Configuring TLS Encryption for Cloudera Manager Using Auto-TLS
Use Auto-TLS to simplify the process of configuring TLS encryption for Cloudera Manager.
Auto-TLS greatly simplifies the process of enabling and managing TLS encryption on your cluster. It automates the creation of an internal certificate authority (CA) and deployment of certificates across all cluster hosts. It can also automate the distribution of existing certificates, such as those signed by a public CA. Adding new cluster hosts or services to a cluster with auto-TLS enabled automatically creates and deploys the required certificates.
Auto-TLS Requirements and Limitations
- You must install the Cloudera Manager Agent software on the Cloudera Manager Server host.
- You can enable auto-TLS using certificates created and managed by a Cloudera Manager certificate authority (CA), or certificates signed by a trusted public CA or your own internal CA. If you want to use a trusted public CA or your own internal CA, you must obtain all of the host certificates before enabling auto-TLS. For instructions on obtaining certificates from a CA, see On Each Cluster Host:.
The following services support auto-TLS:
- Atlas
- Cloudera Manager Host Monitor Debug Interface
- Cloudera Manager Service Monitor Debug Interface
- HBase
- HDFS Client Configuration
- HDFS NameNode Web UI
- Hive-on-Tez
- HiveServer2
- HttpFS
- Hue Client
- Hue Load Balancer
- Hue Server
- Impala Catalog Server
- Impala Server
- Impala StateStore
- Java Keystore Key Management Server (KMS)
- Kafka Broker Server
- Kafka Mirrormaker
- Kudu
- Livy
- Oozie
- Phoenix
- Ranger
- Safenet Luna Hardware Security Modules (HSM) KMS
- Solr
- Spark History Server
- YARN Web UI
- Zeppelin
- ZooKeeper
For unlisted services, you must enable TLS manually. See the applicable component guide for more information.
- Ensure that QuorumSSL (Secure ZooKeeper) is enabled only if QuorumSASL (server-to-server SASL authentication) is also enabled. Note that QuorumSSL is enabled by default if auto-TLS is enabled. If QuorumSSL is enabled without QuorumSASL, the ZooKeeper cluster can be slow to start due to known ZooKeeper limitations.
The certmanager Utility
Auto-TLS is managed using the certmanager utility, which is included in the Cloudera Manager Agent software, and not the Cloudera Manager Server software. You must install the Cloudera Manager Agent software on the Cloudera Manager Server host to be able to use the utility. You can use certmanager to manage auto-TLS on a new installation.
The certmanager syntax is as follows:
/opt/cloudera/cm-agent/bin/certmanager [OPTIONS] COMMAND [ARGS]...
- Options:
  - --location <certmanager-dir-root>: The directory where certmanager stores all of its files on the Cloudera Manager Server host. If omitted, defaults to /var/lib/cloudera-scm-server/certmanager. This directory is created automatically, and must not exist before running the command. If it does exist, you can use the --rotate argument (documented below) to back up the existing directory and create a new one in its place. The agent host certificates and other files are stored elsewhere on each agent (see Auto-TLS Agent File Locations).
  - --help: Displays the help message.
- Commands:
  - add_custom_cert: Adds a custom certificate and key for a host. Use this command only if you have configured a custom certificate directory (using the setup_custom_certdir command). You must run this command before adding a host in Cloudera Manager.
  - export_ca_cert: Displays the Cloudera Manager internal CA certificate. You can export the certificate to a file using a redirect operator (> or >>).
  - setup: Initializes the certificate manager and the internal CA, and configures Cloudera Manager Server to enable auto-TLS.
    - --configure-services: Configures Cloudera Manager Server to enable automatic configuration of TLS for supported components, such as HDFS, YARN, and so on. If you omit this option, auto-TLS will only be configured for Cloudera Manager agent/server communication.
    - --rotate: Backs up the certmanager root directory (/var/lib/cloudera-scm-server/certmanager by default, or specified by the --location option) if it exists, and creates a new one in its place. If the directory does not exist, it is created. If the directory exists, and you do not use the --rotate argument, the command fails.
    - --override ca_dn="<CA_DN>": Overrides the default CA distinguished name (DN) with the provided DN. Use this if your environment requires that the common name (CN) matches the hostname. For example: --override ca_dn="CN=cm01,DC=example,DC=com"
    - --stop-at-csr: Stops the setup process after generating the private key and certificate signing request (CSR) for an intermediate CA certificate, and outputs the CSR file location to the screen. Submit the provided CSR to your internal root CA for signing. After receiving the signed intermediate CA certificate, continue the setup using the --signed-ca-cert parameter.
    - --signed-ca-cert=<intermediate_CA_cert>: Resumes the setup process using the provided signed intermediate CA certificate. When using the --stop-at-csr and --signed-ca-cert arguments, make sure that the remaining command options and arguments are the same in both invocations.
  - setup_custom_certdir: Initializes the certificate manager using a custom certificate directory. Use this command if you are using existing certificates signed by a trusted public CA or your own internal CA.
    - --configure-services: Configures Cloudera Manager Server to enable automatic configuration of TLS for supported components, such as HDFS, YARN, and so on. If you omit this option, auto-TLS will only be configured for Cloudera Manager agent/server communication.
    - --rotate: Backs up the certmanager root directory (/var/lib/cloudera-scm-server/certmanager by default, or specified by the --location option) if it exists, and creates a new one in its place. If the directory does not exist, it is created. If the directory exists, and you do not use the --rotate argument, the command fails.
Rotating Auto-TLS Certificate Authority and Host Certificates
Your cluster security requirements may require that you rotate the auto-TLS CA and certificates.
- In Cloudera Manager, click the Rotate Auto-TLS Certificates button to launch the wizard.
- Complete the wizard.
Auto-TLS Agent File Locations
The certificates, keystores, and password files generated by auto-TLS are stored in /var/lib/cloudera-scm-agent/agent-cert on each Cloudera Manager Agent.
The filenames are as follows:
| Filename | Description |
|---|---|
| cm-auto-global_cacerts.pem | CA certificate and other trusted certificates in PEM format |
| cm-auto-global_truststore.jks | CA certificate and other trusted certificates in JKS format |
| cm-auto-in_cluster_ca_cert.pem | CA certificate in PEM format |
| cm-auto-in_cluster_truststore.jks | CA certificate in JKS format |
| cm-auto-host_key_cert_chain.pem | Agent host certificate and private key in PEM format |
| cm-auto-host_cert_chain.pem | Agent host certificate in PEM format |
| cm-auto-host_key.pem | Agent host private key in PEM format |
| cm-auto-host_keystore.jks | Agent host private key in JKS format |
| cm-auto-host_key.pw | Agent host private key password file |