Assumptions and Requirements
How to Configure TLS Encryption for Cloudera Manager, and that the cluster has been operational using those certificates. This table recaps recommended paths to various security artifacts:
Example | Description |
---|---|
/opt/cloudera/security |
Base path for security-related files. |
/opt/cloudera/security/pki |
Path for all security artifacts associated with TLS/SSL, including keys,
keystores (keystore.jks) , CSR, and root- and
intermediate-CA certificates. |
/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/jssecacerts |
Path to the default alternative Java truststore on a Cloudera Manager Server host system. |
This guide assumes that the Cloudera Manager Server host uses the
jssecacerts
truststore and includes all CA
certs from cacerts
and any intermediate CA
certificates needed to enable successful chain of trust traversal during
handshake.
sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
Use Cloudera Manager Admin Console to check TLS/SSL configuration details for the cluster and services, and to verify paths to keys and keystores, certificates, and trust stores configured for each service. These do not need to be re-enabled or changed (unless you replace existing keys with new ones as part of this process), but you can note all paths and names of all TLS-related security artifacts before you begin.
Certificates and keys may have been converted from one format to another (as detailed in
How to Convert File Encodings (DER, JKS, PEM) for TLS/SSL Certificates and Keys
).
That means that a CSR may have been used to obtain a JKS formatted certificate for one
service that was then converted to PEM for use by another service (or services) running on
the same node of the cluster as needed.
Check Certificate Expiration Dates
Expiry
in the Cloudera Management Service configuration page
( ).If you do not know the expiration dates for certificates installed on the cluster, use OpenSSL (for PEM-formatted certificates) or use Java Keytool (for JKS-formatted certificates) to determine certificate expiration dates.
PEM-formatted certificates (PKCS #8) are used by Cloudera Manager Agent hosts, Hue, Impala
and other Python-based services, while JKS-formatted certificates are used by HDFS,
MapReduce, and YARN, for example. See Understanding Keystores and Truststores
for
more information.
Using OpenSSL to Obtain Certificate Details
openssl
and the certificate by
name:openssl x509 -enddate -noout -in /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem
To check expiration dates by querying the active listener ports for any TLS-enabled services from the command line, use OpenSSL as in this example of querying the Cloudera Manager TLS listener port (7183):
echo | openssl s_client -connect fqdn.example.com:7183 2>/dev/null | openssl x509 -noout -subject -dates
subject=/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org notBefore=Nov 3 00:00:00 2015 GMT notAfter=Nov 28 12:00:00 2018 GMT
Using Java Keytool to Obtain Certificate Details
keytool -list -v -keystore keystore_name.jks