Configuring TLS CA certificates using CDE CLI

The CDE CLI is currently configured in insecure mode. You can manually generate the CA certificates for the CDE domains and configure the CLI in secure mode.

This procedure must be performed in your CDP cluster only when you configure CDE CLI with TLS for the first time.

Ensure that the following conditions are met:

  • A CDE Service and a virtual cluster are installed.
  • CDE CLI for the correct host machine is downloaded.
  • You are using OpenSSL to generate certificates for the domains.
  1. Generate the certificate for the CDP domain.
    1. Get the domain information from the CDE landing page URL.
    2. Run the following command using the URL obtained from the preceding step:
      openssl s_client -showcerts -servername [***CDE LANDING PAGE URL***] -connect [***CDE LANDING PAGE URL***]:443 </dev/null
    3. Copy both certificates from the output of the command in the preceding step.
    4. Paste the certificates one after the other, with a blank line between them, and save the file as cdp.pem.
  2. Generate the certificate for the CDE domain.
    1. Go to the cluster details page in CDE and copy the URL of the Grafana charts.
      The URL of the Grafana charts looks like https://[***GRAFANA CHARTS DOMAIN***]/grafana/d/sK1XDusZz/kubernetes. Copy the Grafana charts domain from that URL.
    2. Run the following command using the Grafana charts domain obtained from the preceding step:
      openssl s_client -showcerts -servername [***GRAFANA CHARTS DOMAIN***] -connect [***GRAFANA CHARTS DOMAIN***]:443 </dev/null
    3. Copy both certificates from the output of the command in the preceding step.
    4. Paste the certificates one after the other, with a blank line between them, and save the file as cde.pem.
  3. Generate certificates for the virtual cluster domain.
    1. Go to the virtual cluster details page and click Jobs.
      The Jobs URL looks like https://[***VIRTUAL CLUSTER DOMAIN***]/dex/ui/. Copy the [***VIRTUAL CLUSTER DOMAIN***] from that URL.
    2. Run the following command using the Virtual Cluster domain obtained from the preceding step:
      openssl s_client -showcerts -servername [***VIRTUAL CLUSTER DOMAIN***] -connect [***VIRTUAL CLUSTER DOMAIN***]:443 </dev/null
    3. Copy both certificates from the output of the command in the preceding step.
    4. Paste the certificates one after the other, with a blank line between them, in the vc.pem file and save the file.
  4. Run the following command to combine all the certificate files into a single file named all_certs.pem:
    cat cdp.pem cde.pem vc.pem >> all_certs.pem
  5. Add the certificates PEM file details in the config.yml file using the tls-ca-certs key.
    The config.yml file should look as follows:
    vcluster-endpoint: [***YOUR VIRTUAL CLUSTER ENDPOINT***]
    tls-ca-certs: [***PATH TO all_certs.pem FILE***]
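
The copy-and-paste steps above can be scripted. The following is an added example, not part of the original page or of the CDE CLI: the function names and the sample data are illustrative assumptions. It extracts the chain from the s_client output (which prints the server certificate a second time under "Server certificate") and lists each certificate's fingerprint so that it can be compared with values obtained from the cluster administrator before the bundle is referenced in tls-ca-certs.

```shell
# Added example: script the copy/paste steps (function names are illustrative).

# Keep only the PEM blocks of the "Certificate chain" section of
# `openssl s_client -showcerts` output (stdin). s_client prints the leaf
# again under "Server certificate", so stop there to avoid a duplicate.
extract_chain() {
    awk '/^Server certificate/         {exit}
         /-----BEGIN CERTIFICATE-----/ {inside = 1}
         inside                        {print}
         /-----END CERTIFICATE-----/   {inside = 0}'
}

# Fetch the chain presented by host $1 and save it to file $2 (needs network).
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:443" \
        </dev/null 2>/dev/null | extract_chain > "$2"
}

# Print subject, issuer, expiry and SHA-256 fingerprint of every certificate
# in bundle $1, for comparison with values obtained out of band.
describe_bundle() {
    dir=$(mktemp -d) || return 1
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                       n {print > (dir "/cert" n ".pem")}' "$1"
    for f in "$dir"/cert*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
    done
    rm -rf "$dir"
}

# Constructed sample of s_client output; bodies are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = vc.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Constructed Example CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
EOF
}
```

Call fetch_chain once per domain with the output file names used in the procedure (cdp.pem, cde.pem, vc.pem), then run describe_bundle on all_certs.pem after the files are combined.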