Configuring TLS Encryption for Cloudera Manager Using Auto-TLS
Use Auto-TLS to simplify the process of configuring TLS encryption for Cloudera
Manager.
Auto-TLS greatly simplifies the process of enabling and managing TLS
encryption on your cluster. It automates the creation of an internal certificate
authority (CA) and deployment of certificates across all cluster hosts. It can also
automate the distribution of existing certificates, such as those signed by a public CA.
Adding new cluster hosts or services to a cluster with auto-TLS enabled automatically
creates and deploys the required certificates.
Auto-TLS Requirements and Limitations
You must install the Cloudera Manager Agent software on the Cloudera Manager Server
host.
You can enable auto-TLS using certificates created and managed by a Cloudera Manager
certificate authority (CA), or certificates signed by a trusted public CA or your own
internal CA. If you want to use a trusted public CA or your own internal CA, you must
obtain all of the host certificates before enabling auto-TLS. For instructions on
obtaining certificates from a CA, see "On Each Cluster Host".
The following services support auto-TLS:
Atlas
Cloudera Manager Host Monitor Debug Interface
Cloudera Manager Service Monitor Debug Interface
HBase
HDFS Client Configuration
HDFS NameNode Web UI
Hive-on-Tez
HiveServer2
HttpFS
Hue Client
Hue Load Balancer
Hue Server
Impala Catalog Server
Impala Server
Impala StateStore
Java Keystore Key Management Server (KMS)
Kafka Broker Server
Kafka Mirrormaker
Kudu
Livy
Oozie
Phoenix
Ranger
Safenet Luna Hardware Security Modules (HSM) KMS
Solr
Spark History Server
YARN Web UI
Zeppelin
ZooKeeper
For unlisted services, you must enable TLS manually. See the applicable
component guide for more information.
Ensure that QuorumSSL (Secure ZooKeeper) is enabled only if QuorumSASL (server-to-server
SASL authentication) is also enabled. Note that QuorumSSL is enabled by default when
Auto-TLS is enabled. If QuorumSSL is enabled without QuorumSASL, the ZooKeeper cluster
can be slow to start because of known ZooKeeper limitations.
The certmanager Utility
Auto-TLS is managed using the certmanager utility, which is included in
the Cloudera Manager Agent software, and not the Cloudera Manager Server software. You
must install the Cloudera Manager Agent software on the Cloudera Manager Server host to be
able to use the utility. You can use certmanager to manage auto-TLS on a
new installation.
--location
The directory where certmanager stores all of its files on the
Cloudera Manager Server host. If omitted, defaults to
/var/lib/cloudera-scm-server/certmanager. This directory is
created automatically, and must not exist before running the command. If it does
exist, you can use the --rotate argument (documented below) to
back up the existing directory and create a new one in its place.
Adds a custom certificate and key for a host. Use this command only if you have
configured a custom certificate directory (using the
setup_custom_certdir command). You must run this command before
adding a host in Cloudera Manager.
export_ca_cert
Displays the Cloudera Manager internal CA certificate. You can export the
certificate to a file using a redirect operator (> or
>>).
setup
Initializes the certificate manager and the internal CA, and configures Cloudera
Manager Server to enable auto-TLS.
--configure-services
Configures Cloudera Manager Server to enable automatic configuration of TLS
for supported components, such as HDFS, YARN, and so on. If you omit this
option, auto-TLS will only be configured for Cloudera Manager agent/server
communication.
--rotate
Backs up the certmanager root directory
(/var/lib/cloudera-scm-server/certmanager by default, or
specified by the --location option) if it exists, and creates
a new one in its place. If the directory does not exist, it is created. If the
directory exists, and you do not use the --rotate argument,
the command fails.
--override ca_dn="<CA_DN>"
Overrides the default CA distinguished name (DN) with the provided DN. Use
this if your environment requires that the common name (CN) matches the
hostname. For example:
--override ca_dn="CN=cm01,DC=example,DC=com"
--stop-at-csr
Stops the setup process after generating the private key and certificate
signing request (CSR) for an intermediate CA certificate, and outputs the CSR
file location to the screen. Submit the provided CSR to your internal root CA
for signing. After receiving the signed intermediate CA certificate, continue
the setup using the --signed-ca-cert parameter.
When using the --stop-at-csr and
--signed-ca-cert arguments, make sure that the remaining
command options and arguments are the same.
--signed-ca-cert=<intermediate_CA_cert>
Resumes the setup process using the provided signed intermediate CA
certificate.
When using the --stop-at-csr and
--signed-ca-cert arguments, make sure that the remaining
command options and arguments are the same.
setup_custom_certdir
Initializes the certificate manager using a custom certificate directory. Use
this command if you are using existing certificates signed by a trusted public CA
or your own internal CA.
--configure-services
Configures Cloudera Manager Server to enable automatic configuration of TLS
for supported components, such as HDFS, YARN, and so on. If you omit this
option, auto-TLS will only be configured for Cloudera Manager agent/server
communication.
--rotate
Backs up the certmanager root directory
(/var/lib/cloudera-scm-server/certmanager by default, or
specified by the --location option) if it exists, and creates
a new one in its place. If the directory does not exist, it is created. If the
directory exists, and you do not use the --rotate argument,
the command fails.
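The two-stage setup flow (--stop-at-csr, then --signed-ca-cert) only works if every other option is repeated identically in the second run. The following wrapper is an added example, not Cloudera's code and not part of certmanager: it records the options given at the CSR stage and refuses to resume unless the same ones are supplied. It assumes certmanager is on PATH (override with CERTMANAGER), that the --location argument is given before the setup subcommand, and it chooses its own state-file path; all of these are assumptions, not documented behaviour.

```shell
#!/bin/sh
# Added example (not Cloudera's code): wraps the two-stage "certmanager setup"
# flow in which an internal root CA signs the intermediate CA certificate.
# Stage 1 stops at the CSR and remembers the options used; stage 2 refuses to
# resume with --signed-ca-cert unless exactly the same options are repeated.
# Assumptions: certmanager is on PATH (override with CERTMANAGER), --location
# precedes the "setup" subcommand, and AUTO_TLS_STATE is our own choice.

CERTMANAGER=${CERTMANAGER:-certmanager}
CERTMANAGER_LOCATION=${CERTMANAGER_LOCATION:-/var/lib/cloudera-scm-server/certmanager}
AUTO_TLS_STATE=${AUTO_TLS_STATE:-/var/lib/cloudera-scm-server/.auto-tls-setup-args}

# Stage 1: generate the intermediate CA key and CSR, then stop. Every other
# setup option (--configure-services, --override ca_dn=..., --rotate) is
# passed through unchanged and recorded one per line for stage 2.
auto_tls_setup_stage1() {
    printf '%s\n' "$@" > "$AUTO_TLS_STATE" || return 1
    "$CERTMANAGER" --location "$CERTMANAGER_LOCATION" setup "$@" --stop-at-csr
}

# Stage 2: resume with the certificate returned by the root CA. $1 is the
# signed intermediate CA certificate; the remaining arguments must repeat
# stage 1's options exactly, otherwise the run is refused before certmanager
# is invoked.
auto_tls_setup_stage2() {
    signed_cert=$1
    shift
    [ -r "$signed_cert" ] || { echo "signed CA cert not readable: $signed_cert" >&2; return 1; }
    [ -r "$AUTO_TLS_STATE" ] || { echo "no recorded stage-1 options in $AUTO_TLS_STATE; run stage 1 first" >&2; return 1; }
    if ! printf '%s\n' "$@" | cmp -s - "$AUTO_TLS_STATE"; then
        echo "setup options differ from those used with --stop-at-csr:" >&2
        echo "  recorded: $(tr '\n' ' ' < "$AUTO_TLS_STATE")" >&2
        echo "  given:    $*" >&2
        return 1
    fi
    "$CERTMANAGER" --location "$CERTMANAGER_LOCATION" setup "$@" --signed-ca-cert="$signed_cert"
}
```

Usage: source the file, run `auto_tls_setup_stage1 --configure-services --override ca_dn="CN=cm01,DC=example,DC=com"`, submit the CSR that certmanager prints to your root CA, then run `auto_tls_setup_stage2 /path/to/signed-intermediate.pem --configure-services --override ca_dn="CN=cm01,DC=example,DC=com"`. The options are compared argument by argument, so reordering or dropping one is caught.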
Rotating Auto-TLS Certificate Authority and Host Certificates
Your cluster security requirements may require that you rotate the auto-TLS CA and
certificates.
Navigate to Administration > Security. Click the Rotate Auto-TLS Certificates button to
launch the wizard.
Complete the wizard.
Auto-TLS Agent File Locations
The certificates, keystores, and password files generated by auto-TLS are stored in
/var/lib/cloudera-scm-agent/agent-cert on each Cloudera Manager Agent.
The filenames are as follows:
Table 1. Auto-TLS Agent Files

Filename                            Description
cm-auto-global_cacerts.pem          CA certificate and other trusted certificates in PEM format
cm-auto-global_truststore.jks       CA certificate and other trusted certificates in JKS format
cm-auto-in_cluster_ca_cert.pem      CA certificate in PEM format
cm-auto-in_cluster_truststore.jks   CA certificate in JKS format
cm-auto-host_key_cert_chain.pem     Agent host certificate and private key in PEM format
cm-auto-host_cert_chain.pem         Agent host certificate in PEM format
cm-auto-host_key.pem                Agent host private key in PEM format
cm-auto-host_keystore.jks           Agent host private key in JKS format
cm-auto-host_key.pw                 Agent host private key password file
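Because these files hold the agent's private key and the password that protects it, they are worth auditing after deployment and before a rotation. The script below is an added example, not Cloudera's code: it uses plain openssl to check, for one agent-cert directory, that the private key and its password file are not readable by group or other, that the key matches the host certificate, that the certificate chains to the in-cluster CA, and that neither certificate is close to expiry. It assumes openssl is on PATH, that cm-auto-host_key.pem may be encrypted with the password in cm-auto-host_key.pw, and that stat accepts the GNU `-c %a` format; the 30-day threshold is our choice.

```shell
#!/bin/sh
# Added example (not Cloudera's code): audits the auto-TLS files that
# certmanager deploys to each agent (Table 1 above) with plain openssl.
# It only reads the files and returns non-zero on the first problem found.
# Assumptions: openssl on PATH; the host key is PEM, possibly encrypted with
# the password in cm-auto-host_key.pw; stat supports GNU "-c %a".

AGENT_CERT_DIR_DEFAULT=/var/lib/cloudera-scm-agent/agent-cert
MIN_DAYS_LEFT=${MIN_DAYS_LEFT:-30}

# Private material must not be readable by group or other local users.
audit_private_perms() {
    # $1 = file; succeeds only if the group and other permission digits are 0.
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "FAIL: $1 has mode $mode (expected group/other = 0)" >&2; return 1 ;;
    esac
}

# The public key in the host certificate must be the one derived from the
# private key; a mismatch means the agent cannot complete a TLS handshake.
audit_key_matches_cert() {
    # $1 = host cert (chain) PEM, $2 = private key PEM, $3 = password file (optional)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    if [ -n "${3:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 1
    else
        key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ] && return 0
    echo "FAIL: public key in $1 does not match $2" >&2
    return 1
}

# The host certificate must verify against the in-cluster CA the agents trust;
# any intermediates present in the chain file are offered as untrusted input.
audit_chain() {
    # $1 = host cert (chain) PEM, $2 = CA PEM
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1 && return 0
    echo "FAIL: $1 does not verify against $2" >&2
    return 1
}

# Certificates that expire soon should be rotated through the
# "Rotate Auto-TLS Certificates" wizard before they break the cluster.
audit_expiry() {
    # $1 = cert PEM, $2 = minimum number of days the cert must remain valid
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null && return 0
    echo "FAIL: $1 expires within $2 days" >&2
    return 1
}

# Runs every check for one agent-cert directory (default: the documented path).
audit_agent_cert_dir() {
    dir=${1:-$AGENT_CERT_DIR_DEFAULT}
    ca=$dir/cm-auto-in_cluster_ca_cert.pem
    cert=$dir/cm-auto-host_cert_chain.pem
    key=$dir/cm-auto-host_key.pem
    pw=$dir/cm-auto-host_key.pw
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: $f is missing or unreadable" >&2; return 1; }
    done
    audit_private_perms "$key" || return 1
    if [ -f "$pw" ]; then
        audit_private_perms "$pw" || return 1
        audit_key_matches_cert "$cert" "$key" "$pw" || return 1
    else
        audit_key_matches_cert "$cert" "$key" || return 1
    fi
    audit_chain "$cert" "$ca" || return 1
    audit_expiry "$cert" "$MIN_DAYS_LEFT" || return 1
    audit_expiry "$ca" "$MIN_DAYS_LEFT" || return 1
    echo "OK: $dir passes all auto-TLS file checks"
}

# Run directly as "sh audit-auto-tls.sh [agent-cert-dir]".
if [ "$#" -gt 0 ]; then
    audit_agent_cert_dir "$1"
fi
```

Run it as root on each agent host (the key and password file are not readable otherwise); a non-zero exit with a FAIL line identifies the first file that needs attention. The checks are ordered so that a permissions problem is reported before the key is ever decrypted.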