(Recommended) Enable Auto-TLS
Auto-TLS greatly simplifies the process of enabling and managing TLS encryption on your cluster.
Auto-TLS automates the creation of an internal certificate authority (CA) and deployment of certificates across all cluster hosts. It can also automate the distribution of existing certificates, such as those signed by a public CA. Adding new cluster hosts or services to a cluster with auto-TLS enabled automatically creates and deploys the required certificates.
You can enable auto-TLS on existing clusters. If you do not want to enable auto-TLS right now, skip this section and continue to Step 4: Install and Configure Databases. Enabling auto-TLS on existing clusters is not supported if you are using the Cloudera Manager CA as an intermediate CA to an existing internal root CA, so if you want to use this option, you must enable auto-TLS now using the procedure documented in Enabling Auto-TLS with an Existing Root CA.
To enable auto-TLS with an embedded Cloudera Manager CA, run the following command:
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre; /opt/cloudera/cm-agent/bin/certmanager setup --configure-services
OpenJDK version 8u232 is included in the Cloudera Manager repository. If you chose to install the JDK with Cloudera Manager, Cloudera Manager used version 8u232. If you are using a JDK other than OpenJDK 8u232, replace java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64 with the directory name of your JDK. If you want to store the files in a directory other than the default (/var/lib/cloudera-scm-server/certmanager), add the --location option as follows:
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre; /opt/cloudera/cm-agent/bin/certmanager --location /opt/cloudera/CMCA setup --configure-services
Check the /var/log/cloudera-scm-agent/certmanager.log log file to confirm that the /var/lib/cloudera-scm-server/certmanager/* directories (or the directory you specified with --location) were created.
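The setup and verification steps above, wrapped in a shell script as an added example that is not part of the Cloudera documentation: it detects JAVA_HOME from the java binary on PATH instead of hard-coding the JDK path, passes --location only when a non-default directory is requested, and checks that the certmanager directory was created and populated. The CERTMANAGER variable and the detect_java_home, verify_certmanager_dir and run_auto_tls_setup function names are this example's own, and it assumes a Linux host with readlink -f.

```shell
#!/bin/sh
# Added example, not from the Cloudera documentation: wraps the Auto-TLS
# setup described above. CERTMANAGER defaults to the agent path named on
# the page; JAVA_HOME is detected from the java binary on PATH unless the
# caller has already exported it.
set -eu

CERTMANAGER="${CERTMANAGER:-/opt/cloudera/cm-agent/bin/certmanager}"
DEFAULT_LOCATION=/var/lib/cloudera-scm-server/certmanager

# Resolve the JRE directory of the java binary on PATH, following symlinks
# such as /etc/alternatives/java. Returns 1 if no java binary is found.
detect_java_home() {
    java_bin=$(command -v java 2>/dev/null) || return 1
    java_bin=$(readlink -f "$java_bin")
    printf '%s\n' "${java_bin%/bin/java}"
}

# Confirm that the certmanager location was created and populated.
# Returns 0 if the directory exists and is non-empty, 1 otherwise.
verify_certmanager_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not created: $dir" >&2; return 1; }
    [ -n "$(ls -A "$dir")" ] || { echo "empty: $dir" >&2; return 1; }
}

# Run certmanager setup, passing --location only when a non-default
# directory is requested, then verify the result. $1 is the location.
run_auto_tls_setup() {
    location="${1:-$DEFAULT_LOCATION}"
    if [ -z "${JAVA_HOME:-}" ]; then
        JAVA_HOME=$(detect_java_home) || { echo "no java on PATH" >&2; return 1; }
    fi
    export JAVA_HOME
    if [ "$location" = "$DEFAULT_LOCATION" ]; then
        "$CERTMANAGER" setup --configure-services
    else
        "$CERTMANAGER" --location "$location" setup --configure-services
    fi
    verify_certmanager_dir "$location"
}

# Usage: run_auto_tls_setup            (default location)
#        run_auto_tls_setup /opt/cloudera/CMCA
```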
When you start Cloudera Manager Server, it will have TLS enabled, and all hosts that you add to the cluster, as well as any supported services, will automatically have TLS configured and enabled.