplifies the process of enabling and managing TLS encryption on your cluster.

Auto-TLS automates the creation of an internal certificate authority (CA) and deployment of certificates across all cluster hosts. It can also automate the distribution of existing certificates, such as those signed by a public CA. Adding new cluster hosts or services to a cluster with auto-TLS enabled automatically creates and deploys the required certificates.

You can enable auto-TLS on existing clusters. If you do not want to enable auto-TLS right now, skip this section and continue to Step 4: Install and Configure Databases. Enabling auto-TLS on existing clusters is not supported if you are using the Cloudera Manager CA as an intermediate CA to an existing internal root CA, so if you want to use this option, you must enable auto-TLS now using the procedure documented in Enabling Auto-TLS with an Existing Root CA.

To enable auto-TLS with an embedded Cloudera Manager CA, run the following command:

export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre; /opt/cloudera/cm-agent/bin/certmanager setup --configure-services

OpenJDK version 8u232 is included in the Cloudera Manager repository. If you chose to install the JDK with Cloudera Manager, Cloudera Manager used version 8u232. If you are using a JDK other than OpenJDK 8u232, replace java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64 with your JDK. If you want to store the files in a directory other than the default (/var/lib/cloudera-scm-server/certmanager), add the --location option as follows:

export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre; /opt/cloudera/cm-agent/bin/certmanager --location /opt/cloudera/CMCA setup --configure-services

Check the /var/log/cloudera-scm-agent/certmanager.log log file to confirm that the /var/lib/cloudera-scm-server/certmanager/* directories were created.

When you start Cloudera Manager Server, it will have TLS enabled, and all hosts that you add to the cluster, as well as any supported services, will automatically have TLS configured and enabled.